Create an RBAC Role
Create a new RBAC role
By default, a new user has no permission to access functionality within CD-as-a-Service. You can assign a new user the Organization Admin role or create a custom role that defines what the user can see and do in the UI as well as from the CLI.
All users can start a deployment.
Before you begin
- You are an Organization or Tenant Admin within CD-as-a-Service.
- You have read Role-Based Access Control.
How to create a custom role
You define your roles in a YAML file using the following structure:
    roles:
      - name: <role-name>
        tenant: <tenant-name>
        grants:
          - type: <grant-type>
            resource: <resource-type>
            permission: <permission-type>
name: (Required); String; name of the role
tenant: (Optional); String; name of the tenant; if omitted, the role is an organization-wide role, not bound to a specific tenant
type: (Required); String;
resource: (Required); String; one of
permission: (Required); String;
After you have defined your roles, use the CLI to add those roles to CD-as-a-Service.
    armory login
    armory config apply -f <path-to-rbac-config>.yml

You can check that you created your roles correctly by running armory config get.
Organization Admin is a system-defined role that does not appear in your RBAC config.
User role examples
A user with this role can access every screen in the main tenant and deploy apps using the CLI.

    roles:
      - name: Tenant Admin
        tenant: main
        grants:
          - type: api
            resource: tenant
            permission: full
A user with this role can only access the Deployments screen in the UI and deploy apps using the CLI.
    roles:
      - name: Deployer
        tenant: main
        grants:
          - type: api
            resource: deployment
            permission: full
If your organization uses SSO with CD-as-a-Service, you must create your roles using the same names as your SSO groups. For example, your company has the following groups defined in its SSO provider:
You want to use those groups in CD-as-a-Service, so you need to create roles for those SSO groups. In the following example, Engineering-Infra has a Tenant Admin role. Engineering-InfoSec and Engineering-Release have tenant-scoped deployment roles.
    roles:
      - name: Engineering-Infra
        tenant: main
        grants:
          - type: api
            resource: tenant
            permission: full
      - name: Engineering-InfoSec
        tenant: main
        grants:
          - type: api
            resource: deployment
            permission: full
      - name: Engineering-Release
        tenant: main
        grants:
          - type: api
            resource: deployment
            permission: full
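A review step you can run before armory config apply, shown here as an added example (not Armory's own tooling). It checks the required fields listed above, flags roles that are organization-wide because tenant is omitted, lists tenant/full grants, and compares role names against your SSO group names. The function name, the sample data, and the treatment of the name match as exact and case-sensitive are assumptions; the page only says the names must be the same.

```python
# Added example: pre-apply review of a CD-as-a-Service RBAC config. The dict mirrors
# the YAML on this page (load a real file with PyYAML's yaml.safe_load).
REQUIRED_GRANT_KEYS = ("type", "resource", "permission")


def audit_roles(config, sso_groups=None):
    """Return a sorted list of (role_or_group_name, finding) tuples."""
    findings, names = [], []
    for role in config.get("roles") or []:
        name = role.get("name")
        if not name:
            findings.append(("<unnamed>", "missing required field: name"))
            continue
        names.append(name)
        if not role.get("tenant"):
            # Page: omitting tenant makes the role organization-wide.
            findings.append((name, "organization-wide role (no tenant)"))
        for grant in role.get("grants") or []:
            missing = [k for k in REQUIRED_GRANT_KEYS if not grant.get(k)]
            if missing:
                findings.append((name, "grant missing: " + ", ".join(missing)))
            elif (grant["resource"], grant["permission"]) == ("tenant", "full"):
                findings.append((name, "tenant admin grant (tenant/full)"))
    if sso_groups is not None:
        # Assumption: role names must equal SSO group names exactly (case-sensitive).
        lowered = {g.lower(): g for g in sso_groups}
        for name in names:
            if name in sso_groups:
                continue
            near = lowered.get(name.lower())
            hint = f"; did you mean {near!r}?" if near else ""
            findings.append((name, "no SSO group with this exact name" + hint))
        for group in sorted(set(sso_groups) - set(names)):
            findings.append((group, "SSO group has no role"))
    return sorted(findings)


SAMPLE_CONFIG = {  # constructed: one clean role, two with problems
    "roles": [
        {"name": "Engineering-Infra", "tenant": "main", "grants": [
            {"type": "api", "resource": "tenant", "permission": "full"}]},
        {"name": "engineering-infosec", "tenant": "main", "grants": [
            {"type": "api", "resource": "deployment", "permission": "full"}]},
        {"name": "Engineering-Release", "grants": [
            {"type": "api", "resource": "deployment"}]},
    ]
}
SAMPLE_GROUPS = {"Engineering-Infra", "Engineering-InfoSec", "Engineering-Release"}
```

A group reported as having no role matters because, by default, its users have no permissions in CD-as-a-Service.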
User Role Management
- Troubleshoot Role-Based Access Control
Last modified December 27, 2022: (4e05ffa)