Access Management
Last updated
Last updated
This is an older version of the document. To view the most recent version of the document, click here.
OES implements Granular RBAC for all of its features. OES integrates with the customers authentication provider (viz., LDAP, SAML etc.) and provides roles based access control to the user groups as available in the authentication system for its features. While installing OES you specify your organizations authentication system and let OES connect to it. With this integration OES would be able to read thru all the user groups defined in your authentication system.
Note: Granular RBAC implementation in OES follows the Spinnaker's access control principle, as per which, by default Spinnaker provides all access to all user groups to all the Spinnaker resources unless administrator / resource owner explicitly restricts the access on that resources to a specific user group.
Note: OES doesn't provide any authentication system for its users, it leverages your organizations Authentication tool. User/User groups cannot be added thru OES. And, all the permissions would be managed at user groups level.
When you integrate your organizations authentication provider with OES during the installation, you also specify a list of user groups that would be marked as 'super admins' for the OES resources. The super admin group is a group of user groups that can identify administrators groups for the OES resources post installation. They can also modify the administrators groups anytime in the system.
Administrators of OES can override any of the user-group permissions on any of the OES resources. Super admins can specify which user groups can be administrators of the OES system and can also modify this group any time. Below section provides instructions to specify administrators group.
As mentioned above, only super admins can use this section, to specify which specific user groups can be provided with administrator rights on the OES resources.
As shown in the figure above, super admins would click on the left menu goto "Security -> Access Management". The "Access Management" page opens up as shown in the figure below.
Clock on the "Select Group" drop down box and a list of all the users groups available your organizations authentication provider appears in the drop down.
Now select the specific user groups that would be provided the administrator rights on OES resources, as shown in the figure below.
After selecting the user groups, click the 'Save' button for your changes to be saved. Refer the image below.
Super admins can always come back to this page and modify the users groups (by removing an existing user group or adding new groups) that will have administrator rights on the OES resources.
Managing access permissions for individual OES resources would be managed at that respective resource pages. For example, You can manage Granular RBAC for an application while creating a new application, or you can manage Granular RBAC for an integration while creating an integration on the Integrations page.
Following are the different OES resources on which Granular RBAC is being implemented.
Applications
Data Source Integrations
Agents
Deployment Targets
Policies
Intelligent Approval Gates