Access Management
Autopilot implements granular RBAC for all of its features. It integrates with your organization's authentication provider (for example LDAP or SAML) and applies role-based access control to the user groups defined there. During installation you point Autopilot at your organization's authentication system; once connected, Autopilot can read all the user groups defined in it.
Note: Granular RBAC in Autopilot follows Spinnaker's access-control principle: by default every user group has full access to every Autopilot resource, and access is restricted only when an administrator or the resource owner explicitly limits that resource to specific user groups. A resource that nobody has restricted therefore remains open to all authenticated users.
Note: Autopilot does not provide its own authentication system; it relies on your organization's authentication tool. Users and user groups cannot be created through Autopilot, and all permissions are managed at the user-group level.
When you integrate your organization's authentication provider with Autopilot during installation, you also specify the list of user groups to be marked as 'super admins' for the Autopilot resources. Super admins are the only users who can designate which user groups are administrators of Autopilot resources after installation, and they can change the administrator groups at any time.
Administrators of Autopilot can override any user-group permission on any Autopilot resource. Super admins decide which user groups are administrators and can change that set at any time. The section below explains how to specify the administrator groups.
As mentioned above, only super admins can use this section to choose which user groups receive administrator rights on Autopilot resources.
1. As shown in the figure above, super admins click "Security" --> "Access Management". The "Access Management" page opens, as shown in the figure below.
2. Click the "Select Group" drop-down; it lists all the user groups available in your organization's authentication provider.
3. Select the user groups that should have administrator rights on Autopilot resources and click "Save" to store your changes, as shown in the figure below.
Super admins can return to this page at any time to add or remove the user groups that have administrator rights on Autopilot resources.
Access permissions for individual Autopilot resources are managed on the respective resource pages. For example, you set granular RBAC for an application when you create the application, and for an integration when you create it on the Integrations page.
Granular RBAC is implemented on the following Autopilot resources:
Autopilot Native Application
Integration
Cloud Provider
Policy
Agent
Audit
In addition, Access Management offers two further features:
Global Access Permissions
Feature Visibility
Administrators can create a "User Role" that grants global access to one or more resource types. For example, an "Auditor" role can view all audit events from all applications, regardless of the permissions set by each application owner.
Follow the instructions below to grant Global Access Permissions to a user group:
1. From the application dashboard, click "Security" --> "Access Management". This opens the "Administrator & User Role" page by default; if it does not, click the "Administrator & User Role" tab, as shown in the image below.
Note: Only an "Admin" user can open Access Management; non-admin users cannot access it.
2. Click the "Add User Role" button to grant Global Access Permissions to a user group.
3. Enter the "User Role Name" and select the "User Group" from the drop-down list to define the role's feature access, as shown below.
4. Turn on the toggle for each feature the role should have access to, then click "Save", as shown below.
5. Global Access Permission is now granted to that user group, and the newly created user role is listed on the page, as shown in the image below.
1. From the application dashboard, click "Security" --> "Access Management". The Administrator & User Role page opens, as shown in the image below.
2. The page lists all the user roles defined in your organization. To edit one, click the three dots at the end of the user role name and then click "Edit", as shown in the image below.
3. The User Role screen appears, as shown below. Edit the details as required and click "Save".
1. From the application dashboard, click "Security" --> "Access Management". The Administrator & User Role page opens, as shown in the image below.
2. The page lists all the user roles defined in your organization. To delete one, click the three dots at the end of the role name and then click "Delete", as shown in the image below.
3. A confirmation message appears; click "Yes, Delete it!". Refer to the image below.
"Feature Visibility" is used when one or more user groups need exclusive access to a specific application feature.
For example, when the "Policy" feature is enabled for a user group, only that feature is visible to the group; all other features are hidden from it. In addition, every other user is automatically denied access to the "Policy" feature. Unlike the allow-by-default resource permissions described above, Feature Visibility is therefore deny-by-default for everyone outside the chosen group. By default most user groups have no feature flags enabled.
To configure this, follow the instructions below:
1. From the application dashboard, click "Security" --> "Access Management". The Administrator & User Role page opens; click the "Feature Visibility" tab, as shown in the image below.
2. Click the "Add Feature Visibility" button to give a user group visibility of an application feature.
3. Enter the "User Role Name" and select the "User Group" from the drop-down list to define the role's feature visibility, as shown below.
4. After selecting the user group, select the application feature whose visibility should be limited to that group and click "Save". Visibility can be limited for the following application features:
Autopilot Native Application
Integration
Cloud Provider
Policy
Agent
Audit
5. Feature Visibility is updated for that user group, and the newly created user role name is listed on the page, as shown in the image below.
6. As an example, we have granted "Policy" feature access to one user group. Other features are hidden from that group, and all other users are automatically denied access to the "Policy" feature and see the screen below.
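The following is an added illustrative model, not Autopilot/ISD code, of how the rules described on this page combine: the allow-by-default resource permissions from the note at the top, administrator override, Global Access Permissions, and the deny-by-default Feature Visibility shown in the example above. All group names, resource names and the evaluation order are assumptions; in particular, the page does not say whether administrators are exempt from Feature Visibility, and this model assumes they are not. The `find_unrestricted` helper is the check a practitioner would want after enabling RBAC: a list of resources that nobody has restricted and that are therefore still open to every user group.

```python
"""Constructed model of the access rules described on this page.

Illustrative example code, not Autopilot/ISD source. Names and the
evaluation order are assumptions chosen to show the two defaults side
by side: resource permissions are allow-by-default (Spinnaker style),
Feature Visibility is deny-by-default for everyone except the group
the feature was granted to.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str                                   # one of the resource types listed above
    allowed_groups: frozenset = frozenset()     # empty = owner set no restriction


@dataclass(frozen=True)
class AccessConfig:
    admin_groups: frozenset     # administrator groups chosen by the super admins
    global_roles: dict          # user role name -> (user group, set of resource kinds)
    feature_visibility: dict    # resource kind -> group with exclusive visibility


def can_access(user_groups, resource, cfg):
    """Return (allowed, reason) for a user who belongs to `user_groups`."""
    groups = set(user_groups)

    # Feature Visibility: once a feature is assigned to one group, every other
    # user is denied that feature. Assumption: administrators are not exempt.
    owner = cfg.feature_visibility.get(resource.kind)
    if owner is not None and owner not in groups:
        return False, "feature hidden"

    # Administrators override any user-group permission on any resource.
    if groups & cfg.admin_groups:
        return True, "admin"

    # Global Access Permissions: a role such as "Auditor" sees every resource
    # of the granted kinds regardless of what the resource owner configured.
    for role, (group, kinds) in cfg.global_roles.items():
        if group in groups and resource.kind in kinds:
            return True, f"global role {role}"

    # Spinnaker-style default: a resource nobody restricted is open to all.
    if not resource.allowed_groups:
        return True, "unrestricted (default allow)"
    if groups & resource.allowed_groups:
        return True, "explicit grant"
    return False, "restricted"


def find_unrestricted(resources):
    """Audit check: names of resources still open to every user group."""
    return sorted(r.name for r in resources if not r.allowed_groups)


# Constructed sample data (hypothetical group and resource names).
SAMPLE_CONFIG = AccessConfig(
    admin_groups=frozenset({"platform-admins"}),
    global_roles={"Auditor": ("sec-audit", {"Audit"})},
    feature_visibility={"Policy": "policy-team"},
)
SAMPLE_RESOURCES = (
    Resource("billing-app", "Application"),                         # never restricted
    Resource("payroll-app", "Application", frozenset({"hr-devs"})),
    Resource("payroll-audit", "Audit", frozenset({"hr-devs"})),
    Resource("prod-gate", "Policy"),                                # never restricted
)

if __name__ == "__main__":
    for who in (["contractors"], ["sec-audit"], ["platform-admins"], ["policy-team"]):
        for res in SAMPLE_RESOURCES:
            print(who, res.name, can_access(who, res, SAMPLE_CONFIG))
    print("open to everyone:", find_unrestricted(SAMPLE_RESOURCES))
```

Running the block shows the two pitfalls side by side: a contractor with no grants at all can read `billing-app` because its owner never restricted it, while an administrator is locked out of the `prod-gate` policy as soon as Feature Visibility assigns the Policy feature to `policy-team`. Whatever the real product does with administrators in that case, the `find_unrestricted` list is what to review after rollout.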
1. From the ISD application dashboard, click "Security" --> "Access Management". The Administrator & User Role page opens; click the "Feature Visibility" tab, as shown in the image below.
2. The page lists all the user roles defined in your organization. To edit one, click the three dots at the end of the role name and then select "Edit", as shown in the image below.
3. The Feature Visibility screen appears, as shown below. Edit the details as required and click "Save".
1. From the application dashboard, click "Security" --> "Access Management". The Administrator & User Role page opens; click the "Feature Visibility" tab, as shown in the image below.
2. The page lists all the user roles defined in your organization. To delete one, click the three dots at the end of the role name and then click "Delete", as shown in the image below.
3. A confirmation message appears; click "Yes, Delete it!". Refer to the image below.