# Pipeline level RBAC

## **Introduction**

Role-based access control (RBAC) restricts access based on the roles of individual users within an organization.

The OpsMx **Pipeline level RBAC** feature restricts access at the pipeline level within an application.

{% hint style="info" %}
Pipeline RBAC feature is disabled by default
{% endhint %}

### **To Enable Pipeline RBAC**

* Connect to the Spinnaker halyard pod using the command below:

```bash
kubectl exec -it <NAME_OF_THE_HALYARD_POD> -n <YOUR_NAMESPACE> -- bash
```

* Make the following change in the hal config file: search for the **authz** section and set `enabled: true`, as shown below.

```yaml
authz:
  groupMembership:
    service: "EXTERNAL"
    google:
      roleProviderType: "GOOGLE"
    github:
      roleProviderType: "GITHUB"
    file:
      roleProviderType: "FILE"
    ldap:
      roleProviderType: "LDAP"
  enabled: true
```

1. Access the GitHub repository where Spinnaker is configured and locate the **gate secret**, **fiat**, **front50** and **orca** yaml files under *\~/.hal/default/profiles*.
2. Set **pipeline: rbac: true** in the orca.yml, fiat.yml and front50.yml files.
3. Run the following command to apply the changes: `hal deploy apply`
4. Save the changes and exit.
5. Restart the gate service.
6. Wait for all three pods to restart successfully.

#### To verify whether Pipeline RBAC is enabled

Follow the steps below to verify whether pipeline RBAC is enabled:

1. Port-forward the fiat service (for example `spin-fiat`) by running the following command from your terminal:

```bash
kubectl port-forward service/<fiat-service-name> 7003:7003 -n <YOUR_NAMESPACE>
```

2. Once the fiat service is port-forwarded, open the following URL in your browser: `http://localhost:7003/authorize/<VALID-USERNAME>`

{% hint style="info" %}
You will get the list of applications and pipelines.
{% endhint %}

Search the response for pipelines to check that they are listed. If the pipelines are listed, pipeline-level RBAC is enabled successfully.

### To provide Pipeline-level RBAC Access

An admin can restrict a pipeline's **Read**, **Write** and **Execute** functions to a specific user group. Through these permissions, you define who can edit the pipeline configuration, execute the pipeline, and delete the pipeline.

### **Prerequisite**

{% hint style="info" %}
The following config change is applied through helm.
{% endhint %}

To use the Pipeline level RBAC feature, the **fiat** configuration in the gate secret must be **enabled**; it is enabled by default. If it is not, set it to **true**, as shown below.

```yaml
fiat:
  baseUrl: http://spin-fiat:7003
  enabled: true
  host: 0.0.0.0
  port: 7003
```

### **Instructions**

Follow the steps below to provide pipeline-level RBAC access:

1. Access the GitHub repository where Spinnaker is configured and locate the **fiat-local.yaml** file at “**\~/default/profiles/fiat-local.yaml**”.
2. Update the **aggregate** and **prefix** entries in the **fiat-local.yaml** file as shown below:

   ```yaml
   auth.permissions.provider.pipeline: aggregate
   auth.permissions.source.pipeline.Prefix:
   ```
3. **Prefix:** Provide a prefix name ending with the **“\*”** wildcard (for example, “dev\*”) as shown below:

   {% hint style="info" %}
   **Note:** The pipeline name must begin with the prefix provided here. In this example the prefix is “dev\*”.
   {% endhint %}

   <figure><img src="https://lh3.googleusercontent.com/ajyfRD3HvPj0P0N1TT_N_-kk0z2fXOcv3jePAdrGs0K06HuGpPYTDAZb8nB872HIVy-Bi_tyG87gf-ycD5kKaSeRqZSalxfdSC78roISQxGwsGjOc6MASfvAOTSYcGNmL3dAQjG2qpA4MvzfnhPGiIVr4qH4irBrMPOT13ko3u1B6r-IplxPPz3zsn9sNg" alt=""><figcaption></figcaption></figure>
4. **Pipeline Prefix:** As mentioned above, a pipeline was created with a specified prefix.

   <figure><img src="https://lh6.googleusercontent.com/YqVw5OyFljn_NWbKEzCIWDmxgthS3IKh31e7mS6vcgNJF4RHSwT0GIHGSrRe74kv7FfP4CYtg8Vnx9WdZMrWA9HaVoXKw_DBIOLbIMqZzNE8Juh0upH9Iu15eHLpztjV9PhgmfT1x4yAXd8OGoELS9trYFLra7SLkrfIWjqv5_WjX8Z2OGjsecWINvEatw" alt=""><figcaption></figcaption></figure>
5. **Permissions:** Assign the **READ**, **WRITE** and **EXECUTE** permissions to the specific user group, as shown in the image below:

   <figure><img src="https://lh3.googleusercontent.com/oa-GKWF6cgbszPgDhu-ArydD2QOND4ABUPoUiFK1U67PqMB7PjrcypjoIPB_G2NtSYE8rUANWFKm9KCxtFIGAvewOMUngls3VCeOafs_jr2rh-yDInwEr8quzXJBVpganNGjPmhp8PPuzQXsNsQg8DakbkgUgT5hNqQHhzdk8WFZvyS9olXD9STGNh8iNA" alt=""><figcaption></figcaption></figure>

   {% hint style="info" %}
   **Note:** In the above example, access is granted as follows:

   * **devteam** group has **READ** permission only
   * **qateam** group has **READ**, **WRITE** and **EXECUTE** permissions
   {% endhint %}
6. The **devteam** group has been given only **READ** access; **WRITE** and **EXECUTE** permissions are not granted. This user group can therefore view the specific pipeline but cannot modify, execute or delete it.

   If a restricted user tries to edit, execute or delete the pipeline, an error message is displayed as shown below:
   * If a restricted user tries to **Edit** the pipeline, the following error message is displayed:

     <figure><img src="https://lh5.googleusercontent.com/DKvneXvoue2I2BzNh97wrfwx1wdfBp884d6WtARirLmi6YYW0wbEiizn1OshThBSDKq-DVNV2ZBKpcWBgJtOdr7kBxLVYL_Z-Ui-9RPLjkm07-_kiApZHBpFOBwvBJZUqb0dN6H_rUQyoqleybwRvB4PHlcKUsW1V3Gli_W6T9A2RffcnjhFfu8ZBoWWCw" alt=""><figcaption></figcaption></figure>
   * If a restricted user tries to **Execute** the pipeline, the following error message is displayed:

     <figure><img src="https://lh4.googleusercontent.com/6VUJ13WBwaXpRKKNdxypMbIcCsbbB1oVEKhzflLLMBbtRuXoK7th7RpqlEqHppBI7t12OvxTJhbxYGBIpfKp3AaH_krAysLOcYvOSICm692e1RUaDqgnIU_Zn2jbbkd_Jw7PoBF3T_wKhTY0a_mEdDk7ijurwn6erwm-NFvJfeInryzQKnrFpG2SrZQ9sQ" alt=""><figcaption></figcaption></figure>
   * If a restricted user tries to **Delete** the pipeline, the following error message is displayed:

     <figure><img src="https://lh3.googleusercontent.com/M1BD5-uDrrD38k-DbhdbID0hI6kIrkSxNiX1vIfcuzxXh3PJIef-2m-T8yqZBpmavh21ChZiX3ynrAv3EXYNxYO7o40PKURnLF5JhJ0eKaLsXoLtXhxTmkUNwOmVwyuRBSGerchPCWvaKjlEjaODJbuoU20d71kijB5xPMXKw71SzDmSXXz_gdlT8MTHGw" alt=""><figcaption></figcaption></figure>
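To make the access decisions in steps 5 and 6 concrete, here is an added Python model of prefix-scoped pipeline permissions combined with the **aggregate** provider. It is example code written for this page, not Fiat's or OpsMx's implementation: the user names, the pipeline names, the mapping of edit and delete onto WRITE, and the deny-by-default result when no prefix matches are all assumptions, and the per-user listing only approximates the spirit of the `/authorize/<user>` check, not its real response format.

```python
# Added example: a toy model of how prefix-scoped pipeline permissions are
# aggregated and checked. It is NOT Fiat's implementation and NOT OpsMx code.
# Group names, user names, pipeline names, the WRITE requirement for edit and
# delete, and deny-by-default for unmatched pipelines are assumptions chosen to
# mirror this page's scenario (prefix "dev*", devteam READ, qateam READ/WRITE/EXECUTE).
from dataclasses import dataclass

PERMISSIONS = frozenset({"READ", "WRITE", "EXECUTE"})

# What each user action needs. Edit and delete both change the stored pipeline
# configuration, so both are gated on WRITE (assumption).
ACTION_REQUIRES = {"view": "READ", "edit": "WRITE", "execute": "EXECUTE", "delete": "WRITE"}


@dataclass(frozen=True)
class PipelinePrefixRule:
    """One prefix entry: pipelines whose name starts with the prefix (minus the
    trailing '*') receive the listed per-group permissions."""
    prefix: str
    grants: dict  # group name -> frozenset of permissions

    def __post_init__(self):
        # The page requires the prefix to carry the '*' mark, e.g. "dev*".
        if not self.prefix.endswith("*") or len(self.prefix) < 2:
            raise ValueError("prefix must be a non-empty name followed by '*', e.g. 'dev*'")
        for group, perms in self.grants.items():
            unknown = set(perms) - PERMISSIONS
            if unknown:
                raise ValueError(f"unknown permission(s) {sorted(unknown)} for group {group}")

    def matches(self, pipeline_name: str) -> bool:
        return pipeline_name.startswith(self.prefix[:-1])


def effective_permissions(rules, user_groups, pipeline_name) -> frozenset:
    """'aggregate' behaviour: the union of everything every matching rule grants
    to any group the user belongs to. Deny-by-default when nothing matches."""
    perms = set()
    for rule in rules:
        if rule.matches(pipeline_name):
            for group in user_groups:
                perms.update(rule.grants.get(group, ()))
    return frozenset(perms)


def authorize(rules, user_groups, pipeline_name, action) -> bool:
    """True when the user's groups hold the permission the action needs."""
    try:
        needed = ACTION_REQUIRES[action]
    except KeyError:
        raise ValueError(f"unknown action {action!r}") from None
    return needed in effective_permissions(rules, user_groups, pipeline_name)


def denied_actions(rules, user_groups, pipeline_name) -> list:
    """Actions that would produce an error dialog for this user on this pipeline."""
    return [a for a in ACTION_REQUIRES if not authorize(rules, user_groups, pipeline_name, a)]


def permission_listing(rules, user_groups_by_user, pipelines) -> dict:
    """Per-user view of the pipelines they hold at least READ on, with the
    permissions granted (an approximation of what a /authorize/<user> check
    would surface; the real response shape is not modelled)."""
    listing = {}
    for user, groups in user_groups_by_user.items():
        listing[user] = {}
        for pipeline in pipelines:
            perms = effective_permissions(rules, groups, pipeline)
            if "READ" in perms:
                listing[user][pipeline] = sorted(perms)
    return listing


# Constructed data mirroring the page's example.
RULES = [
    PipelinePrefixRule("dev*", {"devteam": frozenset({"READ"}),
                                 "qateam": frozenset({"READ", "WRITE", "EXECUTE"})}),
]
USER_GROUPS = {"dev-user": {"devteam"}, "qa-user": {"qateam"}}   # constructed users
PIPELINES = ["dev-deploy", "dev-smoke-test", "prod-deploy"]       # constructed names


if __name__ == "__main__":
    for user, groups in USER_GROUPS.items():
        print(f"{user}: denied on dev-deploy -> {denied_actions(RULES, groups, 'dev-deploy')}")
    print(permission_listing(RULES, USER_GROUPS, PIPELINES))
```

Running it shows the devteam user denied `edit`, `execute` and `delete` on `dev-deploy` (the three error dialogs above) while the qateam user is denied nothing, and `prod-deploy` does not appear in either listing because no prefix rule matches it.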