Autopilot implements Granular RBAC for all of its features. It integrates with the customer's authentication provider (LDAP, SAML, etc.) and applies role-based access control to the user groups available in that authentication system. While installing Autopilot, you specify your organization's authentication system and let Autopilot connect to it. With this integration, Autopilot can read all the user groups defined in your authentication system.
Note: Granular RBAC in Autopilot follows Spinnaker's access control principle: by default, Spinnaker gives every user group full access to every Spinnaker resource unless the administrator or resource owner explicitly restricts access to that resource to a specific user group.
Note: Autopilot doesn't provide any authentication system for its users; it leverages your organization's authentication tool. Users and user groups cannot be added through Autopilot, and all permissions are managed at the user-group level.
When you integrate your organization's authentication provider with Autopilot during installation, you also specify a list of user groups that are marked as 'super admins' for the Autopilot resources. The super admins are a set of user groups that can designate the administrator groups for the Autopilot resources after installation. They can also modify the administrator groups at any time.
Autopilot administrators can override any user-group permissions on any of the Autopilot resources. Super admins can specify which user groups are administrators of the Autopilot system and can change this selection at any time. The section below provides instructions for specifying the administrator groups.
As mentioned above, only super admins can use this section to specify which user groups are given administrator rights on the Autopilot resources.
Follow the instructions below to give administrator rights to specific user groups:
1. As shown in the figure above, super admins click "Security" and then click "Access Management". The "Access Management" page opens, as shown in the image below.
2. Click the "Select Group" drop-down box. A list of all the user groups available in your organization's authentication provider appears in the drop-down.
3. Select the user groups that should have administrator rights on Autopilot resources, then click the 'Save' button to save your changes, as shown in the figure below.
Super admins can always come back to this page and modify the user groups (by removing an existing user group or adding new groups) that will have administrator rights on the Autopilot resources.
Access permissions for individual Autopilot resources are managed on the respective resource pages. For example, you can manage Granular RBAC for an application while creating a new application, or for an integration while creating it on the Integrations page.
The following are the Autopilot resources on which Granular RBAC is implemented:
- Autopilot Native Application
- Cloud Provider
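
The access rule described above (every resource open to every user group until someone restricts it, with administrator groups overriding resource permissions) can be modelled to audit which resources are still unrestricted. This is an added example, not Autopilot or Spinnaker code; the `Resource` record, the group names and the resource names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    name: str
    kind: str                                  # resource type, as listed on this page
    restricted_to: frozenset = frozenset()     # empty = nobody has restricted it

# Constructed sample data (hypothetical names, not read from a real installation).
ALL_GROUPS = ["dev", "platform-admins", "qa", "sre"]
ADMIN_GROUPS = {"platform-admins"}             # chosen by super admins
RESOURCES = [
    Resource("payments-app", "Autopilot Native Application", frozenset({"dev"})),
    Resource("aws-prod", "Cloud Provider"),    # no restriction set
]

def is_allowed(user_groups, resource, admin_groups=ADMIN_GROUPS):
    """Apply the rule the page describes to one user and one resource."""
    groups = set(user_groups)
    if groups & set(admin_groups):             # administrators override resource permissions
        return True
    if not resource.restricted_to:             # default: open to every user group
        return True
    return bool(groups & resource.restricted_to)

def unrestricted(resources):
    """Names of resources that are still open to every user group."""
    return [r.name for r in resources if not r.restricted_to]

def effective_groups(resource, all_groups=ALL_GROUPS, admin_groups=ADMIN_GROUPS):
    """Every group that can reach the resource, admin override included."""
    return sorted(g for g in all_groups if is_allowed([g], resource, admin_groups))

if __name__ == "__main__":
    for r in RESOURCES:
        print(f"{r.name} ({r.kind}): {effective_groups(r)}")
    print("open to all groups:", unrestricted(RESOURCES))
```

Any name returned by `unrestricted` is a resource whose owner has not yet narrowed access, so it is reachable by every group the authentication provider exposes.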
In addition, we have introduced the following two key features of Access Management: