Access Management
Granular Role-Based Access Control (RBAC):
Autopilot (ISD) implements Granular RBAC for all of its features. Autopilot integrates with the customer's authentication provider (e.g., LDAP, SAML) and provides role-based access control for its features to the user groups defined in that authentication system. While installing Autopilot you specify your organization's authentication system and let Autopilot connect to it. With this integration, Autopilot can read all the user groups defined in your authentication system.
Note: Autopilot does not provide any authentication system of its own; it relies on your organization's authentication tool. Users and user groups cannot be added through Autopilot, and all permissions are managed at the user-group level.
You can import OSS Argo CD RBAC into ISD and enforce the same RBAC in ISD. The RBAC rules that you have configured in Argo CD are applied unchanged in ISD for the Application Dashboard, Audit and Insights. To make this possible, ISD and all the Argo CD instances must use the same authentication provider with the same configuration. Specifically:
The user that signs in to ISD is the same user that signs in to Argo CD.
The groups for a user must be the same in ISD and Argo CD.
You can configure RBAC in Argo CD in either of the following two ways.
Configure RBAC in Argo CD UI
To set up an RBAC policy for a group in the Argo CD UI, follow the steps below:
From the Argo CD dashboard, click “Settings” and then click “Projects” as shown below.
Click on the desired project for which you want to set the RBAC rules. In this example we are selecting the “default” project. Refer to the image below:
Click on “ROLES” and then click on the “ADD ROLE” button. Refer to the image below.
The following screen appears. Fill out all the information and click on the “CREATE” button. Refer to the image below.
Update the following information on the above screen.
Role Name: Provide a name to the role.
Role Description: Description of the role. Note: you must be an admin to create roles.
ADD POLICY: Click on the “ADD POLICY” button and update the following parameters.
ACTION: Click the “ACTION” drop-down and select the desired action.
APPLICATION: Click the “APPLICATION” drop-down and select the application for which you want to grant permissions. To grant permission for all applications in your project, select “Project name/*”.
PERMISSION: Click the “PERMISSION” drop-down and select “allow” to grant the permission to that user group, or “deny” to refuse it. Note that a deny rule takes precedence over an allow rule that matches the same request. You can add multiple policies in the same way by clicking the “ADD POLICY” button.
ADD GROUP: Enter the name of the group for which you would like to apply the policy/policies and click the “ADD GROUP” button. In the same way you can add multiple groups.
For the detailed information about RBAC Configuration in Argo CD, refer here.
Configure RBAC in Argo CD through a ConfigMap
You can also set up an RBAC policy for a group in Argo CD through a ConfigMap. For detailed information on how to set up an RBAC policy in Argo CD through a ConfigMap, refer here.
Once you have set up an RBAC policy for a group in Argo CD, the rules configured for that group in Argo CD are applied unchanged in ISD for the Application Dashboard, Audit and Insights.
For example, a user who can view the two applications “guestbook” and “sampleapp1” in the Argo CD UI can view the same two applications in the ISD UI. Refer to the images below.
The list of applications that this particular user can see in the Argo CD application dashboard is shown in the image below.
The same applications displayed in the Argo CD dashboard are displayed in the ISD UI, as shown in the image below.
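As an added example (not code from the page or from the product), the following Python sketch evaluates a constructed policy.csv of the kind placed in Argo CD's argocd-rbac-cm ConfigMap, to show why the user above sees exactly “guestbook” and “sampleapp1” and nothing else. The role name, group name and the “payments” application are assumptions; the evaluator follows Argo CD's default Casbin policy effect (at least one matching allow and no matching deny) and ignores the policy.default fallback.

```python
import fnmatch

# Constructed policy.csv content of the kind Argo CD reads from the
# argocd-rbac-cm ConfigMap. "guestbook" and "sampleapp1" are the page's
# example; the role, group and "payments" application names are assumptions.
POLICY_CSV = """
p, role:app-viewer, applications, get, default/guestbook, allow
p, role:app-viewer, applications, get, default/sampleapp1, allow
p, role:app-viewer, applications, get, default/payments, deny
g, org:app-viewers, role:app-viewer
"""

def parse_policy(csv_text):
    """Split policy.csv into 'p' rules and 'g' group-to-role grants."""
    rules, grants = [], {}
    for raw in csv_text.strip().splitlines():
        fields = [f.strip() for f in raw.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(tuple(fields[1:]))  # (subject, resource, action, object, effect)
        elif fields[0] == "g" and len(fields) == 3:
            grants.setdefault(fields[1], set()).add(fields[2])
    return rules, grants

def effective_subjects(principal, grants):
    """The principal itself plus every role reachable through 'g' lines."""
    seen, todo = set(), [principal]
    while todo:
        subject = todo.pop()
        if subject not in seen:
            seen.add(subject)
            todo.extend(grants.get(subject, ()))
    return seen

def is_allowed(principal, resource, action, obj, rules, grants):
    """Argo CD's default policy effect: at least one matching allow and no
    matching deny. Unmatched requests are denied (policy.default ignored)."""
    subjects = effective_subjects(principal, grants)
    effects = [eft for sub, res, act, pat, eft in rules
               if sub in subjects and fnmatch.fnmatchcase(resource, res)
               and fnmatch.fnmatchcase(action, act) and fnmatch.fnmatchcase(obj, pat)]
    return "allow" in effects and "deny" not in effects

def visible_applications(group, apps, csv_text=POLICY_CSV):
    """'project/app' entries a member of `group` is allowed to get (view)."""
    rules, grants = parse_policy(csv_text)
    return [a for a in apps if is_allowed(group, "applications", "get", a, rules, grants)]
```

Because ISD reuses the same group claims, a member of “org:app-viewers” gets the same two-application list in the ISD Application Dashboard as in Argo CD.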
Super Admin:
When you integrate your organization's authentication provider with Autopilot during installation, you also specify a list of user groups that are marked as 'super admins' for the Autopilot resources. The super admin set is a collection of user groups whose members can designate administrator groups for the Autopilot resources after installation. They can also modify the administrator groups at any time.
Administrators for Autopilot:
Administrators of Autopilot can override any of the user-group permissions on any of the Autopilot resources. Super admins specify which user groups are administrators of the Autopilot system and can modify this set at any time. The section below explains how to specify the administrator groups.
Manage Admins:
As mentioned above, only super admins can use this section, which specifies the user groups that are granted administrator rights on the Autopilot resources.
As shown in the image above, super admins click "Setup" --> "Access Management". The "Access Management" page appears as shown in the image below.
Click on the "Select Group" drop-down box and a list of all the user groups available with your organization's authentication provider appears in the drop-down.
Now select the user groups that will be granted administrator rights on Autopilot resources and then click the 'Save' button to save your changes, as shown in the image below.
Super admins can always come back to this page and modify the user groups (by removing an existing user group or adding new groups) that will have administrator rights on the Autopilot resources.
Access permissions for individual Autopilot resources are managed on the respective resource's page. For example, you can manage Granular RBAC for an application while creating a new application, or manage Granular RBAC for an integration while creating it on the Integrations page.
Following are the different Autopilot features on which Granular RBAC is being implemented.
Integration
Agent
Audit
In addition, we have introduced the “Global Access Permissions” as a key feature of Access Management:
Global Access Permissions
Administrators can create a "User Role" that grants global access to one or more types of resource. For example, a user role of "Auditor" can view all the Audit events coming from applications, irrespective of the permissions specified by the application owner.
Create Global Access Permissions:
Follow the instructions below to provide Global Access Permissions to the User group:
From the application dashboard, click "Setup" --> "Access Management". This takes you to the “User Roles” page by default. If not, click the “User Roles” tab as shown in the image below.
Note: Access Management can be accessed by an “Admin” user only. A non-admin user cannot access it.
Click “Add User Role” button to provide Global Access Permissions to the specific user group as shown in the image below.
Provide the “User Role Name” and select the “User Group” from the drop-down list to define the application's feature access as shown in the image below.
Turn on the toggle button to grant the feature access permissions and click “Save” button as shown below.
Global Access Permission is provided to the specific user group and the newly created User role name will be listed on the page, as shown in the image below.
Edit Global Access Permission
From the application dashboard, click "Setup" --> "Access Management". This takes you to the “User Roles” page by default. If not, click the “User Roles” tab as shown in the image below.
This page lists all the user roles available within your organization. Select the one you want to edit: click the "Three dots" at the end of the user role name and then click "Edit", as shown in the image below.
The User Role screen appears as shown below. Edit the details as required, and click "Save".
Delete Global Access Permission
From the application dashboard, click "Setup" --> "Access Management". This takes you to the “User Roles” page by default. If not, click the “User Roles” tab as shown in the image below.
This page lists all the user roles available within your organization. Select the one you want to delete: click the "Three dots" at the end of the user role name and then click "Delete", as shown in the image below.
A confirmation message appears; click "Yes, Delete it!". Refer to the image below: