RBAC
Properly assigning permissions to users based on their role is a key component for environment management. Creating roles and assigning users to those roles is less prone to error than assigning permissions to individual users.
There are two main personas:
-
Platform Engineers whose goal is to allow their development and QA teams to move faster and reduce complexity to building and testing apps by providing them with whatever tools, capabilities, and platforms necessary to do so.
-
Developers whose goal is to deliver value to their customers through new cutting-edge applications. Developers should not be burdened with learning DevOps, cloud infrastructure, or dependency management to deliver their applications. They should be able to write code and point their code to a testbed or environment without worrying about infrastructure.
Environment Manager provides the following role-based access controls.
-
Environment Template User
- Can provision and deprovision environments based on existing environment templates.
- They cannot create environment templates or resource templates. These are defined by the Infra Admin or Org Admin.
-
Infra Admin
- Responsible for creating environment and resource templates. The overall governance and management of IaC is the Infra Admin's responsibility.
- Cannot share templates. Sharing templates is done by an Org Admin.
-
Org Admin
- Share environment and resource templates between different projects within the organization.
-
Project / Workspace / Namespace Admin
- Can deploy apps to environments.
- Can view some information about environments, but does not have full IaC view. Full IaC view is for Environment Admins, Infra Admins, and Org Admins.
| Permission | Org Admin | Infra Admin | Env Template User | Other |
|---|---|---|---|---|
| Resource and Environment Template Sharing | Yes | No | No | No |
| Environment Provisioning | Yes | Yes | Yes | No |
| Environment and Resource Template Creation | Yes | Yes | No | No |
| Provisioning Workload to Environment | Yes | Yes | Yes | Yes |
Environment Template User Role¶
Users with Environment Template User can exclusively create environments using existing environment templates and are restricted from creating any other Environment Manager resources.
To assign this role to a user, ensure a project and a group are created, and the user is added to the group. For more details, visit this page
Use the below command to assign the role
./rctl create groupassociation <group_name> --associateproject <project_name> --roles ENVIRONMENT_TEMPLATE_USER