| 1 | +# Authorization & RBAC |
| 2 | + |
| 3 | +Spacelift provides a comprehensive **Role-Based Access Control (RBAC)** system designed for enterprise infrastructure |
| 4 | +teams. RBAC enables fine-grained, customizable permissions giving |
| 5 | +you precise control over who can access what resources and perform which actions. |
| 6 | + |
| 7 | +## Evolution from Legacy System Roles |
| 8 | + |
| 9 | +Spacelift has evolved from simple **legacy system roles** (Read, Write, Admin) to a custom RBAC system that |
| 10 | +offers: |
| 11 | + |
| 12 | +- **Custom Roles**: Create roles tailored to your organization's specific needs |
| 13 | +- **Granular Actions**: Composable permissions like `run:trigger`, `stack:manage` |
| 14 | +- **Flexible Assignment**: Assign roles to users, IdP groups, and API keys |
| 15 | +- **Space-Based Control**: All roles are bound to specific [Spaces](../spaces/README.md) for organized access management |
| 16 | + |
| 17 | +## Core RBAC Architecture |
| 18 | + |
| 19 | +RBAC operates on three fundamental concepts: actions, actors, and subjects. |
| 20 | + |
| 21 | +### Actions |
| 22 | + |
| 23 | +**Actions** are the smallest unit of permission granularity. They define specific operations that can be performed |
| 24 | +within Spacelift. Examples include: |
| 25 | + |
| 26 | +- `run:trigger`: Trigger stack runs |
| 27 | +- `stack:manage`: Create and modify stacks |
| 28 | + |
| 29 | +### Actors |
| 30 | + |
| 31 | +**Actors** are entities that perform actions in the system: |
| 32 | + |
| 33 | +- **Users**: Individual team members authenticated through your identity provider |
| 34 | +- **API Keys**: Programmatic access tokens for automation |
| 35 | +- **IdP Groups**: Groups of users as defined by your identity provider |
| 36 | + |
| 37 | +### Subjects |
| 38 | + |
| 39 | +**Subjects** are the resources being acted upon. Examples include: |
| 40 | + |
| 41 | +- **Stacks**: Infrastructure definitions and their runs |
| 42 | +- **Contexts**: Collections of environment variables and files |
| 43 | +- **Policies**: Rules that govern various Spacelift behaviors |
| 44 | +- **Spaces**: Organizational containers for resources |
| 45 | + |
| 46 | +## Getting Started with RBAC |
| 47 | + |
| 48 | +### For new Spacelift users |
| 49 | + |
| 50 | +If you're new to Spacelift, you can start using RBAC right away. Follow these steps to set up your RBAC configuration: |
| 51 | + |
| 52 | +1. Navigate to **Organization Settings** → **Access Control Center** → **Roles** |
| 53 | +2. Review the predefined roles (Space Admin, Space Writer, Space Reader). These are equivalent to legacy roles. |
| 54 | +3. (Optional) Create custom roles with specific actions for your use cases |
| 55 | +4. Assign roles to users and spaces |
| 56 | + |
| 57 | +### Existing Users: Migration from Legacy System Roles |
| 58 | + |
| 59 | +If you're currently using legacy system roles (Read/Write/Admin), your existing configurations have been automatically |
| 60 | +migrated to equivalent RBAC roles: |
| 61 | + |
| 62 | +- **Reader** → **Space Reader** |
| 63 | +- **Writer** → **Space Writer** |
| 64 | +- **Admin** → **Space Admin** |
| 65 | + |
| 66 | +## Authorization Strategies |
| 67 | + |
| 68 | +Spacelift offers two primary approaches for managing user access: |
| 69 | + |
| 70 | +### User Management (Recommended for Most Organizations) |
| 71 | + |
| 72 | +- **GUI or API based**: Manage access using the Spacelift web interface or using the terraform provider |
| 73 | +- **User-friendly**: Invite users and assign roles without writing policies |
| 74 | +- **IdP Integration**: Seamlessly integrate with your identity provider for user management |
| 75 | + |
| 76 | +### Login Policies (Advanced) |
| 77 | + |
| 78 | +- **Policy-as-code**: Define authorization rules using [Open Policy Agent](https://www.openpolicyagent.org/) (OPA) |
| 79 | +- **Dynamic**: Conditional role assignment based on user attributes |
| 80 | +- **Flexible**: Support for complex authorization logic |
| 81 | + |
| 82 | +## Key RBAC Features |
| 83 | + |
| 84 | +### Access Control Center |
| 85 | + |
| 86 | +A dedicated section in Organization Settings for managing your RBAC configuration: |
| 87 | + |
| 88 | +- Create and manage custom roles |
| 89 | +- Assign roles to users, groups, and API keys |
| 90 | +- Monitor role assignments across spaces |
| 91 | + |
| 92 | +### Custom Roles |
| 93 | + |
| 94 | +Go beyond predefined roles by creating custom roles that match your organization's specific needs. |
| 95 | + |
| 96 | +### Space-Bound Permissions |
| 97 | + |
| 98 | +All roles are assigned to specific spaces, providing: |
| 99 | + |
| 100 | +- **Isolation**: Permissions are contained within designated spaces |
| 101 | +- **Inheritance**: Leverage space hierarchies for permission flow |
| 102 | +- **Scalability**: Manage permissions at the appropriate organizational level |
| 103 | + |
| 104 | +## Next Steps |
| 105 | + |
| 106 | +Dive deeper into RBAC with these guides: |
| 107 | + |
| 108 | +- **[RBAC System](rbac-system.md)** - Detailed explanation of Spacelift's RBAC implementation |
| 109 | + |
| 110 | +## Related Topics |
| 111 | + |
| 112 | +- **[User Management](../user-management/README.md)**: Invite and manage team members |
| 113 | +- **[Spaces](../spaces/README.md)**: Organize resources with spaces |
| 114 | +- **[Login Policies](../policy/login-policy.md)**: Policy-based access control |
| 115 | +- **[Single Sign-On](../../integrations/single-sign-on/README.md)**: Enterprise identity integration |
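Review bot: The legacy role names are inconsistent within this file: lines 9 and 59 call them Read/Write/Admin, while the migration mapping at lines 62-64 reads `**Reader** → **Space Reader**` and `**Writer** → **Space Writer**`; use one spelling for the legacy names in all three places, since readers will match the mapping against what they see in their own account. Step 4 of the getting-started list, `4. Assign roles to users and spaces`, also misstates the model given under Actors and Space-Based Control: roles are assigned to actors (users, IdP groups, API keys) and bound to a space, so wording such as "Assign roles to users, IdP groups, or API keys within the relevant space" would match the rest of the page and reminds readers that API keys need the same scoping as people. Under Space-Bound Permissions, `**Inheritance**: Leverage space hierarchies for permission flow` should say in which direction inheritance applies (whether a role granted in a parent space is effective in its child spaces) and whether it can be disabled, because that determines the effective scope of any assignment made high in the hierarchy and is what a reviewer of role assignments needs to know. Minor: "terraform provider" on line 72 should read "Terraform provider", and the Next Steps entry on line 108 uses ` - ` as a separator where every other list on the page uses `:`.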