docs(aac): initial updates to authorization docs #852
Merged
@@ -0,0 +1,115 @@ | ||
# Authorization & RBAC | ||
|
||
Spacelift provides a comprehensive **Role-Based Access Control (RBAC)** system designed for enterprise infrastructure | ||
teams. RBAC enables fine-grained, customizable permissions giving | ||
you precise control over who can access what resources and perform which actions. | ||
|
||
## Evolution from Legacy System Roles | ||
|
||
Spacelift has evolved from simple **legacy system roles** (Read, Write, Admin) to a custom RBAC system that | ||
offers: | ||
|
||
- **Custom Roles**: Create roles tailored to your organization's specific needs | ||
- **Granular Actions**: Composable permissions like `run:trigger`, `stack:manage` | ||
- **Flexible Assignment**: Assign roles to users, IdP groups, and API keys | ||
- **Space-Based Control**: All roles are bound to specific [Spaces](../spaces/README.md) for organized access management | ||
|
||
## Core RBAC Architecture | ||
|
||
RBAC operates on three fundamental concepts: actions, actors, and subjects. | ||
|
||
### Actions | ||
|
||
**Actions** are the smallest unit of permission granularity. They define specific operations that can be performed | ||
within Spacelift. Examples include: | ||
|
||
- `run:trigger`: Trigger stack runs | ||
- `stack:manage`: Create and modify stacks | ||
|
||
### Actors | ||
|
||
**Actors** are entities that perform actions in the system: | ||
|
||
- **Users**: Individual team members authenticated through your identity provider | ||
- **API Keys**: Programmatic access tokens for automation | ||
- **IdP Groups**: Groups of users as defined by your identity provider | ||
|
||
### Subjects | ||
|
||
**Subjects** are the resources being acted upon. Examples include: | ||
|
||
- **Stacks**: Infrastructure definitions and their runs | ||
- **Contexts**: Collections of environment variables and files | ||
- **Policies**: Rules that govern various Spacelift behaviors | ||
- **Spaces**: Organizational containers for resources | ||
|
||
## Getting Started with RBAC | ||
|
||
### For new Spacelift users | ||
|
||
If you're new to Spacelift, you can start using RBAC right away. Follow these steps to set up your RBAC configuration: | ||
|
||
1. Navigate to **Organization Settings** → **Access Control Center** → **Roles** | ||
2. Review the predefined roles (Space Admin, Space Writer, Space Reader). These are equivalent to legacy roles. | ||
3. (Optional) Create custom roles with specific actions for your use cases | ||
4. Assign roles to users and spaces | ||
|
||
### Existing Users: Migration from Legacy System Roles | ||
|
||
If you're currently using legacy system roles (Read/Write/Admin), your existing configurations have been automatically | ||
migrated to equivalent RBAC roles: | ||
|
||
- **Reader** → **Space Reader** | ||
- **Writer** → **Space Writer** | ||
- **Admin** → **Space Admin** | ||
|
||
## Authorization Strategies | ||
|
||
Spacelift offers two primary approaches for managing user access: | ||
|
||
### User Management (Recommended for Most Organizations) | ||
|
||
- **GUI or API based**: Manage access using the Spacelift web interface or using the terraform provider | ||
- **User-friendly**: Invite users and assign roles without writing policies | ||
- **IdP Integration**: Seamlessly integrate with your identity provider for user management | ||
|
||
### Login Policies (Advanced) | ||
|
||
- **Policy-as-code**: Define authorization rules using [Open Policy Agent](https://www.openpolicyagent.org/) (OPA) | ||
- **Dynamic**: Conditional role assignment based on user attributes | ||
- **Flexible**: Support for complex authorization logic | ||
|
||
## Key RBAC Features | ||
|
||
### Access Control Center | ||
|
||
A dedicated section in Organization Settings for managing your RBAC configuration: | ||
|
||
- Create and manage custom roles | ||
- Assign roles to users, groups, and API keys | ||
- Monitor role assignments across spaces | ||
|
||
### Custom Roles | ||
|
||
Go beyond predefined roles by creating custom roles that match your organization's specific needs. | ||
|
||
### Space-Bound Permissions | ||
|
||
All roles are assigned to specific spaces, providing: | ||
|
||
- **Isolation**: Permissions are contained within designated spaces | ||
- **Inheritance**: Leverage space hierarchies for permission flow | ||
- **Scalability**: Manage permissions at the appropriate organizational level | ||
|
||
## Next Steps | ||
|
||
Dive deeper into RBAC with these guides: | ||
|
||
- **[RBAC System](rbac-system.md)** - Detailed explanation of Spacelift's RBAC implementation | ||
|
||
## Related Topics | ||
|
||
- **[User Management](../user-management/README.md)**: Invite and manage team members | ||
- **[Spaces](../spaces/README.md)**: Organize resources with spaces | ||
- **[Login Policies](../policy/login-policy.md)**: Policy-based access control | ||
- **[Single Sign-On](../../integrations/single-sign-on/README.md)**: Enterprise identity integration |
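Review bot: the legacy role names are inconsistent within this hunk: the "Evolution" paragraph and the migration heading call them "Read, Write, Admin" / "Read/Write/Admin", but the migration mapping below lists "Reader → Space Reader" and "Writer → Space Writer"; settle on one spelling so readers can match what they see in the UI. Step 4 of the getting-started list, "Assign roles to users and spaces", also reads as though spaces are actors, while the Access Control Center section says assignments go to users, groups, and API keys; something like "Assign roles to users, IdP groups, or API keys, scoped to the appropriate space" would agree with the rest of the page. Finally, the "Inheritance: Leverage space hierarchies for permission flow" bullet is the one claim a reader will act on when deciding where to assign an admin role, and it does not state the direction: say whether a role assigned in a parent space is inherited by its child spaces and whether that inheritance can be disabled, or link to the section of the Spaces doc that covers it, since a reader otherwise cannot tell whether a Space Admin assignment at the root reaches every child space.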