Users, groups and roles
Authentication & Authorization
Self Service supports different means of authentication for users. Currently, LDAP is supported. This means users can log in with their own corporate credentials. As soon as the user has logged in, authorization is done by Self Service through a combination of an RBAC (Role Based Access Control) and an ABAC (Attribute Based Access Control) system.
Roles & Permissions
In a DevOps culture, applications, streams and environments are maintained by the teams responsible for those entities. That is exactly why ownership of resources in Self Service is based on a group (team).
High Level Permissions
At a high level, AUTHOR permissions are needed to create a resource and assign an owner. After the resource has been created, the group ownership is used to determine the user's permissions. Users with ADMIN rights on specific resources can create and modify resources even though they are not the owner. For an overview, see the table below.
| | View | Create | Edit | Delete | Roles |
|---|---|---|---|---|---|
| Authenticated user | X | - | - | - | - |
| Author | X | X | - | - | |
| Owner | X | X | X | X | - |
| Admin | X | X | X | X | |
Application Permissions
When a user has Edit permissions on an Application, the user has the following additional permissions:
Stream Permissions
When a user has Edit permissions on a Stream, the user has the following additional permissions:
Viewing Stream Messages
Access to the messages of a stream is granted based on the following permissions:
- If you are a stream owner: you can see the messages on streams you own
- If you are a tenant admin: you can see the messages on any stream in any environment
- If you are an application owner of a connected application: you can see the messages on any stream, in authorized environments
Environment Permissions
When a user has Edit permissions on an Environment, the user has the following additional permissions:
Default Roles
Whenever a user logs in to Management UI for the first time, the user receives the following roles by default:
- Application Author
- Environment Author
- Stream Author
Other Resources
The most frequently modified resources, such as Applications, Streams and Environments, have now been covered. There are additional resources that are not visible to most users, but can be administered as well, such as:
- Instance
- Cluster
- Group
Group Permissions
See Groups
Tenant permissions
For administering any resource within a tenant, the role "Tenant admin" has been created. This role is intended for people managing the Self Service installation within a company. Anyone with the role Tenant admin has admin permissions for all resources mentioned above, including some additional resources:
- Users: create, assign roles, modify, delete users
- Groups: create, modify and delete groups
- Tenant: modify tenant settings, such as Admin contacts, logo
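The following Python sketch is an added example, not Self Service code: it models how the role part (RBAC) and the group-ownership part (ABAC) described under High Level Permissions, Default Roles and Tenant permissions combine into a single decision. The `(level, kind)` role encoding, the `"*"` wildcard used for Tenant admin and the group names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Actions per permission level, transcribed from the High Level Permissions
# table (the "Roles" column is left out of this model).
LEVEL_ACTIONS = {
    "authenticated": {"view"},
    "author": {"view", "create"},
    "owner": {"view", "create", "edit", "delete"},
    "admin": {"view", "create", "edit", "delete"},
}
KINDS = ("application", "environment", "stream")
# Roles the page says every user receives on first login.
DEFAULT_ROLES = frozenset(("author", kind) for kind in KINDS)
TENANT_ADMIN = ("admin", "*")  # constructed encoding of the "Tenant admin" role


@dataclass(frozen=True)
class User:
    groups: frozenset
    roles: frozenset = DEFAULT_ROLES  # (level, resource kind) pairs


def levels_for(user, kind, owner_group=None):
    """Return every permission level the user holds for one resource."""
    levels = {"authenticated"}
    for level, role_kind in user.roles:      # RBAC part: role scoped by kind
        if role_kind in (kind, "*"):
            levels.add(level)
    if owner_group is not None and owner_group in user.groups:
        levels.add("owner")                  # ABAC part: group ownership
    return levels


def is_allowed(user, action, kind, owner_group=None):
    """Decide one action; owner_group is None while the resource does not exist."""
    if action == "create":
        # Assumption: a resource that is being created has no owner to match
        # yet, so only roles (Author or Admin) can grant "create".
        owner_group = None
    return any(action in LEVEL_ACTIONS[lvl]
               for lvl in levels_for(user, kind, owner_group))
```

Running the model against a user with only the default roles shows the practical effect of the defaults: such a user can create resources of all three kinds but can edit or delete only those owned by one of their own groups.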
Users
Creating A User
- Visit the Settings page
- Click the Users tab
- Click on New User. You will see a modal as below:
- After filling out the form and saving it, you have created a new user.
Groups
Creating A Group
- Go to Settings
- Click on Groups on the top right
- Then click on the New user group button. You will see a page as below:
- After filling out the form and saving it, you have created your new group.
Editing A Group
- Go to Settings
- Click on Groups on the top right. You will see the list of existing groups.
- Click on the group you want to edit. It will take you to the Group's detail page.
- Click on the Edit user group button. On the bottom right, you see the below page:
- Fill in or change any information you need and click the Save user group button to update the group's information.
Deleting A Group
A group can only be deleted if it does not own any entities (applications, environments, streams).
- Visit the Group Detail page
- Click Edit user group
- There is a Delete Group button on the bottom left of the page. When you click that button and all constraints are met so that deletion is possible, a confirmation modal opens, as below:
- Clicking on Confirm will delete the group. Otherwise, a modal opens with information on how many applications, environments and streams this group owns, as below: