Users, groups and roles

Authentication & Authorization

Self Service supports different means of authentication for users. Currently, LDAP is supported. This means the user can use its own corporate crendtials to get access. As soon as the user has logged in, authorization is done by Self Service by a combination of a RBAC (Role Based Access Control) and ABAC (Attribute Based Access Control) system.

Roles & Permissions

In a DevOps culture, applications, streams and environments are maintained by the teams responsible for those entities. That is exactly why ownership of resources in Self Service is based on a group (team).

High Level Permissions

At a high level, AUTHOR permissions are needed to create a resource and assign an owner. After the resource has been created, the group ownership is used to determine the users’s permissions. Users with ADMIN rights on specific resources, can create and modify resources even though they are not the owner. For an overview, see the table below.

Table 1. Permissions for Applications, Streams and Environments
View Create Edit Delete Roles

Authenticated user

X

-

-

-

-

Author

X

X

-

-

  • Application Author

  • Stream Author

  • Environment Author

Owner

X

X

X

X

-

Admin

X

X

X

X

  • Application Admin

  • Stream Admin

  • Environment Admin

  • Tenant admin (see below)

Application Permissions

When a user has Edit permissions on an Application, the user has the following additional permissions:

Stream Permissions

When a user has Edit permissions on a Stream, the user has the following additional permissions:

Environment Permissions

When a user has Edit permissions on an Environment, the user has the following additional permissions:

Other Resources

The most frequently modified resources such as Applications, Streams, Environments have now been covered. There are additional resources that are not visible for most users, but can be administered as well, such as:

  • Instance

  • Cluster

  • Group

Group Permissions

See Groups

Tenant permissions

For administering any resource within a tenant, the role "Tenant admin" has been created. This role is intended for people managing the Self Service installation within a company. Anyone with the role Tenant admin has admin permissions for all resources mentioned above, including some additional resources:

  • Users: create, assign roles, modify, delete users

  • Groups: create, modify and delete groups

  • Tenant: modify tenant settings, such as Admin contacts, logo

Instance And Cluster Permissions

For modifying the Instance and Cluster resources, the role Super Admin has been added. This user has the following permissions:

  • Cluster: create, update, delete

  • Instance: create, update, delete, synchronize instance, sychronize environment

Default Roles

By default, users are assigned certain roles when they are created in Self Service. This is done by specifying the axual.default.roles setting of Management API with a comma separated list of roles, e.g. APPLICATION_AUTHOR, ENVIRONMENT_AUTHOR, STREAM_AUTHOR

Users

Creating A User

  1. Visit the Settings page

  2. Click the Users tab

  3. Click on New User. You will see a modal as below:

Creating new user
  1. After filling out the form and saving it, you have created a new user.

Editing A User

  1. Go to the User’s detail page

  2. Click the Edit user button and you see the below page:

Edit user
  1. Filling or changing any information you need and clicking the Save user button updates the user’s information.

Deleting A User

  1. Go to the User’s detail page

  2. Click the Edit user button and you see the below page:

  3. Click on the Delete User button at the bottom left of the page and a confirm modal pops up.

  4. After clicking on Confirm your user is deleted.

Groups

Creating A Group

  1. Go to Settings

  2. Click on Groups on the top right

  3. Then click on the New user group button. You will see a page as below:

Creating new group
  1. After filling out the form and saving it, you have created your new group.

Editing A Group

  1. Go to Settings

  2. Click on Groups on the top right . You will see the list of existing groups.

  3. Click on the group you want to edit. It will take you on the Group’s detail page.

  4. Click on the Edit user group button. On the bottom right, you see the below page:

Edit group
  1. Fill in or change any information you need and click the Save user group button to update the group’s information.

Deleting A Group

Deleting a group can only be done if the group is not owning any entities(applications, environments, streams).

  1. Visit the Group Detail page

  2. Click Edit user group

  3. There is a Delete Group button on the bottom left of the page. Clicking on that button, if all constraints are met and deletion is possible, a confirmation modal opens, as below:

Delete group confirmation
  1. Clicking on Confirm will delete the group. Otherwise, a modal opens with information on how many applications, environments and streams this group owns, as below:

Inform delete group modal

Adding Users To A Group

You can add users to a group from the Add user group page or from the Edit user group page. The forms in these pages have a Members section as below:

Add user to group

You can add a user by clicking on the Add user button and choosing a user from the dropdown.

Removing Users From A Group

You can remove users from a group from the Edit user group page. The form in that page has a Members section as the one above. You can remove a user by clicking on the button with the bin icon.