RBAC
What is Role Based Access Control (RBAC)
Humanitec allows developers in your team or from across your Organization to collaborate on tasks related to delivering software. Users can be invited to join an Organization in Humanitec. They can sign in using their existing GitHub or Google accounts. Users can work on specific Apps with permissions to perform certain actions such as Deploy to Production based on Roles that are granted by Organization Administrators and Managers.
Role Types
You can set roles in an Organization, Application, or Environment.
Organization level roles
- Member: Can access applications they have a role for.
- Manager: Same as the Member Role. In addition, can invite and remove users from the organization in Humanitec, issue API tokens, and create applications.
- Administrator: Has full access to everything within the organization in Humanitec.
Application level roles
- Viewer: Has read-only access to the app.
- Developer: Can update configuration, shared values and secrets, and create environments.
- Owner: Same as the Developer Role, but can additionally configure webhooks, invite and remove users from the app, and delete the app.
Environment types roles
- Deployer: If a user has the Developer or Owner Role of an app, they can create, deploy, and delete environments of this environment type.
When planning your RBAC strategy it is best practice to follow the “Principle Of Least Privilege” (POLP). The idea is that any user of a system should only have the minimum set of permissions necessary to get their job done.
Managing access with Roles
Humanitec uses Roles to assign privileges to Users in a system. Roles encapsulate the granular permissions that a User will need in order to perform certain tasks associated with their job. Each User can have Roles in specific Organizations, Applications, and Environment Types.
Example
- A User with the Developer Role is able to update the configuration for an App the User has access to. But the User cannot delete the App.
- A User with the Viewer Role will not be able to make updates to the configuration.
Organization Roles
Organization Roles cover permissions that affect the entire Organization in Humanitec. This includes User Management, API Tokens, Images, Resources, and Apps.
| Role | Description |
|---|---|
| Member | Can access Apps they have a Role for. |
| Manager | Same as the Member Role. In addition, can invite and remove Users from the Organization in Humanitec and create Apps. |
| Administrator | Has full access to everything within the Organization in Humanitec. |
Notes
- The User who originally created the Organization will have the Administrator Role by default.
- There must always be at least one User in the Organization with the Administrator Role.
- The Administrator is the only Role that can update Resources.
Inviting Users to an Organization
An Organization Administrator or Manager can invite new users to join an existing Organization in Humanitec. An invitation involves sending an email that contains a one-time link that the invited User can follow to associate either their GitHub or Google account with the Organization in Humanitec. The link will expire after 7 days. If the link has expired before a User has accepted the invite, a new invite can be sent.
Users can be invited to an existing Organization from the Organization Settings. Note that only Organization Administrators and Managers can invite users.
- Select Organization settings from the Organization menu.
- In Organization Settings, select the Organization members tab.
- Add the email address of the User to invite in the Email text box on the left hand side.
- Select a role for the User to invite from the Role dropdown on the right hand side. Be aware that you will only have the option to invite Administrators to your Organization if you are an Administrator yourself.
- To invite a user, select Send invite.
Instructions coming soon.
Instructions coming soon.
Instructions coming soon.
Application Roles
Application Roles cover permissions that affect a specific App.
| Role | Description |
|---|---|
| Viewer | Has read-only access to the App. |
| Developer | Can update Configuration, Shared Values and Secrets, create and delete Environments. |
| Owner | Same as the Developer Role, but can additionally configure Webhooks, invite and remove Users from the App and delete the App. |
Notes
- The User who originally created the App will have the Owner Role by default.
- Developer and Owner Roles can only create, delete, or deploy to Environments with the Environment Type they have the Deployer Role for.
- An Owner will not be able to delete an App unless they have the Deployer Role for all the Environment Types used in the App.
Adding Users to an App
Application Roles can be managed in the App Settings Screen. Note that only Organization Administrators and App Owners can grant Application Roles.
- Select App settings at the top of the App Details Screen.
- In App Settings, scroll down to the App members section.
- Select + Add members to enter the email address or name of the User to add.
- Select a role for the User to add from the Role dropdown.
- To add the user, select Add.
Instructions coming soon.
Instructions coming soon.
Instructions coming soon.
User Roles for existing members can be changed on the App Members list.
Environment Type Roles
At this time, there is only one Role for Environment Types.
| Role | Description |
|---|---|
| Deployer | If a User has the Developer or Owner Role of an App, they can create, deploy, and delete Environments of this Environment Type. |
Notes
- All Users have the Deployer Role for the default Environment Type development.
Managing Deployers for Environment Types
Environment Type Roles can be managed from the Organization Settings. Note that only Organization Administrators can grant Environment Type Roles.
- Select Organization settings from the Organization menu.
- In Organization Settings, select the Environment Types tab.
- Select the Deployers button on the Environment Type you would like to configure. This will open a configuration pop up.
- On the modal, add the email address or name of the User you would like to add as a Deployer.
- Select the Done to continue.
Instructions coming soon.
Instructions coming soon.
Instructions coming soon.