Set Up RBAC for Pipelines

Updated 4 months ago by Rashmi Nanda Sahoo

Harness Resource-level permissions increase the security of your Pipelines. These permissions are set at the Account/Org/Project level.

This topic describes how to configure Role-Based Access Control (RBAC) for your Pipelines using Resource-level permissions.

Before You Begin

Review: RBAC Set Up Process

Harness RBAC lets you create and grant Roles using Resource-level permissions for your Pipelines. You can do the following:

  • Create Users/Groups.
  • Control which Users/Groups can access specific Pipelines.
  • Allow a User/Group to have read-only access to your Pipelines, but prevent them from making changes.

This topic describes a minimal approach: define three User Groups and assign them the Default Roles and Resource Groups at Project scope. For more on Default Roles at Account/Organization/Project scope, see Default Roles.

| Role (Default) | Responsibility |
| --- | --- |
| Project Viewer | View Pipeline |
| Pipeline Executor | View and Execute Pipeline |
| Project Admin | View, Create, Edit, and Execute Pipeline |

This example uses a Sample Pipeline to configure RBAC. It creates three User Groups based on the Default Roles and the responsibilities of the Users involved in the process:

  • Example_Pipeline_Viewer - Users in this group can only View Pipelines; they cannot Create/Edit, Delete, or Execute them. This may be necessary when access to modify or execute Pipelines is given only to certain Users/Groups.
  • Example_Pipeline_Executor - Users in this group can View and Execute Pipelines, but cannot Create/Edit or Delete them. For example, a Pipeline created by the Build team can be executed by the Dev team, but can be modified only by the Build team.
  • Example_Pipeline_Admin - Users in this group can Create/Edit, Delete, and Execute Pipelines. For example, you may want to grant all privileges to a group that owns that particular Project/Organization/Account.

Step 1: Create User Groups

Create the three User Groups defined above.

Create the Example_Pipeline_Viewer User Group

Add a User Group with the name Example_Pipeline_Viewer. See Add and Manage User Groups for specific instructions.

The members of this group need View permissions to Environments, Services, and Pipelines. Assign the Project Viewer Role and the All Resources Resource Group to this group. You can also create Custom Roles and Resource Groups and assign them to your User Groups as needed. See Add and Manage Roles and Add and Manage Resource Groups for specific instructions.

Create the Example_Pipeline_Executor User Group

Add a User Group with the name Example_Pipeline_Executor. See Add and Manage User Groups for specific instructions.

The members of this group need Access permissions to Environments and Services, and Execute permissions to Pipelines. Assign the Pipeline Executor Role, the Project Viewer Role, and the All Resources Resource Group to this group. You can assign Custom Roles and Resource Groups to your User Groups as mentioned above.

Any User/Group that is granted the Pipeline Executor Role or any Custom Role must also be granted the Project Viewer Role. Without it, the User/Group won't have permissions to view any resources.

Create the Example_Pipeline_Admin User Group

Add a User Group with the name Example_Pipeline_Admin. See Add and Manage User Groups for specific instructions.

The members of this group need Admin permissions to Environments, Services, and Pipelines. Assign the Project Admin Role and the All Resources Resource Group to this User Group. You can assign Custom Roles and Resource Groups to your User Groups as mentioned above.

Step 2: Add Members to the Groups

Add members to the three User Groups — Example_Pipeline_Viewer, Example_Pipeline_Executor, and Example_Pipeline_Admin. See Add and Manage User Groups for specific instructions to add members to User Groups.

You can further refine the type of permissions as needed to restrict Resource-level access.
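
As an added example (not Harness code), the following Python check audits group-to-role assignments against the layout from Step 1 and the Project Viewer rule stated above. The input dictionary is a constructed format, not a Harness API or export schema, and the names Release_Bots and Custom Deployer are hypothetical.

```python
# Added example: audit group -> role assignments against this page's Step 1 layout.
# The data layout is an assumption for illustration, not a Harness export format.

# Roles each example group should hold, as described in Step 1 of this page.
EXPECTED = {
    "Example_Pipeline_Viewer": {"Project Viewer"},
    "Example_Pipeline_Executor": {"Pipeline Executor", "Project Viewer"},
    "Example_Pipeline_Admin": {"Project Admin"},
}

# Per Step 1, Project Admin is assigned on its own; Pipeline Executor and any
# Custom Role need Project Viewer as well, or the group cannot view resources.
STANDALONE_ROLES = {"Project Viewer", "Project Admin"}


def audit(assignments):
    """Return sorted (group, kind, role) findings for a dict of group -> role names."""
    findings = set()
    for group, roles in assignments.items():
        roles = set(roles)
        # Rule: Pipeline Executor or a Custom Role without Project Viewer.
        if roles - STANDALONE_ROLES and "Project Viewer" not in roles:
            findings.add((group, "missing-role", "Project Viewer"))
        expected = EXPECTED.get(group)
        if expected is None:
            continue  # group not described on this page: only the rule above applies
        for role in expected - roles:
            findings.add((group, "missing-role", role))
        for role in roles - expected:
            # More privilege than the group's stated responsibility allows.
            findings.add((group, "excess-role", role))
    return sorted(findings)


# Constructed sample input (hypothetical state of a Project).
SAMPLE = {
    "Example_Pipeline_Viewer": {"Project Viewer", "Pipeline Executor"},
    "Example_Pipeline_Executor": {"Pipeline Executor"},
    "Example_Pipeline_Admin": {"Project Admin"},
    "Release_Bots": {"Custom Deployer"},  # hypothetical group and Custom Role
}

if __name__ == "__main__":
    for group, kind, role in audit(SAMPLE):
        print(f"{group}: {kind}: {role}")
```
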
