Set Up RBAC for Pipelines
Harness Resource-level permissions increase the security of your Pipelines. These permissions are set at the Account/Org/Project level.
This topic describes how to configure Role-Based Access Control (RBAC) for your Pipelines using Resource-level permissions.
In this topic:
- Before You Begin
- Review: RBAC Set Up Process
- Step 1: Create User Groups
- Step 2: Add Members to the Groups
- Next Steps
Before You Begin
- Learn Harness' Key Concepts
- Create Organizations and Projects
- Access Management (RBAC) Overview
- Add and Manage Users
- For information on creating a Pipeline and adding a Stage, see Add a Stage.
- Make sure you have Admin rights for the Account/Org/Project where you want to configure Access Management.
Review: RBAC Set Up Process
Harness RBAC lets you create and grant Roles using Resource-level permissions for your Pipelines. You can do the following:
- Create Users/Groups.
- Control which Users/Groups can access specific Pipelines.
- Allow a User/Group to have read-only access to your Pipelines, but prevent them from making changes.
This topic describes a minimal approach: define three User Groups and assign them Default Roles and Resource Groups at the Project scope. For more on Default Roles at Account/Organization/Project scope, see Default Roles.
View and Execute Pipeline
View, Create, Edit, and Execute Pipeline
This example uses a Sample Pipeline to configure RBAC. The example suggests the creation of three User Groups based on the Default Roles and responsibilities of the Users involved in the process:
- Example_Pipeline_Viewer - Users in this group are allowed only to View Pipelines, not to Create/Edit, Delete, or Execute them. This may be necessary when access to modify/execute Pipelines is given only to certain Users/Groups.
- Example_Pipeline_Executor - Users in this group are allowed to View and Execute Pipelines, but not to Create/Edit or Delete them. For example, a Pipeline created by the Build team can be executed by the Dev team, but can be modified only by the Build team.
- Example_Pipeline_Admin - Users in this group can Create/Edit, Delete, and Execute Pipelines. For example, you may want to grant all privileges to a group that owns that particular Project/Organization/Account.
Step 1: Create User Groups
Create the three User Groups defined above.
Create the Example_Pipeline_Viewer User Group
Add a User Group with the name Example_Pipeline_Viewer. See Add and Manage User Groups for specific instructions.
The members of this group need View permissions to Environments, Services, and Pipelines. Assign the Project Viewer Role and the All Resources Resource Group to this group. You can also create Custom Roles and Resource Groups and assign them to your User Groups as needed. See Add and Manage Roles and Add and Manage Resource Groups for specific instructions.
Create the Example_Pipeline_Executor User Group
Add a User Group with the name Example_Pipeline_Executor. See Add and Manage User Groups for specific instructions.
The members of this group need Access permissions to Environments and Services, and Execute permissions to Pipelines. Assign the Pipeline Executor Role, the Project Viewer Role, and the All Resources Resource Group to this group. You can assign Custom Roles and Resource Groups to your User Groups as mentioned above.
Create the Example_Pipeline_Admin User Group
Add a User Group with the name Example_Pipeline_Admin. See Add and Manage User Groups for specific instructions.
The members of this group need Admin permissions to Environments, Services, and Pipelines. Assign the Project Admin Role and the All Resources Resource Group to this User Group. You can assign Custom Roles and Resource Groups to your User Groups as mentioned above.
Step 2: Add Members to the Groups
Add members to the three User Groups: Example_Pipeline_Viewer, Example_Pipeline_Executor, and Example_Pipeline_Admin. See Add and Manage User Groups for specific instructions on adding members.
You can further refine the type of permissions as needed to restrict Resource-level access.
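One way to check that Steps 1 and 2 produced the intended least-privilege split is to audit an export of role assignments and group memberships against the three-group model. The script below is an added example, not Harness code: the permission names, the role-to-permission mapping, the additive-permission model, and the sample users are assumptions made for illustration.

```python
"""Audit pipeline RBAC against this page's three-group model (added example)."""

# Assumption: simplified pipeline permissions per Default Role, inferred from
# how this page describes each role. Permissions are assumed to be additive.
ROLE_PERMS = {
    "Project Viewer": {"view"},
    "Pipeline Executor": {"execute"},
    "Project Admin": {"view", "create_edit", "delete", "execute"},
}
# Intended pipeline permissions per User Group, as defined on this page.
INTENDED = {
    "Example_Pipeline_Viewer": {"view"},
    "Example_Pipeline_Executor": {"view", "execute"},
    "Example_Pipeline_Admin": {"view", "create_edit", "delete", "execute"},
}

def effective(roles):
    """Union of pipeline permissions over every role bound to a group."""
    return set().union(*(ROLE_PERMS[r] for r in roles))

def audit_groups(assignments):
    """Return {group: (excess, missing)} for groups that drift from INTENDED."""
    findings = {}
    for group, roles in assignments.items():
        have, want = effective(roles), INTENDED[group]
        if have != want:
            findings[group] = (have - want, want - have)
    return findings

def audit_users(memberships, assignments):
    """Flag users who hold more than a group they belong to is meant to grant."""
    findings = []
    for user, groups in sorted(memberships.items()):
        have = set().union(*(effective(assignments[g]) for g in groups))
        for group in sorted(groups):
            excess = have - INTENDED[group]
            if excess:
                findings.append((user, group, sorted(excess)))
    return findings

# Constructed sample data: the Viewer group has picked up an extra role, and
# carol is a member of both the Viewer and the Admin group.
ASSIGNMENTS = {
    "Example_Pipeline_Viewer": ["Project Viewer", "Pipeline Executor"],
    "Example_Pipeline_Executor": ["Pipeline Executor", "Project Viewer"],
    "Example_Pipeline_Admin": ["Project Admin"],
}
MEMBERSHIPS = {"alice": ["Example_Pipeline_Viewer"], "bob": ["Example_Pipeline_Executor"],
               "carol": ["Example_Pipeline_Viewer", "Example_Pipeline_Admin"]}
```

An empty result from both functions means every group and user matches the model; any finding names the group or membership to review.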