Set Up RBAC for Shared Secrets and Connectors

Updated 4 months ago by Rashmi Nanda Sahoo

Harness permissions at the Shared Resources level increase the security of your Connectors and Secrets. These permissions are set at the Account/Org/Project level.

This topic explains how to secure access to your Shared Resources (Connectors and Secrets) using Harness Role-Based Access Control (RBAC).

Before You Begin

Review: RBAC Set Up Process

Harness RBAC lets you create and grant Roles using Resource-level permissions for your Connectors and Secrets.

You can do the following:

  • Create Users/Groups.
  • Control which Users/Groups can access specific Connectors.
  • Grant read-only (view) access to Users/Groups and forbid them from making any changes to your Connectors.

This topic describes a minimal approach: define three User Groups and assign them the Default Roles and Resource Groups at Project scope. You can also create these at Account/Organization scope. For more on Default Roles at Account/Organization/Project scope, see Default Roles.

Step 1: Create User Groups

Create three User Groups:

  • Connector_Viewers
  • Connector_Accessors
  • Connector_Admins

Create the Connector_Viewers User Group

Add a User Group with the name Connector_Viewers. See Add and Manage User Groups for specific instructions.

The members of this group need View permissions to Connectors and Secrets. Assign the Project Viewer Role and the All Resources Resource Group to this group. The users in this group can only View the Connectors and Secrets. You can also assign Custom Roles and Resource Groups to your User Groups. For more on creating a Custom Role and Resource Group, see Add and Manage Roles and Add and Manage Resource Groups.

Create the Connector_Accessors User Group

Add a User Group with the name Connector_Accessors. See Add and Manage User Groups for specific instructions.

The members of this group need View and Access permissions to Connectors and Secrets. Assign Role as Pipeline Executor and Resource Group as All Resources to this User Group. The users in this group can View and Access Connectors and Secrets, but cannot Create/Edit or Delete them. You can assign Custom Roles and Resource Groups to your User Groups as mentioned above.

Create the Connector_Admins User Group

Add a User Group with the name Connector_Admins. See Add and Manage User Groups for specific instructions.

The members of this group need Admin permissions to Connectors and Secrets. Assign Role as Project Admin and Resource Group as All Resources to this User Group. The users in this group can View, Create/Edit, Delete, and Access Connectors and Secrets. You can assign Custom Roles and Resource Groups to your User Groups as mentioned above.

Step 2: Add Members to the Groups

Add members to the three User Groups: Connector_Viewers, Connector_Accessors, and Connector_Admins. See Add and Manage User Groups for specific instructions to invite members to User Groups.

Limit Access to Specific Connectors

By default, when you add Connectors to your Resource Group, all the resources of that type get added. Harness RBAC also lets you limit access to specific Connectors/Secrets. For example, you might want UserGroup1 to be able to access only SampleDockerConnector and no other Connectors.

Perform the following steps to do this:

  • Create a custom Resource Group and add Connectors as its Resource. See Add and Manage Resource Groups for detailed instructions.
  • Click Add Connectors to add SampleDockerConnector.
  • You can now follow the Role Assignment process to grant permissions to the specific Users/Group.
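
The scoping that the steps above set up, modelled as an added example (not Harness code and not the Harness API): it computes what a user can do on a given Connector when one User Group has All Resources and another has a custom Resource Group holding only SampleDockerConnector. The user names, the Pipeline Executor role for UserGroup1, and the rule that permissions from several User Groups add up are assumptions.

```python
from dataclasses import dataclass

# Connector/Secret permissions of the Default Roles, as this page describes them.
ROLE_PERMS = {
    "Project Viewer": {"view"},
    "Pipeline Executor": {"view", "access"},
    "Project Admin": {"view", "access", "create_edit", "delete"},
}
ALL = "*"  # stands for the All Resources Resource Group

@dataclass(frozen=True)
class Assignment:
    group: str
    role: str
    connectors: frozenset  # {ALL}, or the names in a custom Resource Group

def effective(user, membership, assignments):
    """Return {connector or ALL: permissions} for one user.
    Assumption: permissions from several User Groups add up."""
    perms = {}
    for a in assignments:
        if user in membership.get(a.group, ()):
            for c in a.connectors:
                perms.setdefault(c, set()).update(ROLE_PERMS[a.role])
    return perms

def is_allowed(user, action, connector, membership, assignments):
    perms = effective(user, membership, assignments)
    return action in perms.get(connector, set()) | perms.get(ALL, set())

def broad_groups(assignments):
    """User Groups holding more than View on every Connector in scope."""
    return sorted({a.group for a in assignments
                   if ALL in a.connectors and ROLE_PERMS[a.role] - {"view"}})

# Constructed sample data (user names and UserGroup1's role are assumptions).
ASSIGNMENTS = [
    Assignment("Connector_Viewers", "Project Viewer", frozenset({ALL})),
    Assignment("Connector_Accessors", "Pipeline Executor", frozenset({ALL})),
    Assignment("Connector_Admins", "Project Admin", frozenset({ALL})),
    Assignment("UserGroup1", "Pipeline Executor", frozenset({"SampleDockerConnector"})),
]
MEMBERSHIP = {"Connector_Viewers": {"alice"}, "UserGroup1": {"alice", "bob"},
              "Connector_Admins": {"carol"}}

if __name__ == "__main__":
    print(effective("alice", MEMBERSHIP, ASSIGNMENTS))
    print("broad:", broad_groups(ASSIGNMENTS))
```

In this model, bob (only in UserGroup1) can access SampleDockerConnector and nothing else, while alice keeps View on every Connector through Connector_Viewers and gains Access on SampleDockerConnector alone.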

Next Steps

