-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding Managing policies docs #1426
Changes from 4 commits
373c6f6
00d1eff
ebe996b
bc86286
ab7aaa9
7ff15f4
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
--- | ||
title: Policies Management | ||
publishedDate: '2024-11-05T21:00:00.0Z' | ||
description: How to configure and manage policies in Roadie for access control. | ||
--- | ||
|
||
## Introduction | ||
|
||
In Roadie, **policies** are integral components of the permissions framework, governing access control within the platform. They define the rules and conditions under which users can perform specific actions on various resources, such as services, components, or documentation. | ||
|
||
**Key aspects of policies:** | ||
|
||
- **Authorization Decisions:** Policies determine whether a user is permitted to execute a particular action. For instance, a policy might allow only the owner of a service to delete it from the catalog. For more on policy definitions, refer to the [Backstage documentation](https://backstage.io/docs/permissions/writing-a-policy/). | ||
- **Conditional Logic:** Policies can incorporate complex conditions, such as verifying if a user belongs to a specific group or possesses certain attributes, to make nuanced authorization decisions. Details are available in the [Backstage documentation on custom rules](https://backstage.io/docs/permissions/custom-rules/). | ||
- **Customization:** Administrators have the flexibility to craft custom policies tailored to their organization's unique requirements, ensuring that access controls align with internal processes and security standards. Read more in the [Backstage custom rules documentation](https://backstage.io/docs/permissions/custom-rules/). | ||
|
||
By implementing policies, Roadie ensures that access to resources is managed effectively, enhancing security and maintaining the integrity of the development environment. | ||
|
||
To configure this in Roadie we provide a UI for **Policies Management** and you can access it at: `https://<tenant name>.roadie.so/administration/settings/policies`. | ||
|
||
Currently, a set of permissions is available from the upstream Backstage project, with the option to create and validate new permissions. | ||
|
||
- Built-in policies cannot be modified or removed, but they can be added to or removed from roles. | ||
- Each policy can be configured with an effect to either **ALLOW** or **DENY** the specified permissions and the conditions set for the policy. | ||
|
||
### Conditions for Configurable Permissions | ||
|
||
Some permissions allow configuration with a set of conditions, particularly those starting with `catalog.entity.`. These conditions enable access customization based on defined rules. Currently, these are the available rules: | ||
|
||
| Rule Name | Parameters | Description | | ||
| --------------------- | --------------------- | --------------------------------------------------------------------------- | | ||
| isEntityOwner | None | Checks if the user is the owner of the entity. | | ||
| isUserEntity | None | Checks if the entity represents the current user. | | ||
| hasOwnEntityName | None | Validates that the entity has its own unique name. | | ||
| hasOwnEntityNamespace | None | Confirms that the entity has its own designated namespace. | | ||
| hasEntityKind | `kinds` | Checks if the entity is of a specific kind (e.g., Component, API). | | ||
| hasSpec | `key`, `value` | Verifies the entity’s specification includes a specific key-value pair. | | ||
| hasMetadata | `key`, `value` | Ensures the entity metadata contains a specific key-value pair. | | ||
| hasLabel | `label` | Checks if the entity includes a specific label in its metadata. | | ||
| hasAnnotation | `annotation`, `value` | Validates the presence of a particular annotation in the entity’s metadata. | |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -6,13 +6,15 @@ description: How to configure access control permissions in Roadie. | |
|
||
## Introduction | ||
|
||
**This feature is currently in the process of being rolled out. If you want access, please contact our support or sales teams.** | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Is this true? I believe this is enabled to everyone There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I changed it to the policies document, my mistake. Roles management has been rolled out, just not Policies management |
||
|
||
Roadie comes with RBAC out of the box. We provide 4 default roles: `admin`, `viewer`, `maintainer` and `tech-insights-admin`. It is possible to also define custom roles - please contact our sales team if this is something you are interested in. | ||
|
||
| Name | Description | | ||
|------|-------------------| | ||
| admin | Can perform any action in Roadie | | ||
| viewer | Can only view data within Roadie | | ||
| maintainer | Can read and write data, but cannot access administration settings or tech insights editing | | ||
| Name | Description | | ||
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------ | | ||
| admin | Can perform any action in Roadie | | ||
| viewer | Can only view data within Roadie | | ||
| maintainer | Can read and write data, but cannot access administration settings or tech insights editing | | ||
| tech-insights-admin | Can edit scorecards, checks and data sources in tech insights. This role requires one of viewer / maintainer to work correctly | | ||
|
||
## Assigning Roles | ||
|
@@ -24,7 +26,7 @@ There are two ways to assign a role to a user in Roadie: | |
|
||
### User Management | ||
|
||
- Visit the user management page in `https://<tenant name>.roadie.so/administration/manage-users`. | ||
- Visit the user management section in `https://<tenant name>.roadie.so/administration/settings/manage-users`. | ||
- Find the name of the user you would like to assign a role to. | ||
- Click the edit pencil and then add the roles you would like to assign the user. | ||
|
||
|
@@ -41,11 +43,12 @@ If your Roadie tenant is using a custom identity provider, you can choose to inc | |
``` | ||
|
||
## Setting the default roles | ||
|
||
If a user has no role associated yet, e.g. if it is the first time they have logged in and there are no roles associated with the user, then the user is allowed the policies associated with the default roles. There can be many default roles. | ||
|
||
To edit the default roles: | ||
|
||
- Visit `http://<tenant name>.roadie.so/administration/roles` | ||
- Visit `http://<tenant name>.roadie.so/administration/settings/roles` | ||
- Click the edit pencil beside the roles you would like to be the default roles | ||
- The click "Set as default role" and save. | ||
- You can perform similar steps to make a role no longer a default role. | ||
- You can perform similar steps to make a role no longer a default role. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Change this to not be written from Backstage point of view but from Roadie POV and referring to and on top of Backstage permissions/policies.