Role Based Access - Pipelines & Tool Registry

Opsera platform: Users, Groups, and RBAC Management

This document contains user guides and instructions for Role Based Access Controls on your Opsera platform, from setting site access to group management, item level access, and pipeline access. This guide takes you through each step in the Table of Contents, with screenshots to keep you on the path.


Role Based Access: Platform Role and Item Level Based Group Management

The Opsera platform supports both platform level access roles as well as individual item level access rules. Users are assigned one of 3 Platform Roles, but item level access is driven by group membership. Group membership can be managed by Site Admins and Power Users via the Settings area in the portal.

Individual users and groups are then assigned to Pipelines, Tasks, Tools in Registry as well as other core features of the product. The owner or delegated users can then manage this access at the item level.

Individual Access Rules can be applied to Pipelines, Tasks, KPI Dashboards, Scripts and Custom Parameters. By default, however, if an item (pipeline, tool, etc.) does not have an access rule applied, all users will see it and be able to use it. Only after a rule is applied will RBAC controls apply to that item.

Please note that Site Level Access roles (Administrator or Power User) supersede any item level access rules.

Platform Roles

Opsera supports 3 levels of Platform Roles: Administrator, Power User and User. Any user who is not one of those three is considered a Guest and defaults to “read-only” access.

Administrators can manage Role Levels in the Settings → Site Roles screens.

If a user is not assigned any role, then they are considered a Guest with standard read only access: they see whatever items have NO RBAC Access Rules applied and can create their own pipelines, tools, etc but cannot interact with any pipelines, tasks or tools that they are not explicitly granted access to via RBAC Access Rules.

Viewing My Platform Role

The My Profile page (available from the drop-down in the top right nav bar) shows what access the user has at that moment. It is a good tool for troubleshooting access and other settings. On the Profile page, the “Platform Access Role” field indicates which site level role the user is a member of. If a user is in two roles (Administrator AND Power User, for example), the site will choose the higher of the two privileges. The Groups Membership field is also helpful for seeing all the groups a user is currently a part of.

If a user’s role is changed, that change may not take effect until the user logs out and back in, or waits 20 minutes.

Group Management

Group Management is controlled via the Settings panel under the Groups UI. This tool is ONLY visible to the Administrators and Power User Roles at this time.

Here, Administrators and Power Users can create any group model that fits the organization or team structure, and then add users accordingly. These groups are then available for assignment in the Access Rules for pipelines, tasks, etc.

Administrators and Power Users can add and remove group access*.

*Please note, changes to group membership can take up to 20 minutes to take effect depending on caching timeouts.


Platform Role Definitions

Administrator: Full system access, allowing user to perform all actions on Toolchain, Pipelines, Tool Registry, Tasks, Tag and Data Mapping Management, Analytics, etc. In Pipelines and Tasks, an Administrator can perform all actions on any pipeline as if they were an Owner*. Administrators also see all pipelines and tools, no matter what role settings are in place. So it’s important to limit who is in here.

Power Users: Power Users are intended to have the ability to work with more of the advanced settings of the Opsera platform: Group Management, Tags Management, elevated pipeline settings (for the pipelines they have access to), but not have the FULL account access of an Administrator. As such, they would NOT see everyone’s pipelines or tools, and so they would need to still be granted Pipeline or Tool level access to see or work with individual objects.

Users: Users should be the most common role in use. This is a base level for using all of the features of Opsera in accordance with the Access Rules for individual items.

Guest / Read-Only: This is not explicitly a role, rather it is the lack of role. Any user with no role assigned is treated as a guest with no ability to see anything that already has RBAC rules assigned (please note if tools, pipelines, tasks are wide open and do not have Access Rules defined even Guests would be able to see them). The intention with this classification is primarily to allow any user to log into Opsera and view Insights or Analytics but not to use the Orchestration and Tool Chain capabilities.

*An Owner of a pipeline, task, tool, etc. is always going to have full access to that item. This is why Opsera offers a way to transfer ownership to another user. The Owner of a pipeline or task should be considered an “Administrator” of that item.
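
The visibility rules above can be modelled in a few lines to reason about who sees what and to audit for items left without an Access Rule. This is an added example, not Opsera code or an Opsera API: the class names, role strings, users and items are all hypothetical, constructed for illustration. It assumes Power Users need an item level grant, as stated in the Platform Role Definitions.

```python
from dataclasses import dataclass, field

# Hypothetical role names and ranking; higher number = more privilege.
ROLE_RANK = {"guest": 0, "user": 1, "power_user": 2, "administrator": 3}

@dataclass
class User:
    name: str
    site_roles: set = field(default_factory=set)   # empty set = Guest
    groups: set = field(default_factory=set)

@dataclass
class Item:
    name: str
    owner: str
    allowed_users: set = field(default_factory=set)
    allowed_groups: set = field(default_factory=set)

    @property
    def has_rules(self):
        return bool(self.allowed_users or self.allowed_groups)

def effective_role(user):
    """A user in several site roles gets the highest; no role means Guest."""
    return max(user.site_roles, key=ROLE_RANK.__getitem__, default="guest")

def can_see(user, item):
    if effective_role(user) == "administrator":
        return True        # Administrators see every item
    if item.owner == user.name:
        return True        # the Owner always has full access
    if not item.has_rules:
        return True        # no Access Rule: open to all, Guests included
    return user.name in item.allowed_users or bool(user.groups & item.allowed_groups)

def unprotected(items):
    """Audit helper: items with no Access Rule, visible to every login."""
    return [i.name for i in items if not i.has_rules]

# Constructed sample data (not taken from any real Opsera tenant).
alice = User("alice", {"power_user", "administrator"})
bob = User("bob", {"user"}, {"release-team"})
carol = User("carol")                      # no role assigned: Guest
dave = User("dave", {"power_user"})        # no item level grant
ITEMS = [
    Item("prod-deploy", owner="erin", allowed_groups={"release-team"}),
    Item("scratch-build", owner="bob"),    # no Access Rule applied
]
```

Running `unprotected(ITEMS)` over an export of your own pipelines and tools gives the list that a Guest login can already see.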