Opsera platform: Users, Groups, and RBAC Management

This document contains user guides and instructions for Role Based Access Control on your Opsera platform, from setting site access to group management, item level access, and pipeline access. The sections below walk through each step in the Table of Contents.


Role Based Access: Platform Role and Item Level Based Group Management

The Opsera platform supports both platform level access roles as well as individual item level access rules. Users are assigned one of 3 Platform Roles, but item level access is driven by group membership. Group membership can be managed by Site Admins and Power Users via the Settings area in the portal.

Individual users and groups are then assigned to Pipelines, Tasks, Tools in Registry as well as other core features of the product. The owner or delegated users can then manage this access at the item level.

Individual Access Rules can be applied to Pipelines, Tasks, KPI Dashboards, Scripts and Custom Parameters. By default, if an item (pipeline, tool, etc.) has no access rule applied, all users can see and use it. RBAC controls take effect only once a rule has been applied to that item.

Please note that site level Administrators supersede any item level access rules. Power Users receive the elevated (Manager) policy on items they have been granted access to, but they still have to be granted that access; see Platform Role Definitions below.

Platform Roles

Opsera supports 3 levels of Platform Roles: Administrator, Power User and User. Any user who holds none of those three roles is considered a Guest and defaults to read-only access.

Administrators can manage Role Levels in the Settings → Site Roles screens.

If a user is not assigned any role, they are considered a Guest with standard read-only access: they see whatever items have NO RBAC Access Rules applied and can create their own pipelines, tools, etc., but cannot interact with any pipelines, tasks or tools that they have not been explicitly granted access to via RBAC Access Rules.

Viewing My Platform Role

The My Profile page (available from the top right nav bar drop down) shows what access the user has at that moment, which makes it a good tool for troubleshooting access and other settings. The “Platform Access Role” field on the profile indicates which site level role the user holds. If a user is in two roles (Administrator AND Power User, for example), the site applies the higher of the two privileges. The Groups Membership field is also helpful to see all the groups a user is currently a part of.

If a user’s role is changed, that change may not take effect until the user logs out and back in, or waits 20 minutes.

Group Management

Group Management is controlled via the Settings panel under the Groups UI. This tool is ONLY visible to the Administrators and Power User Roles at this time.

In here Admins and Power Users can create any group model that fits for the organization or team structure. Then users can be added accordingly. These groups are then available for assignment in the Access Rules for pipelines, tasks, etc.

Administrators and Power Users can add and remove group membership*.

*Please note, changes to group membership can take up to 20min to take effect depending on caching timeouts.


Platform Role Definitions

Administrator: Full system access, allowing user to perform all actions on Toolchain, Pipelines, Tool Registry, Tasks, Tag and Data Mapping Management, Analytics, etc. In Pipelines and Tasks, an Administrator can perform all actions on any pipeline as if they were an Owner*. Administrators also see all pipelines and tools, no matter what role settings are in place. So it’s important to limit who is in here.

Power Users: Power Users are intended to have the ability to work with more of the advanced settings of the Opsera platform: Group Management, Tags Management, elevated pipeline settings (for the pipelines they have access to), but not have the FULL account access of an Administrator. As such, they would NOT see everyone’s pipelines or tools, and so they would need to still be granted Pipeline or Tool level access to see or work with individual objects.

Users: Users should be the most common role in use. This is a base level for using all of the features of Opsera in accordance with the Access Rules for individual items.

Guest / Read-Only: This is not explicitly a role, rather it is the lack of role. Any user with no role assigned is treated as a guest with no ability to see anything that already has RBAC rules assigned (please note if tools, pipelines, tasks are wide open and do not have Access Rules defined even Guests would be able to see them). The intention with this classification is primarily to allow any user to log into Opsera and view Insights or Analytics but not to use the Orchestration and Tool Chain capabilities.

*An Owner of a pipeline, task, tool, etc. always has full access to that item. This is why Opsera offers a way to transfer ownership to another user. The Owner of a pipeline or task should be considered an “Administrator” of that item.


Access Rules: Pipelines, Tasks, Tools, etc

Item level access rules are designed to apply users or groups to given objects in the system: Pipelines or Tools at this time. These policies will apply to the given item and its actions. By default, Site Administrators AND individual item Owners will always have full access to a given item. 

The owner of the pipeline will always have full access and visibility to that item, no matter what the roles settings are in relation to that user. If the user does not desire this access, they need to use the Transfer Pipeline feature to transfer ownership to someone else. Item level access can be applied to custom user groups OR individual users.

Following other platform models, IF a user does not have the proper access to a Pipeline or Tool, then the site will completely hide it from them. It will be as if the item doesn’t exist to the user, so they will not see it in the All Pipelines or Tool Registry table AND in the Logs/Blueprints UI, the pipeline will not show up in the drop down.

Pipelines

This functionality operates the same way as Tool Registry. If NO rules are applied, all users have access to an item. If specific rules are set (either via a custom group or direct user) then that takes over.

Each entry below lists the Access Role Type, then the Access Policy, followed by its Description.

Owner: Full Access.

Administrator: Full Access.

Manager (Site Level Power User): Power User Type Policy. Please note, this role is the same as a Site Level Power User. Permitted actions:

·   View Step Configuration

·   Edit Step Details

·   Publish a pipeline to catalog

·   Duplicate a Pipeline

·   Stop, Start, Reset Pipeline

·   Approve Step when pipeline is waiting (this may not apply via Slack; the services end of this still has to be fleshed out.)

·   Edit Access Roles

·   Edit Step Notification Rules

User: End User Type Policy. This is the standard user policy; it is designed to give users just enough access to run, stop and reset a pipeline, and nothing more. They will also see all pipeline activity logs.

Guest: Read Only Access. This allows a user to see a pipeline in the UI. They have read access only, so they can search logs and view activity. Without this access, the user would not even know the pipeline exists.
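The resolution order described in Access Rules above and in the pipeline access table, as an added example in Python. This is not Opsera's code; the data classes, the role and policy names, and the sample users and items are constructed assumptions that follow only the rules this page states: owner and Administrator always win, an item with no rules is open to everyone, rules match by user or by group, a Power User who has been granted an item gets at least the Manager policy, a user with several platform roles gets the highest one, and a user with no role is a Guest.

```python
"""Model of the item-level access resolution described on this page.

Added example, not Opsera's implementation: every structure and name here is
an assumption chosen to mirror the rules the page states.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Effective item-level policies, weakest to strongest.
HIDDEN, GUEST, USER, MANAGER, FULL = "hidden", "guest", "user", "manager", "full"
POLICY_RANK = {HIDDEN: 0, GUEST: 1, USER: 2, MANAGER: 3, FULL: 4}

# Platform roles, weakest to strongest; None means no role, i.e. Guest.
ROLE_RANK = {None: 0, "user": 1, "power_user": 2, "administrator": 3}


@dataclass
class User:
    name: str
    platform_roles: Set[str] = field(default_factory=set)   # a user may hold several
    groups: Set[str] = field(default_factory=set)


@dataclass
class AccessRule:
    """One item-level rule: a policy granted to a single user or to a group."""
    policy: str                     # GUEST, USER or MANAGER
    user: Optional[str] = None
    group: Optional[str] = None


@dataclass
class Item:
    """A pipeline, task or tool. An empty rule list means the item is open to all."""
    name: str
    owner: str
    rules: List[AccessRule] = field(default_factory=list)


def platform_role(user: User) -> Optional[str]:
    """A user in several roles gets the highest one; no role at all means Guest."""
    return max(user.platform_roles, key=lambda r: ROLE_RANK[r], default=None)


def effective_access(user: User, item: Item) -> str:
    """Resolve what a user may do with an item under the page's rules."""
    role = platform_role(user)
    # Administrators and the item's owner always have full access, whatever the
    # rules say; the only way for an owner to lose it is to transfer ownership.
    if role == "administrator" or item.owner == user.name:
        return FULL
    # An item with no access rules is open: everyone, Guests included, can use it.
    if not item.rules:
        return USER
    # Rules match the user directly or through one of their groups.
    granted = [r.policy for r in item.rules
               if r.user == user.name or (r.group is not None and r.group in user.groups)]
    # No matching rule: the item is hidden as if it did not exist.
    if not granted:
        return HIDDEN
    best = max(granted, key=POLICY_RANK.__getitem__)
    # A Power User still has to be granted the item, but once granted they receive
    # at least the Manager (Power User Type) policy on it.
    if role == "power_user":
        best = max(best, MANAGER, key=POLICY_RANK.__getitem__)
    return best


def visible_items(user: User, items: List[Item]) -> List[str]:
    """Names of the items the user would see in the All Pipelines / Tool Registry tables."""
    return [i.name for i in items if effective_access(user, i) != HIDDEN]


# Constructed sample data (assumptions, not real Opsera users or pipelines).
ALICE = User("alice", {"administrator", "power_user"})          # holds two roles
BOB = User("bob", {"power_user"}, {"release-eng"})
CAROL = User("carol", {"user"}, {"qa"})
DAVE = User("dave")                                             # no role: Guest

DEPLOY = Item("deploy-prod", owner="erin", rules=[
    AccessRule(USER, group="release-eng"),
    AccessRule(GUEST, group="qa"),
])
REPORTS = Item("nightly-reports", owner="erin", rules=[AccessRule(USER, user="carol")])
SCRATCH = Item("scratch", owner="dave")                         # no rules: open to all
ITEMS = [DEPLOY, REPORTS, SCRATCH]

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL, DAVE):
        print(f"{u.name:6} role={str(platform_role(u)):14} sees={visible_items(u, ITEMS)}")
        for i in ITEMS:
            print(f"   {i.name:16} -> {effective_access(u, i)}")
```

Two things the run makes visible that the prose only implies. First, bob is a Power User but still cannot see nightly-reports, because no rule grants him or his group access; on deploy-prod, where his group is granted only the User policy, he is raised to Manager. Second, dave has no platform role at all yet holds full access to scratch because he owns it, and he can use any item that carries no rules. When reviewing who can reach a sensitive pipeline, remember that the model above evaluates the current group membership; in the real platform a membership change can take up to 20 minutes to propagate, so removing someone from a group is not an immediate revocation.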

Ownership - Tool Registry

This functionality operates the same way as Pipelines. If NO rules are applied, all users have access to an item. If specific rules are set (either via a custom group or direct user) then that takes over.

Each entry below lists the Access Role Type, then the Access Policy, followed by its Description.

Owner: Full Access.

Administrator: Full Access.

Manager (Site Level Power User): Power User Type Policy. Please note, this role is the same as a Site Level Power User. Permitted actions:

·   Edit tool settings

·   Use tool in pipeline (not implemented yet)

·   Edit tool connection tab

·   Edit tool job/project/account tabs

·   Create a tool

User: End User Type Policy. When complete, this will be the standard user policy where users can select and use the tool. This user should be able to see the tool log output. NOT YET COMPLETE.

Guest: Read-Only Access. When complete, this would mean the user can see the tool in the list, so that they can see who the owner is, other location data or any attributes stored on the tool, BUT they could not use it. NOT YET COMPLETE.
