User Access for Hyperion Mode
Like any enterprise product, Devtron supports fine grained access control to the resources
Access can be added to the User either directly or via Groups.
Access Levelsβ
Devtron supports 4 levels of access
- View only: User with
viewonly access has the least privilege. This user can only view combination of environments, applications and helm charts on which access has been granted to the user. This user cannot view sensitive data like secrets used in applications or charts. - View and Edit: In addition to
viewprivilege mentioned in above, user withView and Editpermission can edit the resource manifests of permitted applications and helm charts to permitted environments. - Admin: User with
adminaccess can create, edit, delete and view permitted applications in permitted projects. - Super Admin: User with
super adminprivilege has unrestricted access to all Devtron resources. Super admin can create, modify, delete and view any Devtron resource without any restriction; its like Superman without the weakness of Kryptonite. Super Admin can also add and delete user access across any Devtron resource, add delete git repository credentials, docker registry credentials, cluster and environment.
Visualize using access table (Apps)β
| Access Level | View App | Create App | Edit App | Delete App | Trigger App |
|---|---|---|---|---|---|
| View | Yes | No | No | No | No |
| View and Edit | Yes | No | Yes | Yes | Yes |
| Admin | Yes | Yes | Yes | Yes | Yes |
| Super Admin | Yes | Yes | Yes | Yes | Yes |
Visualize using access table (Charts)β
| Access Level | View Charts | Install Charts | Edit Charts | Delete Charts |
|---|---|---|---|---|
| View | Yes | No | No | No |
| View and Edit | Yes | No | No | No |
| Admin | Yes | Yes | Yes | Yes |
| Super Admin | Yes | Yes | Yes | Yes |
Visualize using access table (User Management)β
| Access Level | Add User Access | Edit User Access | Delete User Access |
|---|---|---|---|
| Super Admin | Yes | Yes | Yes |
Visualize using access table (Config Management)β
| Access Level | Add Global Config | Edit Global Config | Delete Global Config |
|---|---|---|---|
| Super Admin | Yes | Yes |
To control the access of User and Group
Go to the left main panel -> Select Global Configurations -> Select User Access
Usersβ
1. Add new userβ
Click on Add User, to add one or multiple users.
2. Search the existing Userβ
Click on Search Box, and type your user's email
3. Create User Permissionsβ
When you click on Add User, you will see 4 options to set permission for users which are as follow:
- Email addresses
- Assign super admin permissions
- Group permissions
- Helm Apps
- Project
- Environment
- Application
- Permission
Email addresses:β
In the Email address box, you have to provide the mail ID of the user to whom you want to give access to your applications.
IMP Please note that Email address should be same as that in the email field in the JWT token returned by OIDC provider.
Assign super admin permissionsβ
If you check the option Assign super admin permissions, the user will get full access to your system and the rest of the options will disappear. Please check above to see permission levels.
Click on Save and your user will be saved with super admin permissions.
We suggest that super admin privileges should be given to only select few.
If you donβt want to assign super admin permissions then you have to provide the rest of the information.
Group permissionsβ
This is used to assign user to a particular group and user inherits all the permissions granted to this group. The Group permissions section contains a drop-down of all existing groups on which you have access. This is optional field and more than one groups can be selected for a user.
We will discuss how to create groups in the later section.
Helm Appsβ
Access can be given to user by attaching permission directly to his/her email id through the Helm Apps section. This section has 4 options to manage the permissions of your users.
- Project
Select a project from the drop-down to which you want to give permission to the users. You can select only one project at a time if you want to select more than one project then click Add row.
- Environment or cluster/namespace
In the Environment or cluster/namespace section, you can select one or more than one or all environments at a time. Click on the environment section, you will see a drop-down of your environments and select any environment on which you want to give permission to the user.
IMP If all environments option is selected then user gets access to all current environments and any new environment which gets associated with this application later.
- Application
Similarly, you can select Applications from the drop-down corresponding to your selected Environments. In this section, you can also give permissions to one or more than one or to all applications at a time.
IMP If all applications option is selected then user gets access to all current applications and any new application which gets associated with this project later.
-
Permission
Inside the
Permission, you actually choose which type of permissions you want to give to the users.
There are there different view access levels available for both User and Group as described above:
You can add multiple rows, for Helm Apps.
Once you have finished assigning the appropriate permissions for the listed user, Click on Save.
4. Edit User Permissionsβ
You can edit the user permissions, by clicking on the downward arrow.
Then you can edit the user permissions here.
After you have done editing the user permissions. Click on Save.
If you want to delete the user/users with particular permissions. Click on Delete.
Groupsβ
The advantage of the groups is to define a set of privileges like create, edit, or delete for the given set of resources that can be shared among the users within the group. Users can be added to an existing group to utilize the privileges that it grants. Any access change to group is reflected immediately in user access.
You can select the group which you are creating in the Group permissions section inside Add users.
1. Add new Groupβ
Click on Add Group, to create a new group.
Enter the Group Name and Description.
2. Create Group Permissionsβ
Once you have given the group name and group description.
Then, control the access permissions of groups in the Helm Apps section. Manage the Project, Environment, Application, and Permission access the same as we discuss in the above users section.
You can add multiple rows, for the Helm Apps section.
Once you have finished assigning the appropriate permissions for the listed users, Click on Save.
3. Edit Group Permissionsβ
You can edit the group permissions, by clicking on the downward arrow.
Then you can edit the group permissions here.
Once you are done editing the group permissions. Click on Save.
If you want to delete the groups with particular permissions. Click on Delete.
4. Manage Chart Group Permissionsβ
The chart group permissions for the group will be managed in the same way as for the users. For reference, check Manage chart group permissions for users.