User Permissions

Like any enterprise product, Devtron supports fine grained access control to the resources based on:

Type of action allowed on Devtron resources (Create Vs View)
Sensitivity of the data (Editing image Vs Editing memory)

Access can be added to the User either directly or via Permission groups.

Role-based Access Levels

Devtron supports the following levels of access:

View only: User with View only access has the least privilege. This user can only view combination of environments, applications and helm charts on which access has been granted to the user. This user cannot view sensitive data like secrets used in applications or charts.
Build and Deploy: In addition to View only access, user with Build and deploy permission can build and deploy the image of the permitted applications and helm charts to the permitted environments.
Admin: User with Admin access can create, edit, delete and view permitted applications in the permitted projects.
Manager: User with Manager access can do everything that an Admin type user can do, in addition, they can also give and revoke access of users for the applications and environments of which they are Manager.
Super Admin: User with Super admin privilege has unrestricted access to all Devtron resources. Super admin can create, modify, delete and view any Devtron resource without any restriction; its like Superman without the weakness of Kryptonite. Super Admin can also add and delete user access across any Devtron resource, add delete git repository credentials, container registry credentials, cluster and environment.

User Roles And Permissions

1. Custom Applications

User Roles

View

Create

Edit

Delete

Build & Deploy

2. Helm Charts

User Roles

View

Deploy

Edit

Delete

3. User Access

User Roles

Add User Access

Edit User Access

Delete User Access

4. Global Configurations

User Role

Add Global Config

Edit Global Config

Delete Global Config

Add User

To add a user, go to the Authorization > User Permissions section of Global Configurations. Click Add user.

There are two types of permissions in Devtron:

Permission Type

Description

Assign Super admin permission

To assign a super admin access, go to the Authorization > User Permissions section of Global Configurations.

Click Add user.
Provide the email address of a user. You can add more than one email address. Please note that email address must be same as that in the email field in the JWT token returned by OIDC provider.
Select Super admin permission and click Save.
A user now will have a Super admin access.

Note:

Only users with Super admin permission can assign super admin permissions to a user.
We suggest that super admin access must be given to the selected users only.

Assign Specific permissions

To assign a specific permission, go to the Authorization > User Permissions section of Global Configurations.

Click Add user.
Provide the email address of a user. You can add more than one email address. Please note that email address must be same as that in the email field in the JWT token returned by OIDC provider.
Select Specific permissions.
Select the group permission from the drop-down list, if required.
Selecting Specific permission option allows you to manage access and provide the role-based access accordingly for

Devtron Apps Permissions

In Devtron Apps option, you can provide access to a user to manage permission for custom apps created using Devtron.

Note: The Devtron Apps option will be available only if you install CI/CD integration.

Provide the information in the following fields:

Registry Type

Credentials

You can add multiple rows for Devtron app permission.

Once you have finished assigning the appropriate permissions for the users, Click Save.

Helm Apps Permissions

In Helm Apps option, you can provide access to a user to manage permission for Helm apps deployed from Devtron or outside Devtron.

Provide the information in the following fields:

Registry Type

Credentials

You can add multiple rows for Devtron app permission.

Once you have finished assigning the appropriate permissions for the users, Click Save.

Kubernetes Resources Permissions

In Kubernetes Resources option, you can provide permission to view, inspect, manage, and delete resources in your clusters from Kubernetes Resource Browser page in Devtron. You can also create resources from the Kubernetes Resource Browser page.

Note: Only super admin users will be able to see Kubernetes Resources tab and provide permission to other users to access Resource Browser.

To provide Kubernetes resource permission, click Add permission.

On the Kubernetes resource permission, provide the information in the following fields:

Registry Type

Credentials

You can add multiple rows for Kubernetes resource permission.

Once you have finished assigning the appropriate permissions for the users, Click Save.

Chart Group Permissions

In Chart group permission option, you can manage the access of users for Chart Groups in your project.

Note: The Chart group permission option will be available only if you install CI/CD integration.

NOTE: You can only give users the ability to create or edit, not both.

Action

Permissions

Click Saveonce you have configured all the required permissions for the users.

Edit User Permissions

Direct user permissions cannot be edited if you're using LDAP/Microsoft for SSO and 'auto-assign permission' is enabled. Permissions can only be managed via permission groups in such a scenario.

You can edit the user permissions by clicking on the downward arrow.

Edit the user permissions.

After you have done editing the user permissions, click Save.

If you want to delete the user/users with particular permissions, click Delete.

PreviousExample - Okta SSO NextPermission Groups

Last updated 1 month ago