RBAC
Use Case of RBAC on Scoutflo
Role-Based Access Control (RBAC) is a method of regulating access to resources based on the roles assigned to individual users within an organization. On the Scoutflo platform, RBAC plays a critical role in managing and maintaining secure access to key features like clusters, applications, and workspaces. It helps ensure that users can only access the resources and perform actions that are necessary for their role, thus preventing unauthorized changes or deletions.
Use Case in Scoutflo:
RBAC allows Super Admins and Workspace Owners to define roles and permissions across the platform, ensuring:
Secure operations: Only authorized users can perform sensitive actions like billing management or cluster deletion.
Streamlined collaboration: Team members are assigned appropriate roles to avoid unnecessary complexity in permissions.
Efficient management: Different permission levels prevent accidental or malicious changes to critical resources.
The 4 Default Roles Provided by Scoutflo
Scoutflo comes with four main roles that users can be assigned to, each with different levels of access and permissions:
Super Admin:
The Super Admin has the highest level of access on Scoutflo. This role is assigned to the individual who creates the organization’s account.
Where: Account level.
Key Abilities: Manage billing, handle GitHub App and Container Registry integrations, access the Dora dashboard, and perform CRUD operations across all workspaces.
Workspace Owner:
The Workspace Owner has significant control over a specific workspace, allowing them to manage users, clusters, and applications within that workspace.
Where: Workspace level.
Key Abilities: Manage workspace settings, clusters, and applications; invite and manage team members within the workspace.
Workspace User:
A Workspace User can collaborate within the workspace but has more limited permissions than the Owner.
Where: Workspace level.
Key Abilities: Perform tasks like creating and editing clusters or applications, but without higher-level management control.
View-Only:
The View-Only role allows users to view resources without the ability to make changes.
Where: Workspace level.
Key Abilities: Read access to clusters, applications, and connections, view dashboards, and check billing info but cannot edit or manage resources.
Permissions Overview
Scoutflo permissions are divided into two levels: Account Level and Workspace Level. This ensures that roles have appropriate access and control depending on their scope within the organization.
Account Level Permissions
| Resource | Permissions | Description |
| --- | --- | --- |
| Git App | Create, Read, Update, Delete (CRUD) | Manage the GitHub Auth App, including installation and settings. |
| Billing | Read, Update | View and manage account billing details (invoices, subscriptions). |
| Dora Dashboard | View | Access performance metrics related to software delivery. |
Workspace Level Permissions
| Resource | Permissions | Description |
| --- | --- | --- |
| Workspace | Create, Read, Update, Delete (CRUD) | Manage workspaces for team members and resources. |
| Cluster | Create, Read, Update, Delete (CRUD) | Manage Kubernetes clusters, including creating and modifying them. |
| Apps/Connections | Create, Read, Update, Delete (CRUD) | Manage applications and database connections. |
| Invite | Create, Read, Update, Delete (CRUD) | Control user invitations and member roles within workspaces. |
| K8s Dashboard | View | Monitor clusters, resource usage, and application health. |
| Profile Deletion | Delete | Remove user profiles within workspaces (except Super Admins). |
Role-Based Permissions:
Account Level Permissions:
Permissions at the Account level govern actions that affect the entire organization, such as managing integrations, billing, and overarching metrics. These permissions ensure that the appropriate roles can control high-level functions across all workspaces.
1. Git App Permissions
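| Permission | Super Admin | Workspace Owner | Workspace User | View-Only |
| --- | --- | --- | --- | --- |
| Create (Install) | ✅ | ❌ | ❌ | ❌ |
| Read (View) | ✅ | ✅ | ✅ | ❌ |
| Update (Configure) | ✅ | ❌ | ❌ | ❌ |
| Delete (Uninstall) | ✅ | ❌ | ❌ | ❌ |
| Generate User Access Token | ✅ | ✅ | ✅ | ❌ |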
The Git App allows integration with GitHub for version control and deployment. This permission governs the installation, viewing, configuration, and removal of the GitHub Auth App for the organization.
2. Billing Permissions
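| Permission | Super Admin | Workspace Owner | Workspace User | View-Only |
| --- | --- | --- | --- | --- |
| Create (Add billing info) | ✅ | ❌ | ❌ | ❌ |
| Read (View billing info) | ✅ | ✅ | ✅ | ✅ |
| Update (Change billing details) | ✅ | ❌ | ❌ | ❌ |
| Delete (Remove billing info) | ✅ | ❌ | ❌ | ❌ |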
Billing permissions manage the ability to view and update financial information, ensuring that only authorized personnel can make changes to payment methods, subscriptions, and other financial data.
3. Dora Dashboard Permissions
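| Permission | Super Admin | Workspace Owner | Workspace User | View-Only |
| --- | --- | --- | --- | --- |
| Read (View Dashboard) | ✅ | ✅ | ✅ | ✅ |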
Dora Dashboard permissions allow access to key performance metrics for the software delivery process, providing insights into deployment frequency, lead time, and failure rates.
Workspace Level Permissions:
Workspace-level permissions focus on managing specific workspaces, including clusters, applications, and member roles. These permissions ensure fine-grained control over resources within individual workspaces.
1. Workspace Management Permissions
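| Permission | Super Admin | Workspace Owner | Workspace User | View-Only |
| --- | --- | --- | --- | --- |
| Create (New workspace) | ✅ | ✅ | ❌ | ❌ |
| Read (View workspace) | ✅ | ✅ | ✅ | ✅ |
| Update (Edit workspace) | ✅ | ✅ | ❌ | ❌ |
| Delete (Delete workspace) | ✅ | ✅ | ❌ | ❌ |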
Workspace management permissions control the ability to create, modify, and delete workspaces. This is essential for organizing environments and managing teams within isolated workspaces.
2. Cluster Management Permissions
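| Permission | Super Admin | Workspace Owner | Workspace User | View-Only |
| --- | --- | --- | --- | --- |
| Create (New cluster) | ✅ | ✅ | ✅ | ❌ |
| Read (View clusters) | ✅ | ✅ | ✅ | ✅ |
| Update (Edit clusters) | ✅ | ✅ | ✅ | ❌ |
| Delete (Remove clusters) | ✅ | ✅ | ❌ | ❌ |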
Cluster management permissions cover the full lifecycle of Kubernetes clusters, allowing roles to create new clusters, view existing ones, and modify or delete clusters based on their level of access.
3. Application/Connection Management Permissions
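| Permission | Super Admin | Workspace Owner | Workspace User | View-Only |
| --- | --- | --- | --- | --- |
| Create (New app/connection) | ✅ | ✅ | ✅ | ❌ |
| Read (View apps/connections) | ✅ | ✅ | ✅ | ✅ |
| Update (Edit apps/connections) | ✅ | ✅ | ✅ | ❌ |
| Delete (Remove apps/connections) | ✅ | ✅ | ❌ | ❌ |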
These permissions govern the creation, modification, and deletion of applications and database connections within a workspace. They are essential for managing deployments and ensuring the correct configuration of services.
4. Invite Management Permissions
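| Permission | Super Admin | Workspace Owner | Workspace User | View-Only |
| --- | --- | --- | --- | --- |
| Create (Invite new members) | ✅ | ✅ | ❌ | ❌ |
| Read (View invite list) | ✅ | ✅ | ✅ | ✅ |
| Update (Edit roles/invites) | ✅ | ✅ | ❌ | ❌ |
| Delete (Remove members) | ✅ | ✅ | ❌ | ❌ |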
Invite management permissions ensure that only authorized roles can add or remove members, assign roles, or modify the invite list for a workspace.
5. Kubernetes (K8s) Dashboard Permissions
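| Permission | Super Admin | Workspace Owner | Workspace User | View-Only |
| --- | --- | --- | --- | --- |
| Read (View K8s dashboard) | ✅ | ✅ | ✅ | ✅ |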
Access to the Kubernetes Dashboard allows roles to monitor cluster performance, resource usage, and running applications. This permission is essential for ensuring operational visibility without providing modification capabilities.
6. Profile Deletion Permissions
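| Permission | Super Admin | Workspace Owner | Workspace User | View-Only |
| --- | --- | --- | --- | --- |
| Delete (Self or others' profiles) | ✅ (Can delete others but cannot delete self) | ✅ (Self and others) | ✅ (Self only) | ❌ |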
Profile deletion permissions allow for the removal of user profiles from a workspace or the entire account, ensuring proper access control and security.
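As an added example (not Scoutflo's own code), the role tables on this page can be encoded as data and evaluated default-deny, with a regression check that no lower role is granted something a higher role is denied. The identifiers, the `Y`/`-` row encoding, and the reading of "(except Super Admins)" as "Super Admin profiles cannot be deleted" are assumptions.

```python
# Added example: the permission tables on this page as data (constructed encoding).
ROLES = ("super_admin", "workspace_owner", "workspace_user", "view_only")

# One character per role, in ROLES order: "Y" = allowed, "-" = denied.
MATRIX = {
    "git_app": {"create": "Y---", "read": "YYY-", "update": "Y---",
                "delete": "Y---", "generate_token": "YYY-"},
    "billing": {"create": "Y---", "read": "YYYY", "update": "Y---", "delete": "Y---"},
    "dora_dashboard": {"read": "YYYY"},
    "workspace": {"create": "YY--", "read": "YYYY", "update": "YY--", "delete": "YY--"},
    "cluster": {"create": "YYY-", "read": "YYYY", "update": "YYY-", "delete": "YY--"},
    "app_connection": {"create": "YYY-", "read": "YYYY", "update": "YYY-", "delete": "YY--"},
    "invite": {"create": "YY--", "read": "YYYY", "update": "YY--", "delete": "YY--"},
    "k8s_dashboard": {"read": "YYYY"},
}


def is_allowed(role, resource, action):
    """Default deny: unknown roles, resources or actions are refused."""
    row = MATRIX.get(resource, {}).get(action)
    if row is None or role not in ROLES:
        return False
    return row[ROLES.index(role)] == "Y"


def can_delete_profile(actor_role, actor_id, target_role, target_id):
    """Profile deletion depends on the target, so it is not a plain matrix row."""
    is_self = actor_id == target_id
    rules = {
        "super_admin": not is_self,   # others only, never self
        "workspace_owner": True,      # self and others
        "workspace_user": is_self,    # self only
    }
    if target_role == "super_admin":  # assumption: "(except Super Admins)"
        return False
    return rules.get(actor_role, False)  # view_only and unknown roles: deny


def escalation_rows():
    """Rows where a lower role is allowed something a higher role is denied."""
    return [(res, act) for res, acts in MATRIX.items()
            for act, row in acts.items() if "-Y" in row]
```

Running `escalation_rows()` after any change to the matrix catches a row that would give a lower role more access than the role above it.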