Skip to content

docs(orchestrator): clarify workflow-specific permission instance access #2229

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
lokanandaprabhu wants to merge 1 commit into
base: main
Choose a base branch
from
+13 −8
Open

docs(orchestrator): clarify workflow-specific permission instance access #2229

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions workspaces/orchestrator/.changeset/clarify-workflow-permission-docs.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
---
'@red-hat-developer-hub/backstage-plugin-orchestrator-backend': patch
---

- Clarify that `orchestrator.workflow.[workflowId]` also allows access to instances created by the user.
16 changes: 8 additions & 8 deletions workspaces/orchestrator/docs/Permissions.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,14 +3,14 @@ the RBAC plugin. The result is control over what users can see or execute.

## Orchestrator Permissions

| Name | Resource Type | Policy | Description | Requirements |
| ---------------------------------------- | -------------- | ------ | ---------------------------------------------------------------------------------------------- | ------------ |
| orchestrator.workflow | named resource | read | Allows the user to list and read any workflow definition and their instances that they created | |
| orchestrator.workflow.[`workflowId`] | named resource | read | Allows the user to list and read the details of a _single_ workflow definition | |
| orchestrator.workflow.use | named resource | update | Allows the user to run or abort _any_ workflow | |
| orchestrator.workflow.use.[`workflowId`] | named resource | update | Allows the user to run or abort the _single_ workflow | |
| orchestrator.workflowAdminView | named resource | read | Allows the user to view instance variables and workflow definition editor | |
| orchestrator.instanceAdminView | named resource | read | Allows the user to view all workflow instances, including those not created by them | |
| Name | Resource Type | Policy | Description | Requirements |
| ---------------------------------------- | -------------- | ------ | --------------------------------------------------------------------------------------------------- | ------------ |
| orchestrator.workflow | named resource | read | Allows the user to list and read any workflow definition and their instances that they created | |
| orchestrator.workflow.[`workflowId`] | named resource | read | Allows the user to list and read a _single_ workflow definition and its instances that they created | |
| orchestrator.workflow.use | named resource | update | Allows the user to run or abort _any_ workflow | |
| orchestrator.workflow.use.[`workflowId`] | named resource | update | Allows the user to run or abort the _single_ workflow | |
| orchestrator.workflowAdminView | named resource | read | Allows the user to view instance variables and workflow definition editor | |
| orchestrator.instanceAdminView | named resource | read | Allows the user to view all workflow instances, including those not created by them | |

The user is permitted to do an action if either the generic permission or the specific one allows it.
In other words, it is not possible to grant generic `orchestrator.workflow` and then selectively disable it for a specific workflow via `orchestrator.workflow.use.[workflowId]` with `deny`.
Expand Down