bugzmanov edited this page Aug 14, 2012 · 6 revisions

Genesis project: Security roles

Genesis provides the ability to assign one of its predefined roles to a particular user or group. Each role specifies a concrete set of actions that the user is allowed to perform.

Currently Genesis supports 2 types of "static" roles:

  • System roles - roles that affect user capabilities throughout the whole application
  • Project roles - roles that affect user capabilities in a particular project

System roles

System roles can be manipulated via system settings or via the REST API (role management REST API).

Supported roles:

  • ROLE_GENESIS_USER - a user must have this role to be able to log in to the Genesis application (be aware of the genesis.auth.role property). Note: even a system admin without this role should not be able to log in to the application.
  • ROLE_GENESIS_ADMIN - the system admin has practically no restrictions (i.e. it should have access to ALL available REST calls).

REST API that is available ONLY to the system admin:

  • /rest/groups/** - except GET requests, which are also accessible by project admins
  • /rest/users/** - except GET requests, which are also accessible by project admins
  • /rest/plugins/**
  • /rest/settings/**
  • /rest/projects* - DELETE and POST requests

Project roles

Project roles can be manipulated via project settings or via the REST API (role management REST API).

Supported roles:

  • ROLE_GENESIS_PROJECT_USER - role that allows the user to manipulate environments (envs).
    Available REST API:

    • /rest/projects/(projectId)/envs/**
    • /rest/projects/(projectId)/** - GET
    • /rest/projects/(projectId)/permissions - GET
    • /rest/projects - GET (list of projects will be filtered)
      projectId - the id of a project in which the user has the role assigned
  • ROLE_GENESIS_PROJECT_ADMIN - role that allows the user to manipulate project settings, i.e. grant other users access to the project, modify basic project properties, manipulate the project's credentials, etc.
    Available REST API:

    • Everything that is available to ROLE_GENESIS_PROJECT_USER
    • /rest/projects/(projectId)/roles/** - PUT
    • /rest/projects/(projectId)/credentials/**
    • /rest/projects/(projectId) - PUT
    • /rest/groups* and /rest/users/* - GET

projectId - the id of a project in which the user has the role assigned
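
The role lists above can be turned into an expected allow/deny matrix for authorization regression tests. The sketch below is an added example, not Genesis code: the `matches` and `allowed` helpers are hypothetical, the patterns are read with Ant-style semantics (an assumption), the login role is taken to be ROLE_GENESIS_USER, and the optional environment-level restriction is not modelled.

```python
import re

USER, ADMIN = "ROLE_GENESIS_USER", "ROLE_GENESIS_ADMIN"
P_USER, P_ADMIN = "ROLE_GENESIS_PROJECT_USER", "ROLE_GENESIS_PROJECT_ADMIN"

# (pattern, methods) pairs transcribed from the role lists; None means any method.
PROJECT_USER_API = [
    ("/rest/projects/{pid}/envs/**", None),
    ("/rest/projects/{pid}/**", {"GET"}),
    ("/rest/projects/{pid}/permissions", {"GET"}),
    ("/rest/projects", {"GET"}),
]
PROJECT_ADMIN_API = PROJECT_USER_API + [
    ("/rest/projects/{pid}/roles/**", {"PUT"}),
    ("/rest/projects/{pid}/credentials/**", None),
    ("/rest/projects/{pid}", {"PUT"}),
    ("/rest/groups*", {"GET"}),
    ("/rest/users/*", {"GET"}),
]

def matches(pattern, pid, path):
    # Assumption: Ant-style semantics. '/**' = this path or anything below it,
    # '*' = any characters within a single path segment.
    rx = re.escape(pattern.replace("{pid}", str(pid)))
    rx = rx.replace(r"/\*\*", "(/.*)?").replace(r"\*", "[^/]*")
    return re.fullmatch(rx, path) is not None

def allowed(system_roles, project_roles, method, path):
    """system_roles: set of names; project_roles: {project_id: set of names}."""
    if USER not in system_roles:   # no login without it, system admins included
        return False
    if ADMIN in system_roles:      # system admin may call every REST endpoint
        return True
    for pid, roles in project_roles.items():
        rules = (PROJECT_ADMIN_API if P_ADMIN in roles
                 else PROJECT_USER_API if P_USER in roles else [])
        for pattern, methods in rules:
            if (methods is None or method in methods) and matches(pattern, pid, path):
                return True
    return False                   # default deny

# Constructed sample: one user who is project admin in 7 and project user in 8.
alice = ({USER}, {7: {P_ADMIN}, 8: {P_USER}})
for method, path in [("PUT", "/rest/projects/7"), ("PUT", "/rest/projects/8"),
                     ("POST", "/rest/projects/8/envs"), ("POST", "/rest/projects"),
                     ("GET", "/rest/groups"), ("PUT", "/rest/settings/x")]:
    print(method, path, "->", "allow" if allowed(*alice, method, path) else "deny")
```

Comparing this expected matrix with the HTTP status codes a test deployment actually returns highlights endpoints where a project-scoped role reaches another project or a system-admin-only call.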

Restricting access to created environments

Genesis provides optional support for access restrictions at the environment level.

To enable this support, the property genesis.system.security.environment.restriction.enabled must be set to true. This can be done via REST or via the UI (from the system settings page).

Note: for changes to take effect, an application restart is required.

The following rules apply in that mode:

  • Only a project administrator can create new environments
  • Only a project administrator can grant access to specific created environments (access can be granted via the REST API or via the UI, on the environment details page)
  • A regular user can see and access (execute workflows in) only those environments to which they were granted access