From f5ffccf9149e11987ee6aacac4a91789b4d0e4f8 Mon Sep 17 00:00:00 2001 From: Bharathvaj Date: Thu, 5 Jun 2025 14:56:58 +0530 Subject: [PATCH 01/14] Added Access Manager Documentation --- .../authorization/user-access.md | 127 ++++++++++++++---- 1 file changed, 99 insertions(+), 28 deletions(-) diff --git a/docs/user-guide/global-configurations/authorization/user-access.md b/docs/user-guide/global-configurations/authorization/user-access.md index 0df6f36a0..acf795073 100644 --- a/docs/user-guide/global-configurations/authorization/user-access.md +++ b/docs/user-guide/global-configurations/authorization/user-access.md @@ -95,33 +95,104 @@ If you assign a permission group as well as direct permissions, the user will ha ### Devtron Apps permissions {% hint style="warning" %} + ### Note -The 'Devtron Apps' tab will be available only if the [CI/CD module](../../integrations/build-and-deploy-ci-cd.md) is installed. + +The **Devtron Apps** tab is displayed only when the [Build and Deploy (CI/CD)](../../integrations/build-and-deploy-ci-cd.md) module is installed in your Devtron instance. + {% endhint %} -Here you can grant your user the permissions for Devtron apps. +The **Devtron Apps** tab allows you to grant user permissions for Devtron applications. ![Figure 9: Granting Devtron Apps Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/devtron-apps-perm.jpg) | Field | Description | | --- | --- | -| **Project** | Select a project from the dropdown list to grant the user access. You can select only one project at a time.
**Note**: If you want to select more than one project, then click **Add Permission**. | -| **Environment** | Select a specific environment or all environments from the dropdown list.
**Note**: If you select `All environments`, the user will have access to all the current environments including any new environment which gets associated with the application later. | -| **Application** | Select a specific application or all applications from the dropdown list corresponding to your selected environments.
**Note**: If you select `All applications`, the user will have access to all current and future applications associated with the project. Moreover, user with access to all applications, can create new applications too. | -| **Role** | Available Roles:[Click here](#roles-available-for-devtron-apps) to learn more about the role you wish to assign the user. | +| **Project** | Select your preferred project from the drop-down box to grant the user access. You can select only one project at a time.
**Note**: If you want to select more than one project, then click **Add Permission**. | +| **Environment** | Select a specific environment or all environments from the drop-down box as per your requirement.
**Note**: If you select `All environments`, the user will have access to all the current environments and any new environment which gets associated with the application in the future. | +| **Application** | Select a specific application or all applications from the drop-down box that is associated with the environment(s) selected in the **Environment** drop-down box, as per your requirement.
**Note**: If you select `All applications`, the user will have access to all the current and future applications associated with the project. Moreover, user with access to all applications, can create new applications too. | +| **Role** | Available Roles:[Click here](#roles-available-for-devtron-apps) to learn more about the role you wish to assign to the user. | | **Status** | Read: [Making Users Active/Inactive](#at-direct-permissions-level) [![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/elements/EnterpriseTag.svg)](https://devtron.ai/pricing) | #### Roles available for Devtron Apps -There are seven role-based access levels for Devtron Apps: +The role-based access for Devtron Apps are as follows: + +**Base Role** + +* **View only**: Users can view applications and access environments but cannot view sensitive information like secrets used in applications or charts or perform any actions. + +* **Build and Deploy**: In addition to **View only** permission, users can build and deploy images of applications in permitted environments. + +* **Admin**: Users can create, edit, deploy, and delete permitted applications in permitted projects. + +* **Manager**: In addition to **Admin** permission, users can also grant or revoke user access for applications and environments that they manage. + +* **Additional Roles** [![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/elements/EnterpriseTag.svg)](https://devtron.ai/pricing) + + **Additional Roles** is an enterprise feature that allows you to assign specific permissions to a user beyond their **Base Role**. For example, you can grant a user both the **Build and Deploy** (Base Role) and **Config Approver** permissions (Additional Role). This allows the user to build and deploy images, while also being responsible for approving configuration change requests. 
+ + The following permissions are currently available in **Additional Roles**: + + * **Config Approver**: You can approve configuration change requests for [Deployment Templates](../../creating-application/deployment-template.md), [ConfigMaps](../../creating-application/config-maps.md), and [Secrets](../../creating-application/secrets.md). However, you cannot self-approve your own proposed changes, even if you have the **Config Approver** permission or even the Super Admin access. + + * **Artifact promoter**: You can approve the promotion of [artifacts](../../../reference/glossary.md#artifacts) directly to the target CD pipeline. For example, if your application workflow includes three CD pipelines (e.g., dev, qa, and prod) and someone raises a request to bypass dev and qa and deploy the artifact directly to prod, you can approve and perform this action with the **Artifact promoter** permission. + + * **Deployment approver**: You can approve the image deployment requests. + +**Access Manager** [![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/elements/EnterpriseTag.svg)](https://devtron.ai/pricing) + +{% hint style="warning" %} + +### Who Can Perform This Action? + +Only [Super-Admins](#grant-super-admin-permission) can create an **Access Manager** role. + +{% endhint %} + +![Figure 10: Access Manager](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/access-manager-highlighted.jpg) + +**Access Manager** is an enterprise feature that allows you to manage user permissions on a granular level. As an Access Manager, you can assign or revoke permissions of existing users within your granted scope. 
+ +For example, when a Super-Admin creates an Access Manager and grants him **View only** access under **Base Role**, and **Admin**, **Config Approver** permissions under the **Access Manager** role, then the Access Manager will have **View only** access across Devtron and will not be able to perform any other operations. + +However, he will still be able to assign **View only** access, assign or revoke **Admin** and **Config Approver** permissions to other existing users. This is possible because the Super-Admin has explicitly granted those permissions under the **Access Manager** role when creating the Access Manager. + +{% hint style="warning" %} + +### Important Note + +An Access Manager cannot create other Access Managers or add new users. Creation of new users and Access Manager is restricted only to Super-Admin. + +{% endhint %} + +If a Super-Admin enables the **Can manage access for all roles** toggle for a user, then that user can create new users, modify permissions of even existing Super-Admins. However, he will still not be able to create a Super-Admin. The **Can manage access for all roles** toggle is exclusively available to Super Admins and is not visible to any other users. + +![Figure 11: Can manage access for all roles Toggle](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/cmafar-highlighted.jpg) + +Enabling this toggle, however, does not grant the user the ability to give another user the Access Manager role. When an Access Manager modifies permissions of an existing user, the **Access Manager** toggle in the **Role** drop-down box remains hidden. + +![Figure 12: Access Manager is not Displayed](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/access-manager-not-displayed.jpg) + +For a Super-Admin, the **Access Manager** toggle is disabled by default. 
When you enable the **Access Manager** toggle from the **Role** drop-down but do not select any permissions, the system treats it as if the toggle were never enabled. In other words, enabling the toggle without assigning any permissions has no effect. Therefore, when enabling the **Access Manager** toggle, it is recommended to select at least one permission to ensure the role is active. + +The following permissions are currently available in the Access Manager role: + +* **View only**: When selected, this permission allows you to grant or revoke View Only access to other users. + +* **Build and Deploy**: When selected, this permission allows you to grant or revoke Build and Deploy access to other users. + +* **Admin**: When selected, this permission allows you to grant or revoke Admin access to other users. + +* **Config Approver**: When selected, this permission allows you to grant or revoke Config Approver access to other users. + +* **Artifact promoter**: When selected, this permission allows you to grant or revoke Artifact promoter access to other users. + +The **Deployment approver** permission is not currently available within the **Access Manager** role. If you would like to see this permission included, we encourage you to raise a feature request on GitHub. + +An Access Manager cannot modify Super Admin permissions. If an Access Manager attempts to perform any action beyond their granted scope, the system will display an appropriate error message. For example, if an Access Manager has **View Only** access under the **Base Role**, and attempts to modify an existing user who currently has **Admin** access, the Access Manager can downgrade the user’s access to **View only**. But, he will not be able to reassign **Admin** access afterward, as he himself do not hold that permission and an appropriate error message is displayed. Access Managers can only modify permissions that fall within their own granted scope. -1. 
**View only**: These users can view applications and environments access to but cannot view sensitive data like secrets used in applications or charts. -2. **Build and Deploy**: In addition to `View only` access, these users can build and deploy images of applications to permitted environments. -3. **Admin**: These users can create, edit, deploy, and delete permitted applications in selected projects. -4. **Manager**: These users have the same permissions as `Admin` but can also grant or revoke user access for applications and environments they manage. -5. **Image approver**: These users can approve image deployment requests. -6. **Configuration approver**: These users can approve configuration change requests for [Deployment Templates](../../creating-application/deployment-template.md), [ConfigMaps](../../creating-application/config-maps.md), and [Secrets](../../creating-application/secrets.md). However, users cannot self-approve their own proposed changes, even if they have this role or Super Admin access. -7. **Artifact promoter**: These users have the authority to approve the promotion of [artifacts](../../../reference/glossary.md#artifacts) directly to the target CD pipeline. +When an Access Manager modifies and assigns the **Artifact Promoter** permission to an existing user, for example, then that user will only have **Artifact Promoter** permission selected and displayed in the **Role** drop-down box, whereas the other permissions, **Config Approver** and **Deployment approver**, will not be displayed. However, super-admin users have unrestricted access to all Devtron resources. They can create, modify, delete, and manage any resource, including user access, Git repositories, container registries, clusters, and environments. 
@@ -131,7 +202,7 @@ However, super-admin users have unrestricted access to all Devtron resources. Th | **Build and Deploy** | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | | **Admin** | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | | **Manager** | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | -| **Image Approver** | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | +| **Deployment Approver** | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | | **Configuration Approver** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | | **Artifact Promoter** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | | **Super Admin** | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | @@ -141,7 +212,7 @@ However, super-admin users have unrestricted access to all Devtron resources. Th Here you can grant your user the permissions for Helm apps deployed from Devtron or outside Devtron. -![Figure 10: Granting Helm Apps Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/helm-apps-perm.jpg) +![Figure 13: Granting Helm Apps Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/helm-apps-perm.jpg) | Field | Description | | --- | --- | @@ -170,7 +241,7 @@ There are three role-based access levels for Helm Apps: Here you can grant your user the permissions to access the jobs created in Devtron. -![Figure 11: Granting Jobs Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/jobs-perm.jpg) +![Figure 14: Granting Jobs Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/jobs-perm.jpg) | Field | Description | | --- | --- | 
@@ -209,10 +280,10 @@ Here you can provide permission to view, inspect, manage, and delete resources i To grant Kubernetes resource permission, click **Add permission**. -![Figure 12a: Adding Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm1.jpg) +![Figure 15a: Adding Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm1.jpg) -![Figure 12b: Granting Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm2.jpg) +![Figure 15b: Granting Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm2.jpg) | Field | Description | | --- | --- | @@ -246,7 +317,7 @@ The 'Chart Groups' tab will be available only if the [CI/CD module](../../integr Here you can grant your user the permissions for accessing Chart Groups. Note that you can only give users the permission to either create chart groups or edit them, but not both. -![Figure 13: Granting Chart Group Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/chart-group-perm.jpg) +![Figure 16: Granting Chart Group Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/chart-group-perm.jpg) | Action | Permissions | | :--- | :--- | 
@@ -279,7 +350,7 @@ Here you can grant your user the permissions for accessing Chart Groups. Note th When working with multiple collaborators in Devtron, you may need to deactivate users who no longer require access and reactivate them when needed. This applies to users of Devtron Apps, Helm Apps, Jobs, and Kubernetes Resources. -![Figure 14: Active/Inactive Options](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/active-inactive-levels.jpg) +![Figure 17: Active/Inactive Options](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/active-inactive-levels.jpg) You can manage a user's active status at three levels: * [User-level](#at-user-level) @@ -289,7 +360,7 @@ You can manage a user's active status at three levels: ### At User level -![Figure 15: Active/Inactive User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/user-level-activation.jpg) +![Figure 18: Active/Inactive User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/user-level-activation.jpg) * **Active/Activate** - Use this option to activate a deactivated user while retaining their previous roles and permissions. * **Inactive/Inactivate** - Use this option to deactivate an existing active user and save the changes. If the user has an ongoing session, they will be logged out permanently on their next action or refresh. 
@@ -297,7 +368,7 @@ You can manage a user's active status at three levels: ### At Permission Group level -![Figure 16: Active/Inactive User from Permission Group](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/group-level-activation.jpg) +![Figure 19: Active/Inactive User from Permission Group](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/group-level-activation.jpg) * **Active/Activate** - Use this option to allow permissions from the group to take effect for the user. * **Inactive/Inactivate** - Use this option to prevent permissions from the group from taking effect for the user. However, they can still log in/log out of Devtron if [active at the user-level](#at-user-level). @@ -305,7 +376,7 @@ You can manage a user's active status at three levels: ### At Direct Permissions level -![Figure 17: Active/Inactive User for Project Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/permission-level-activation.jpg) +![Figure 20: Active/Inactive User for Project Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/permission-level-activation.jpg) * **Active/Activate** - Use this option to grant the project/resource access to the user. * **Inactive/Inactivate** - Use this option to revoke the project/resource access from the user. **Note**: The user will still be able to log in/log out of Devtron if [active at user-level](#at-user-level). 
@@ -328,7 +399,7 @@ Direct user permissions cannot be edited if you're using [LDAP](./sso/ldap.md)/[ You can edit the user permissions by clicking the edit icon. Click **Save** after editing the permissions. -![Figure 18: Editing User Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/edit-permissions.gif) +![Figure 21: Editing User Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/edit-permissions.gif) --- @@ -343,7 +414,7 @@ You may download the user data of current users and deleted users in a CSV forma * Role * Timestamps for User Addition, Updation, and Deletion -![Figure 19: Exporting User Data](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/export-users-csv-v2.gif) +![Figure 22: Exporting User Data](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/export-users-csv-v2.gif) --- @@ -357,6 +428,6 @@ You may download the user data of current users and deleted users in a CSV forma If you want to delete a user, click **Delete**. -![Figure 20: Deleting a User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/delete-user.jpg) +![Figure 23: Deleting a User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/delete-user.jpg) -This will remove the user from the system along with all the permissions granted earlier. The user will no longer be able to log in to Devtron unless added again. +This will remove the user from the system along with all the permissions granted earlier. The user will no longer be able to log in to Devtron unless added again. \ No newline at end of file From 6ab1c75302b61ff4e3ec361ce19274109e354840 Mon Sep 17 00:00:00 2001 
From: Bharathvaj Date: Thu, 5 Jun 2025 15:05:28 +0530 Subject: [PATCH 02/14] Added missing links --- .../authorization/user-access.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/user-guide/global-configurations/authorization/user-access.md b/docs/user-guide/global-configurations/authorization/user-access.md index acf795073..c5037b438 100644 --- a/docs/user-guide/global-configurations/authorization/user-access.md +++ b/docs/user-guide/global-configurations/authorization/user-access.md 
@@ -154,19 +154,19 @@ Only [Super-Admins](#grant-super-admin-permission) can create an **Access Manage **Access Manager** is an enterprise feature that allows you to manage user permissions on a granular level. As an Access Manager, you can assign or revoke permissions of existing users within your granted scope. -For example, when a Super-Admin creates an Access Manager and grants him **View only** access under **Base Role**, and **Admin**, **Config Approver** permissions under the **Access Manager** role, then the Access Manager will have **View only** access across Devtron and will not be able to perform any other operations. +For example, when a [Super-Admin](#grant-super-admin-permission) creates an Access Manager and grants him **View only** access under **Base Role**, and **Admin**, **Config Approver** permissions under the **Access Manager** role, then the Access Manager will have **View only** access across Devtron and will not be able to perform any other operations. -However, he will still be able to assign **View only** access, assign or revoke **Admin** and **Config Approver** permissions to other existing users. This is possible because the Super-Admin has explicitly granted those permissions under the **Access Manager** role when creating the Access Manager. +However, he will still be able to assign **View only** access, assign or revoke **Admin** and **Config Approver** permissions to other existing users. This is possible because the [Super-Admin](#grant-super-admin-permission) has explicitly granted those permissions under the **Access Manager** role when creating the Access Manager. {% hint style="warning" %} ### Important Note -An Access Manager cannot create other Access Managers or add new users. Creation of new users and Access Manager is restricted only to Super-Admin. +An Access Manager cannot create other Access Managers or add new users. 
Creation of new users and Access Manager is restricted only to [Super-Admins](#grant-super-admin-permission). {% endhint %} -If a Super-Admin enables the **Can manage access for all roles** toggle for a user, then that user can create new users, modify permissions of even existing Super-Admins. However, he will still not be able to create a Super-Admin. The **Can manage access for all roles** toggle is exclusively available to Super Admins and is not visible to any other users. +If a [Super-Admin](#grant-super-admin-permission) enables the **Can manage access for all roles** toggle for a user, then that user can create new users, modify permissions of even existing [Super-Admin](#grant-super-admin-permission). However, he will still not be able to create a [Super-Admin](#grant-super-admin-permission). The **Can manage access for all roles** toggle is exclusively available to [Super-Admin](#grant-super-admin-permission) and is not visible to any other users. ![Figure 11: Can manage access for all roles Toggle](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/cmafar-highlighted.jpg) 
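Review bot: In this hunk the added line "modify permissions of even existing [Super-Admin](#grant-super-admin-permission)" drops the plural that the removed line had ("existing Super-Admins"), and the same paragraph now links the same anchor four times; keep "Super-Admins" and link the term on first mention only.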
@@ -174,7 +174,7 @@ Enabling this toggle, however, does not grant the user the ability to give anoth ![Figure 12: Access Manager is not Displayed](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/access-manager-not-displayed.jpg) -For a Super-Admin, the **Access Manager** toggle is disabled by default. When you enable the **Access Manager** toggle from the **Role** drop-down but do not select any permissions, the system treats it as if the toggle were never enabled. In other words, enabling the toggle without assigning any permissions has no effect. Therefore, when enabling the **Access Manager** toggle, it is recommended to select at least one permission to ensure the role is active. +For a [Super-Admin](#grant-super-admin-permission), the **Access Manager** toggle is disabled by default. When you enable the **Access Manager** toggle from the **Role** drop-down but do not select any permissions, the system treats it as if the toggle were never enabled. In other words, enabling the toggle without assigning any permissions has no effect. Therefore, when enabling the **Access Manager** toggle, it is recommended to select at least one permission to ensure the role is active. The following permissions are currently available in the Access Manager role: 
@@ -190,11 +190,11 @@ The following permissions are currently available in the Access Manager role: The **Deployment approver** permission is not currently available within the **Access Manager** role. If you would like to see this permission included, we encourage you to raise a feature request on GitHub. -An Access Manager cannot modify Super Admin permissions. If an Access Manager attempts to perform any action beyond their granted scope, the system will display an appropriate error message. For example, if an Access Manager has **View Only** access under the **Base Role**, and attempts to modify an existing user who currently has **Admin** access, the Access Manager can downgrade the user’s access to **View only**. But, he will not be able to reassign **Admin** access afterward, as he himself do not hold that permission and an appropriate error message is displayed. Access Managers can only modify permissions that fall within their own granted scope. +An Access Manager cannot modify [Super-Admin](#grant-super-admin-permission) permissions. If an Access Manager attempts to perform any action beyond their granted scope, the system will display an appropriate error message. For example, if an Access Manager has **View Only** access under the **Base Role**, and attempts to modify an existing user who currently has **Admin** access, the Access Manager can downgrade the user’s access to **View only**. But, he will not be able to reassign **Admin** access afterward, as he himself do not hold that permission and an appropriate error message is displayed. Access Managers can only modify permissions that fall within their own granted scope. When an Access Manager modifies and assigns the **Artifact Promoter** permission to an existing user, for example, then that user will only have **Artifact Promoter** permission selected and displayed in the **Role** drop-down box, whereas the other permissions, **Config Approver** and **Deployment approver**, will not be displayed. 
-However, super-admin users have unrestricted access to all Devtron resources. They can create, modify, delete, and manage any resource, including user access, Git repositories, container registries, clusters, and environments. +However, [Super-Admin](#grant-super-admin-permission) users have unrestricted access to all Devtron resources. They can create, modify, delete, and manage any resource, including user access, Git repositories, container registries, clusters, and environments. | Role | View | Create | Edit | Delete | Build & Deploy | Approve Images | Approve Config Change | Approve Artifacts | Manage User Access | |-----------------------|:----:|:------:|:----:|:------:|:--------------:|:--------------:|:--------------:|:----------------:|:----------------:| From c5bc0c22463f177978d7e457bc817d3abac81d9a Mon Sep 17 00:00:00 2001 From: Bharathvaj Date: Fri, 6 Jun 2025 15:27:06 +0530 Subject: [PATCH 03/14] Rewrote a Couple of Sentences --- .../global-configurations/authorization/user-access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/global-configurations/authorization/user-access.md b/docs/user-guide/global-configurations/authorization/user-access.md index c5037b438..dc3f1fce8 100644 --- a/docs/user-guide/global-configurations/authorization/user-access.md +++ b/docs/user-guide/global-configurations/authorization/user-access.md 
@@ -166,7 +166,7 @@ An Access Manager cannot create other Access Managers or add new users. Creation {% endhint %} -If a [Super-Admin](#grant-super-admin-permission) enables the **Can manage access for all roles** toggle for a user, then that user can create new users, modify permissions of even existing [Super-Admin](#grant-super-admin-permission). However, he will still not be able to create a [Super-Admin](#grant-super-admin-permission). The **Can manage access for all roles** toggle is exclusively available to [Super-Admin](#grant-super-admin-permission) and is not visible to any other users. +If a [Super-Admin](#grant-super-admin-permission) enables the **Can manage access for all roles** toggle for a user, then that user can modify permissions of existing users and even [Super-Admins](#grant-super-admin-permission). However, he will still not be able to create a [Super-Admin](#grant-super-admin-permission) or new users. The **Can manage access for all roles** toggle is exclusively available to [Super-Admin](#grant-super-admin-permission) and is not visible to any other users. ![Figure 11: Can manage access for all roles Toggle](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/cmafar-highlighted.jpg) From 2970d485efaac4ef011075a8b576ce26568ad98b Mon Sep 17 00:00:00 2001 From: Bharathvaj Date: Sat, 7 Jun 2025 16:21:34 +0530 Subject: [PATCH 04/14] Added a GIF + Fixed Review Comments --- .../authorization/user-access.md | 48 +++++++++++-------- 1 file changed, 27 insertions(+), 21 deletions(-) diff --git a/docs/user-guide/global-configurations/authorization/user-access.md b/docs/user-guide/global-configurations/authorization/user-access.md index dc3f1fce8..196f83a3b 100644 --- a/docs/user-guide/global-configurations/authorization/user-access.md +++ b/docs/user-guide/global-configurations/authorization/user-access.md 
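Review bot: The PATCH 03 hunk at @@ -166,7 +166,7 @@ reverses a stated capability: the removed line says a user with **Can manage access for all roles** "can create new users", the added line says they cannot. The new wording agrees with the Important Note directly above it (creation of new users restricted to Super-Admins), so it is probably the correct one, but an inverted access-control claim should be confirmed against product behaviour and flagged in the commit message; "Rewrote a Couple of Sentences" does not signal a change of meaning.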
@@ -154,27 +154,29 @@ Only [Super-Admins](#grant-super-admin-permission) can create an **Access Manage **Access Manager** is an enterprise feature that allows you to manage user permissions on a granular level. As an Access Manager, you can assign or revoke permissions of existing users within your granted scope. -For example, when a [Super-Admin](#grant-super-admin-permission) creates an Access Manager and grants him **View only** access under **Base Role**, and **Admin**, **Config Approver** permissions under the **Access Manager** role, then the Access Manager will have **View only** access across Devtron and will not be able to perform any other operations. +For example, when a Super-Admin creates an Access Manager and grants him **View only** access under **Base Role**, and **Admin**, **Config Approver** permissions under the **Access Manager** role, then the Access Manager will have **View only** access across Devtron and will not be able to perform any other operations. -However, he will still be able to assign **View only** access, assign or revoke **Admin** and **Config Approver** permissions to other existing users. This is possible because the [Super-Admin](#grant-super-admin-permission) has explicitly granted those permissions under the **Access Manager** role when creating the Access Manager. +However, he will still be able to assign **View only** access, assign or revoke **Admin** and **Config Approver** permissions to other existing users. This is possible because the Super-Admin has explicitly granted those permissions under the **Access Manager** role when creating the Access Manager. {% hint style="warning" %} ### Important Note -An Access Manager cannot create other Access Managers or add new users. Creation of new users and Access Manager is restricted only to [Super-Admins](#grant-super-admin-permission). +An Access Manager cannot create other Access Managers or add new users. 
Creation of new users and Access Manager is restricted only to Super-Admins. {% endhint %} -If a [Super-Admin](#grant-super-admin-permission) enables the **Can manage access for all roles** toggle for a user, then that user can modify permissions of existing users and even [Super-Admins](#grant-super-admin-permission). However, he will still not be able to create a [Super-Admin](#grant-super-admin-permission) or new users. The **Can manage access for all roles** toggle is exclusively available to [Super-Admin](#grant-super-admin-permission) and is not visible to any other users. +If a Super-Admin enables the **Can manage access for all roles** toggle for a user, then that user can modify permissions of existing users and even Super-Admin. However, he will still not be able to create a Super-Admin or new users. The **Can manage access for all roles** toggle is exclusively available to Super-Admin and is not visible to any other users. -![Figure 11: Can manage access for all roles Toggle](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/cmafar-highlighted.jpg) +![Figure 11: 'Can manage access for all roles' Toggle](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/cmafar-highlighted.jpg) -Enabling this toggle, however, does not grant the user the ability to give another user the Access Manager role. When an Access Manager modifies permissions of an existing user, the **Access Manager** toggle in the **Role** drop-down box remains hidden. +Enabling this toggle, however, does not grant the user the ability to give another user the Access Manager role. For example, when a Super-Admin enables the **Can manage access for all roles** toggle for a user, then for that user, the **Access Manager** toggle will not be available in the **Role** drop-down box, thereby restricting the ability to create Access Managers to Super-Admin. 
![Figure 12: Access Manager is not Displayed](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/access-manager-not-displayed.jpg) -For a [Super-Admin](#grant-super-admin-permission), the **Access Manager** toggle is disabled by default. When you enable the **Access Manager** toggle from the **Role** drop-down but do not select any permissions, the system treats it as if the toggle were never enabled. In other words, enabling the toggle without assigning any permissions has no effect. Therefore, when enabling the **Access Manager** toggle, it is recommended to select at least one permission to ensure the role is active. +The **Access Manager** toggle in the **Role** drop-down box is disabled by default. + +When a Super-Admin creates a new user or edits the permissions of an existing user, if he enables the **Access Manager** toggle from the **Role** drop-down box but do not select any permissions, the system treats it as if the toggle were never enabled. In other words, enabling the toggle without assigning any permissions has no effect. Therefore, when enabling the **Access Manager** toggle, it is recommended to select at least one permission to ensure the role is active. The following permissions are currently available in the Access Manager role: 
@@ -190,11 +192,15 @@ The following permissions are currently available in the Access Manager role: The **Deployment approver** permission is not currently available within the **Access Manager** role. If you would like to see this permission included, we encourage you to raise a feature request on GitHub. -An Access Manager cannot modify [Super-Admin](#grant-super-admin-permission) permissions. If an Access Manager attempts to perform any action beyond their granted scope, the system will display an appropriate error message. For example, if an Access Manager has **View Only** access under the **Base Role**, and attempts to modify an existing user who currently has **Admin** access, the Access Manager can downgrade the user’s access to **View only**. But, he will not be able to reassign **Admin** access afterward, as he himself do not hold that permission and an appropriate error message is displayed. Access Managers can only modify permissions that fall within their own granted scope. +An Access Manager cannot modify Super-Admin permissions. If an Access Manager attempts to perform any action beyond their granted scope, the system will display an appropriate error message. For example, when modifying the permissions of an existing user, if the Access Manager only has the **View only** permission, but attempt to assign **Build and Deploy** permission to the existing user, an error message is displayed. + +![Figure 13: Not Authorized Error](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/not-authorized.gif) + +Similarly, if an Access Manager has **View Only** access, but attempts to modify an existing user who currently has **Admin** access, the Access Manager can downgrade the user’s access to **View only**. But, he will not be able to reassign **Admin** access afterward, as he himself do not hold that permission and an appropriate error message is displayed. 
Access Managers can only modify permissions that fall within their own granted scope. When an Access Manager modifies and assigns the **Artifact Promoter** permission to an existing user, for example, then that user will only have **Artifact Promoter** permission selected and displayed in the **Role** drop-down box, whereas the other permissions, **Config Approver** and **Deployment approver**, will not be displayed. -However, [Super-Admin](#grant-super-admin-permission) users have unrestricted access to all Devtron resources. They can create, modify, delete, and manage any resource, including user access, Git repositories, container registries, clusters, and environments. +However, Super-Admin users have unrestricted access to all Devtron resources. They can create, modify, delete, and manage any resource, including user access, Git repositories, container registries, clusters, and environments. | Role | View | Create | Edit | Delete | Build & Deploy | Approve Images | Approve Config Change | Approve Artifacts | Manage User Access | |-----------------------|:----:|:------:|:----:|:------:|:--------------:|:--------------:|:--------------:|:----------------:|:----------------:| @@ -212,7 +218,7 @@ However, [Super-Admin](#grant-super-admin-permission) users have unrestricted ac Here you can grant your user the permissions for Helm apps deployed from Devtron or outside Devtron. -![Figure 13: Granting Helm Apps Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/helm-apps-perm.jpg) +![Figure 14: Granting Helm Apps Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/helm-apps-perm.jpg) | Field | Description | | --- | --- | 
@@ -241,7 +247,7 @@ There are three role-based access levels for Helm Apps: Here you can grant your user the permissions to access the jobs created in Devtron. -![Figure 14: Granting Jobs Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/jobs-perm.jpg) +![Figure 15: Granting Jobs Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/jobs-perm.jpg) | Field | Description | | --- | --- | @@ -280,10 +286,10 @@ Here you can provide permission to view, inspect, manage, and delete resources i To grant Kubernetes resource permission, click **Add permission**. -![Figure 15a: Adding Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm1.jpg) +![Figure 16a: Adding Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm1.jpg) -![Figure 15b: Granting Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm2.jpg) +![Figure 16b: Granting Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm2.jpg) | Field | Description | | --- | --- | 
@@ -317,7 +323,7 @@ The 'Chart Groups' tab will be available only if the [CI/CD module](../../integr Here you can grant your user the permissions for accessing Chart Groups. Note that you can only give users the permission to either create chart groups or edit them, but not both. -![Figure 16: Granting Chart Group Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/chart-group-perm.jpg) +![Figure 17: Granting Chart Group Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/chart-group-perm.jpg) | Action | Permissions | | :--- | :--- | @@ -350,7 +356,7 @@ Here you can grant your user the permissions for accessing Chart Groups. Note th When working with multiple collaborators in Devtron, you may need to deactivate users who no longer require access and reactivate them when needed. This applies to users of Devtron Apps, Helm Apps, Jobs, and Kubernetes Resources. -![Figure 17: Active/Inactive Options](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/active-inactive-levels.jpg) +![Figure 18: Active/Inactive Options](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/active-inactive-levels.jpg) You can manage a user's active status at three levels: * [User-level](#at-user-level) 
@@ -360,7 +366,7 @@ You can manage a user's active status at three levels: ### At User level -![Figure 18: Active/Inactive User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/user-level-activation.jpg) +![Figure 19: Active/Inactive User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/user-level-activation.jpg) * **Active/Activate** - Use this option to activate a deactivated user while retaining their previous roles and permissions. * **Inactive/Inactivate** - Use this option to deactivate an existing active user and save the changes. If the user has an ongoing session, they will be logged out permanently on their next action or refresh. @@ -368,7 +374,7 @@ You can manage a user's active status at three levels: ### At Permission Group level -![Figure 19: Active/Inactive User from Permission Group](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/group-level-activation.jpg) +![Figure 20: Active/Inactive User from Permission Group](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/group-level-activation.jpg) * **Active/Activate** - Use this option to allow permissions from the group to take effect for the user. * **Inactive/Inactivate** - Use this option to prevent permissions from the group from taking effect for the user. However, they can still log in/log out of Devtron if [active at the user-level](#at-user-level). 
@@ -376,7 +382,7 @@ You can manage a user's active status at three levels: ### At Direct Permissions level -![Figure 20: Active/Inactive User for Project Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/permission-level-activation.jpg) +![Figure 21: Active/Inactive User for Project Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/permission-level-activation.jpg) * **Active/Activate** - Use this option to grant the project/resource access to the user. * **Inactive/Inactivate** - Use this option to revoke the project/resource access from the user. **Note**: The user will still be able to log in/log out of Devtron if [active at user-level](#at-user-level). @@ -399,7 +405,7 @@ Direct user permissions cannot be edited if you're using [LDAP](./sso/ldap.md)/[ You can edit the user permissions by clicking the edit icon. Click **Save** after editing the permissions. -![Figure 21: Editing User Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/edit-permissions.gif) +![Figure 22: Editing User Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/edit-permissions.gif) --- @@ -414,7 +420,7 @@ You may download the user data of current users and deleted users in a CSV forma * Role * Timestamps for User Addition, Updation, and Deletion -![Figure 22: Exporting User Data](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/export-users-csv-v2.gif) +![Figure 23: Exporting User Data](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/export-users-csv-v2.gif) --- 
@@ -428,6 +434,6 @@ You may download the user data of current users and deleted users in a CSV forma If you want to delete a user, click **Delete**. -![Figure 23: Deleting a User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/delete-user.jpg) +![Figure 24: Deleting a User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/delete-user.jpg) This will remove the user from the system along with all the permissions granted earlier. The user will no longer be able to log in to Devtron unless added again. \ No newline at end of file From f55515c5e4ee8fcfcd000a95dd8e6f38c9995c29 Mon Sep 17 00:00:00 2001 From: Bharathvaj Date: Mon, 9 Jun 2025 09:13:27 +0530 Subject: [PATCH 05/14] Fixed Review Comments --- .../authorization/user-access.md | 44 ++++++++++++++----- 1 file changed, 32 insertions(+), 12 deletions(-) diff --git a/docs/user-guide/global-configurations/authorization/user-access.md b/docs/user-guide/global-configurations/authorization/user-access.md index 196f83a3b..3e0282061 100644 --- a/docs/user-guide/global-configurations/authorization/user-access.md +++ b/docs/user-guide/global-configurations/authorization/user-access.md 
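Review bot: In PATCH 04/14, hunk @@ -154,27, every `[Super-Admin](#grant-super-admin-permission)` cross-reference is replaced with plain text, so the section that defines the Super-Admin role is no longer reachable from this passage; keep at least the first mention in each paragraph linked. In the same hunk the added sentence "if he enables the **Access Manager** toggle from the **Role** drop-down box but do not select any permissions" needs "but does not select"; since the subject is the Super-Admin, "if the Super-Admin enables ... but does not select" reads better and drops the pronoun.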
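Review bot: In PATCH 04/14, hunk @@ -190,11, the downgrade example describes a one-way change (an Access Manager with only **View only** can remove **Admin** from a user but cannot restore it) without saying so; add a sentence such as "Once removed, the Admin permission can only be re-granted by a Super-Admin or by an Access Manager who holds Admin in their Access Manager scope," so readers treat the behaviour as the intended scope limit rather than a defect. Two grammar fixes in the same hunk: "but attempt to assign **Build and Deploy** permission" should read "but attempts to assign", and "as he himself do not hold that permission" should read "as they do not hold that permission".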
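Review bot: In PATCH 04/14, hunk @@ -428,6, both sides of the diff still end with "\ No newline at end of file"; since this hunk already touches the last line of the file, add the trailing newline now so the final line stops showing up as changed in every later renumbering patch.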
@@ -130,7 +130,7 @@ The role-based access for Devtron Apps are as follows: * **Additional Roles** [![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/elements/EnterpriseTag.svg)](https://devtron.ai/pricing) - **Additional Roles** is an enterprise feature that allows you to assign specific permissions to a user beyond their **Base Role**. For example, you can grant a user both the **Build and Deploy** (Base Role) and **Config Approver** permissions (Additional Role). This allows the user to build and deploy images, while also being responsible for approving configuration change requests. + **Additional Roles** allows you to assign specific permissions to a user beyond their **Base Role**. For example, you can grant a user both the **Build and Deploy** (Base Role) and **Config Approver** permissions (Additional Role). This allows the user to build and deploy images, while also being responsible for approving configuration change requests. The following permissions are currently available in **Additional Roles**: 
@@ -152,11 +152,11 @@ Only [Super-Admins](#grant-super-admin-permission) can create an **Access Manage ![Figure 10: Access Manager](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/access-manager-highlighted.jpg) -**Access Manager** is an enterprise feature that allows you to manage user permissions on a granular level. As an Access Manager, you can assign or revoke permissions of existing users within your granted scope. +**Access Manager** allows you to manage user permissions on a granular level. As an Access Manager, you can assign or revoke permissions of existing users within your granted scope. -For example, when a Super-Admin creates an Access Manager and grants him **View only** access under **Base Role**, and **Admin**, **Config Approver** permissions under the **Access Manager** role, then the Access Manager will have **View only** access across Devtron and will not be able to perform any other operations. +For example, when you create an Access Manager and grant him **View only** access under **Base Role**, and **Admin**, **Config Approver** permissions under the **Access Manager** role, then the Access Manager will have **View only** access across Devtron and will not be able to perform any other operations. -However, he will still be able to assign **View only** access, assign or revoke **Admin** and **Config Approver** permissions to other existing users. This is possible because the Super-Admin has explicitly granted those permissions under the **Access Manager** role when creating the Access Manager. +However, he will still be able to assign **View only** access, and assign or revoke **Admin** and **Config Approver** permissions to other existing users. This is possible because you have explicitly granted those permissions under the **Access Manager** role when creating the Access Manager. {% hint style="warning" %} 
@@ -166,29 +166,43 @@ An Access Manager cannot create other Access Managers or add new users. Creation {% endhint %} -If a Super-Admin enables the **Can manage access for all roles** toggle for a user, then that user can modify permissions of existing users and even Super-Admin. However, he will still not be able to create a Super-Admin or new users. The **Can manage access for all roles** toggle is exclusively available to Super-Admin and is not visible to any other users. +If you enable the **Can manage access for all roles** toggle for a user, then that user can modify permissions of existing users and even Super-Admin. However, he will still not be able to create a Super-Admin or a new user. The **Can manage access for all roles** toggle is exclusively available to Super-Admins and is not visible to any other users. ![Figure 11: 'Can manage access for all roles' Toggle](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/cmafar-highlighted.jpg) -Enabling this toggle, however, does not grant the user the ability to give another user the Access Manager role. For example, when a Super-Admin enables the **Can manage access for all roles** toggle for a user, then for that user, the **Access Manager** toggle will not be available in the **Role** drop-down box, thereby restricting the ability to create Access Managers to Super-Admin. +{% hint style="info" %} + +### Note + +Even if you enable the **Can manage access for all roles** toggle for a user, that user will not be able to further make another user an Access Manager. + +{% endhint %} ![Figure 12: Access Manager is not Displayed](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/access-manager-not-displayed.jpg) The **Access Manager** toggle in the **Role** drop-down box is disabled by default. 
-When a Super-Admin creates a new user or edits the permissions of an existing user, if he enables the **Access Manager** toggle from the **Role** drop-down box but do not select any permissions, the system treats it as if the toggle were never enabled. In other words, enabling the toggle without assigning any permissions has no effect. Therefore, when enabling the **Access Manager** toggle, it is recommended to select at least one permission to ensure the role is active. +When enabling the **Access Manager** toggle, make sure to select at least one permission from the checkboxes of permissions displayed beneath the toggle. + +{% hint style="info" %} + +### Note + +When you create a new user or edit the permissions of an existing user, if you enable the **Access Manager** toggle from the **Role** drop-down box but do not select any permissions, the system treats it as if the toggle were never enabled. In other words, enabling the toggle without assigning any permissions has no effect. Therefore, when enabling the **Access Manager** toggle, it is recommended to select at least one permission to ensure the role is active. + +{% endhint %} The following permissions are currently available in the Access Manager role: -* **View only**: When selected, this permission allows you to grant or revoke View Only access to other users. +* **View only**: When selected, this permission allows the Access Manager to grant or revoke View Only access to other users. -* **Build and Deploy**: When selected, this permission allows you to grant or revoke Build and Deploy access to other users. +* **Build and Deploy**: When selected, this permission allows the Access Manager to grant or revoke Build and Deploy access to other users. -* **Admin**: When selected, this permission allows you to grant or revoke Admin access to other users. +* **Admin**: When selected, this permission allows the Access Manager to grant or revoke Admin access to other users. 
-* **Config Approver**: When selected, this permission allows you to grant or revoke Config Approver access to other users. +* **Config Approver**: When selected, this permission allows the Access Manager to grant or revoke Config Approver access to other users. -* **Artifact promoter**: When selected, this permission allows you to grant or revoke Artifact promoter access to other users. +* **Artifact promoter**: When selected, this permission allows the Access Manager to grant or revoke Artifact promoter access to other users. The **Deployment approver** permission is not currently available within the **Access Manager** role. If you would like to see this permission included, we encourage you to raise a feature request on GitHub. 
@@ -198,8 +212,14 @@ An Access Manager cannot modify Super-Admin permissions. If an Access Manager at Similarly, if an Access Manager has **View Only** access, but attempts to modify an existing user who currently has **Admin** access, the Access Manager can downgrade the user’s access to **View only**. But, he will not be able to reassign **Admin** access afterward, as he himself do not hold that permission and an appropriate error message is displayed. Access Managers can only modify permissions that fall within their own granted scope. +{% hint style="info" %} + +### Note + When an Access Manager modifies and assigns the **Artifact Promoter** permission to an existing user, for example, then that user will only have **Artifact Promoter** permission selected and displayed in the **Role** drop-down box, whereas the other permissions, **Config Approver** and **Deployment approver**, will not be displayed. +{% endhint %} + However, Super-Admin users have unrestricted access to all Devtron resources. They can create, modify, delete, and manage any resource, including user access, Git repositories, container registries, clusters, and environments. | Role | View | Create | Edit | Delete | Build & Deploy | Approve Images | Approve Config Change | Approve Artifacts | Manage User Access | From 50e654451c0316b35b46d017da3f49a1d063f6d7 Mon Sep 17 00:00:00 2001 From: Bharathvaj Date: Mon, 9 Jun 2025 14:51:02 +0530 Subject: [PATCH 06/14] Added CMAFAR Section --- .../authorization/user-access.md | 69 ++++++++++--------- 1 file changed, 37 insertions(+), 32 deletions(-) diff --git a/docs/user-guide/global-configurations/authorization/user-access.md b/docs/user-guide/global-configurations/authorization/user-access.md index 3e0282061..d26bac365 100644 --- a/docs/user-guide/global-configurations/authorization/user-access.md +++ b/docs/user-guide/global-configurations/authorization/user-access.md 
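Review bot: In PATCH 05/14, hunk @@ -166,29, the replaced sentence carried the observable behaviour that Figure 12 ("Access Manager is not Displayed") illustrates, namely that for a user with the toggle enabled "the **Access Manager** toggle will not be available in the **Role** drop-down box"; the new info note only states the restriction, leaving the figure without text that explains what it shows. Keep that detail in the note, for example: "... will not be able to make another user an Access Manager; the **Access Manager** toggle is not shown in their **Role** drop-down box (see Figure 12)."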
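Review bot: In PATCH 05/14, hunk @@ -198,8, the note moved into the hint block says that when an Access Manager edits a user, permissions outside the Access Manager's scope (**Config Approver**, **Deployment approver**) "will not be displayed", but it does not say what happens to those permissions when the Access Manager saves. State explicitly that the target user's existing out-of-scope permissions are preserved on save (or, if they are not, say so), because a hidden permission silently dropped on save would be a privilege change the Access Manager is not authorized to make.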
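Review bot: In PATCH 05/14, hunk @@ -152,11, "when you create an Access Manager and grant him **View only** access" reintroduces a gendered pronoun that the rest of the rewrite removes; use "and grant that user **View only** access" (the later "he will still be able to assign" in the same hunk has the same issue and should become "the Access Manager will still be able to assign").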
@@ -126,7 +126,7 @@ The role-based access for Devtron Apps are as follows: * **Admin**: Users can create, edit, deploy, and delete permitted applications in permitted projects. -* **Manager**: In addition to **Admin** permission, users can also grant or revoke user access for applications and environments that they manage. +* **Manager**: In addition to **Admin** permission, users can also grant or revoke user access for applications and environments that they manage. The **Manager** role for enterprise users will be deprecated and removed soon. Therefore, we recommend using the **Access Manager** role instead of **Manager** going forward. * **Additional Roles** [![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/elements/EnterpriseTag.svg)](https://devtron.ai/pricing) 
@@ -134,11 +134,11 @@ The role-based access for Devtron Apps are as follows: The following permissions are currently available in **Additional Roles**: - * **Config Approver**: You can approve configuration change requests for [Deployment Templates](../../creating-application/deployment-template.md), [ConfigMaps](../../creating-application/config-maps.md), and [Secrets](../../creating-application/secrets.md). However, you cannot self-approve your own proposed changes, even if you have the **Config Approver** permission or even the Super Admin access. + * **Artifact Promoter**: You can approve the promotion of [artifacts](../../../reference/glossary.md#artifacts) directly to the target CD pipeline. For example, if your application workflow includes three CD pipelines (e.g., dev, qa, and prod) and someone raises a request to bypass dev and qa and deploy the artifact directly to prod, you can approve and perform this action with the **Artifact promoter** permission. - * **Artifact promoter**: You can approve the promotion of [artifacts](../../../reference/glossary.md#artifacts) directly to the target CD pipeline. For example, if your application workflow includes three CD pipelines (e.g., dev, qa, and prod) and someone raises a request to bypass dev and qa and deploy the artifact directly to prod, you can approve and perform this action with the **Artifact promoter** permission. + * **Config Approver**: You can approve configuration change requests for [Deployment Templates](../../creating-application/deployment-template.md), [ConfigMaps](../../creating-application/config-maps.md), and [Secrets](../../creating-application/secrets.md). However, you cannot self-approve your own proposed changes, even if you have the **Config Approver** permission or even the Super Admin access. - * **Deployment approver**: You can approve the image deployment requests. + * **Deployment Approver**: You can approve the deployment requests for the selected applications and environments. 
**Access Manager** [![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/elements/EnterpriseTag.svg)](https://devtron.ai/pricing) 
@@ -146,17 +146,17 @@ The role-based access for Devtron Apps are as follows: ### Who Can Perform This Action? -Only [Super-Admins](#grant-super-admin-permission) can create an **Access Manager** role. +Only [Super-Admins](#grant-super-admin-permission) can grant an **Access Manager** role. {% endhint %} ![Figure 10: Access Manager](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/access-manager-highlighted.jpg) -**Access Manager** allows you to manage user permissions on a granular level. As an Access Manager, you can assign or revoke permissions of existing users within your granted scope. +**Access Manager** allows you to manage user permissions on a granular level. The user to whom you have granted the Access Manager role can assign or revoke permissions of existing users within their granted scope. -For example, when you create an Access Manager and grant him **View only** access under **Base Role**, and **Admin**, **Config Approver** permissions under the **Access Manager** role, then the Access Manager will have **View only** access across Devtron and will not be able to perform any other operations. +For example, when you create an Access Manager with **View only** access under **Base Role**, and **Admin**, **Config Approver** permissions under the **Access Manager** role, then the Access Manager will have **View only** access across Devtron and will not be able to perform any other operations. -However, he will still be able to assign **View only** access, and assign or revoke **Admin** and **Config Approver** permissions to other existing users. This is possible because you have explicitly granted those permissions under the **Access Manager** role when creating the Access Manager. +However, the Access Manager will still be able to assign **View only** access, and assign or revoke **Admin** and **Config Approver** permissions to other existing users. 
This is possible because you have granted those permissions under the **Access Manager** role when creating the Access Manager. {% hint style="warning" %} @@ -166,7 +166,7 @@ An Access Manager cannot create other Access Managers or add new users. Creation {% endhint %} -If you enable the **Can manage access for all roles** toggle for a user, then that user can modify permissions of existing users and even Super-Admin. However, he will still not be able to create a Super-Admin or a new user. The **Can manage access for all roles** toggle is exclusively available to Super-Admins and is not visible to any other users. +If you enable the **Can manage access for all roles** toggle for a user, then that user can modify permissions of existing users and even Super-Admin. However, the user will still not be able to create a Super-Admin or a new user. The [Can manage access for all roles](#can-manage-access-for-all-roles-toggle) toggle is exclusively available to Super-Admin and is not visible to any other users. ![Figure 11: 'Can manage access for all roles' Toggle](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/cmafar-highlighted.jpg) @@ -174,7 +174,7 @@ If you enable the **Can manage access for all roles** toggle for a user, then th ### Note -Even if you enable the **Can manage access for all roles** toggle for a user, that user will not be able to further make another user an Access Manager. +Even if you enable the [Can manage access for all roles toggle](#can-manage-access-for-all-roles-toggle) for a user, that user will not be able to further make another user an Access Manager. {% endhint %} 
@@ -182,15 +182,7 @@ Even if you enable the **Can manage access for all roles** toggle for a user, th The **Access Manager** toggle in the **Role** drop-down box is disabled by default. -When enabling the **Access Manager** toggle, make sure to select at least one permission from the checkboxes of permissions displayed beneath the toggle. - -{% hint style="info" %} - -### Note - -When you create a new user or edit the permissions of an existing user, if you enable the **Access Manager** toggle from the **Role** drop-down box but do not select any permissions, the system treats it as if the toggle were never enabled. In other words, enabling the toggle without assigning any permissions has no effect. Therefore, when enabling the **Access Manager** toggle, it is recommended to select at least one permission to ensure the role is active. - -{% endhint %} +When enabling the **Access Manager** toggle, make sure to select at least one permission from the checkboxes displayed beneath the toggle to ensure the role is active. The following permissions are currently available in the Access Manager role: 
@@ -204,19 +196,19 @@ The following permissions are currently available in the Access Manager role: * **Artifact promoter**: When selected, this permission allows the Access Manager to grant or revoke Artifact promoter access to other users. -The **Deployment approver** permission is not currently available within the **Access Manager** role. If you would like to see this permission included, we encourage you to raise a feature request on GitHub. +The **Deployment approver** permission is not currently available within the **Access Manager** role. If you would like to see this permission included, we encourage you to [raise a feature request on GitHub](https://github.com/devtron-labs/devtron/issues). An Access Manager cannot modify Super-Admin permissions. If an Access Manager attempts to perform any action beyond their granted scope, the system will display an appropriate error message. For example, when modifying the permissions of an existing user, if the Access Manager only has the **View only** permission, but attempt to assign **Build and Deploy** permission to the existing user, an error message is displayed. ![Figure 13: Not Authorized Error](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/not-authorized.gif) -Similarly, if an Access Manager has **View Only** access, but attempts to modify an existing user who currently has **Admin** access, the Access Manager can downgrade the user’s access to **View only**. But, he will not be able to reassign **Admin** access afterward, as he himself do not hold that permission and an appropriate error message is displayed. Access Managers can only modify permissions that fall within their own granted scope. +Similarly, if an Access Manager has **View only** access and attempts to modify an existing user who currently has **Admin** access, the Access Manager can downgrade the user's access to **View only**. 
However, the Access Manager cannot reassign **Admin** access afterward, as they do not hold that permission, and an appropriate error message is displayed. Access Managers can only modify permissions that fall within their own granted scope. {% hint style="info" %} ### Note -When an Access Manager modifies and assigns the **Artifact Promoter** permission to an existing user, for example, then that user will only have **Artifact Promoter** permission selected and displayed in the **Role** drop-down box, whereas the other permissions, **Config Approver** and **Deployment approver**, will not be displayed. +When an Access Manager modifies and assigns the **Artifact Promoter** permission to an existing user, for example, then that user will only have **Artifact Promoter** permission selected and displayed in the **Role** drop-down box. The other permissions, **Config Approver** and **Deployment approver**, will not be displayed. {% endhint %} @@ -228,12 +220,12 @@ However, Super-Admin users have unrestricted access to all Devtron resources. Th | **Build and Deploy** | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | | **Admin** | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | | **Manager** | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | -| **Deployment Approver** | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | -| **Configuration Approver** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | | **Artifact Promoter** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | +| **Configuration Approver** | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | +| **Deployment Approver** | ✅ | ❌ | ❌ | ❌ | ❌ | ✅ | ❌ | ❌ | ❌ | +| **Access Manager** | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | | **Super Admin** | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | - ### Helm Apps permissions Here you can grant your user the permissions for Helm apps deployed from Devtron or outside Devtron. 
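Review bot: The unchanged context line in the same paragraph still reads "if the Access Manager only has the **View only** permission, but attempt to assign"; since this hunk already fixes the grammar of the neighbouring sentence ("he himself do not hold"), change "attempt" to "attempts" here as well so the paragraph is consistent.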
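Review bot: In the roles table, the new **Access Manager** row puts a ✅ under "Manage User Access" that reads identically to the **Manager** row, but the text above this table says an Access Manager can only assign or revoke permissions "within their own granted scope" (the checkboxes selected under the toggle), and Access Manager is a toggle layered on a base role rather than a base role itself. Suggest a footnote on that cell (e.g. "limited to the permissions selected under the Access Manager role") so the row is not read as an unscoped Manager equivalent. The hunk also reorders the **Deployment Approver** and **Configuration Approver** rows below **Artifact Promoter** with no reason given in the commit message; either state the intent (matching the order of the Access Manager checkboxes) or leave the order alone to keep the diff minimal.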
@@ -364,6 +356,19 @@ Here you can grant your user the permissions for accessing Chart Groups. Note th | **Edit** | ✅ | ❌ | ❌ | None/Specific Groups | ❌ | | **Super Admin** | ✅ | ✅ | ✅ | ✅ | ✅ | +### Can Manage Access For All Roles Toggle + +{% hint style="warning" %} +### Who Can Perform This Action? +Only a [Super Admin](#grant-super-admin-permission) can enable the **Can manage access for all roles** toggle for other users. This toggle is available only to Super-Admin and not to other users. +{% endhint %} + +![Figure 18: 'Can manage access for all roles' Toggle](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/cmafar-highlighted.jpg) + +The **Can manage access for all roles** toggle allows you to grant a user the permission to manage access for all roles across Devtron apps, Helm Apps, Jobs, Kubernetes Resources, and Chart Groups. + +When you enable this toggle for a user, they can then manage access for all roles of existing users. However, they cannot create new users. By default, the **Can manage access for all roles** toggle is disabled. + --- ## Making Users Active/Inactive [![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/elements/EnterpriseTag.svg)](https://devtron.ai/pricing) 
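Review bot: The new "Can Manage Access For All Roles Toggle" section says the toggle holder "can then manage access for all roles of existing users" but omits the two consequences the Access Manager section already states for this toggle: the holder can modify the permissions of Super-Admins too, and still cannot create a Super-Admin or a new user. Since this is the most privileged non-super-admin grant on the page, both should be stated where the toggle is introduced. Also, the hint block here has no blank lines around "### Who Can Perform This Action?" while the other hint blocks touched in this patch add them; apply the same formatting.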
@@ -376,7 +381,7 @@ Here you can grant your user the permissions for accessing Chart Groups. Note th When working with multiple collaborators in Devtron, you may need to deactivate users who no longer require access and reactivate them when needed. This applies to users of Devtron Apps, Helm Apps, Jobs, and Kubernetes Resources. -![Figure 18: Active/Inactive Options](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/active-inactive-levels.jpg) +![Figure 19: Active/Inactive Options](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/active-inactive-levels.jpg) You can manage a user's active status at three levels: * [User-level](#at-user-level) @@ -386,7 +391,7 @@ You can manage a user's active status at three levels: ### At User level -![Figure 19: Active/Inactive User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/user-level-activation.jpg) +![Figure 20: Active/Inactive User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/user-level-activation.jpg) * **Active/Activate** - Use this option to activate a deactivated user while retaining their previous roles and permissions. * **Inactive/Inactivate** - Use this option to deactivate an existing active user and save the changes. If the user has an ongoing session, they will be logged out permanently on their next action or refresh. 
@@ -394,7 +399,7 @@ You can manage a user's active status at three levels: ### At Permission Group level -![Figure 20: Active/Inactive User from Permission Group](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/group-level-activation.jpg) +![Figure 21: Active/Inactive User from Permission Group](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/group-level-activation.jpg) * **Active/Activate** - Use this option to allow permissions from the group to take effect for the user. * **Inactive/Inactivate** - Use this option to prevent permissions from the group from taking effect for the user. However, they can still log in/log out of Devtron if [active at the user-level](#at-user-level). @@ -402,7 +407,7 @@ You can manage a user's active status at three levels: ### At Direct Permissions level -![Figure 21: Active/Inactive User for Project Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/permission-level-activation.jpg) +![Figure 22: Active/Inactive User for Project Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/permission-level-activation.jpg) * **Active/Activate** - Use this option to grant the project/resource access to the user. * **Inactive/Inactivate** - Use this option to revoke the project/resource access from the user. **Note**: The user will still be able to log in/log out of Devtron if [active at user-level](#at-user-level). 
@@ -425,7 +430,7 @@ Direct user permissions cannot be edited if you're using [LDAP](./sso/ldap.md)/[ You can edit the user permissions by clicking the edit icon. Click **Save** after editing the permissions. -![Figure 22: Editing User Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/edit-permissions.gif) +![Figure 23: Editing User Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/edit-permissions.gif) --- @@ -440,7 +445,7 @@ You may download the user data of current users and deleted users in a CSV forma * Role * Timestamps for User Addition, Updation, and Deletion -![Figure 23: Exporting User Data](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/export-users-csv-v2.gif) +![Figure 24: Exporting User Data](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/export-users-csv-v2.gif) --- @@ -454,6 +459,6 @@ You may download the user data of current users and deleted users in a CSV forma If you want to delete a user, click **Delete**. -![Figure 24: Deleting a User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/delete-user.jpg) +![Figure 25: Deleting a User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/delete-user.jpg) This will remove the user from the system along with all the permissions granted earlier. The user will no longer be able to log in to Devtron unless added again. \ No newline at end of file From 6468de3d69d697362bc754caa13b3ebf87e4dd90 Mon Sep 17 00:00:00 2001 From: Bharathvaj Date: Wed, 18 Jun 2025 17:29:20 +0530 Subject: [PATCH 07/14] Fixed Review Comments + Restructured TOC --- .../authorization/user-access.md | 140 +++++++++--------- 1 file changed, 74 insertions(+), 66 deletions(-) 
diff --git a/docs/user-guide/global-configurations/authorization/user-access.md b/docs/user-guide/global-configurations/authorization/user-access.md index d26bac365..24774d00f 100644 --- a/docs/user-guide/global-configurations/authorization/user-access.md +++ b/docs/user-guide/global-configurations/authorization/user-access.md @@ -49,13 +49,16 @@ Only managers and super-admins can add users. ## Grant Super Admin Permission {% hint style="warning" %} + ### Who Can Perform This Action? + Only existing super-admins can assign super-admin permissions to another user. + {% endhint %} ![Figure 7: Granting Superadmin Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/superadmin-perm.jpg) -Before assigning this permission, please note the following: +Super-Admins have unrestricted access to all Devtron resources. They can create, modify, delete, and manage any resource, including user access, Git repositories, container registries, clusters, and environments. Before assigning this permission, please note: * Selecting this option will grant the user full access to all the resources. 
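Review bot: The added sentence "Super-Admins have unrestricted access to all Devtron resources ... Before assigning this permission, please note:" is immediately followed by the unchanged bullet "Selecting this option will grant the user full access to all the resources.", which says the same thing. Drop the bullet or fold the resource list (user access, Git repositories, container registries, clusters, environments) into it so the warning is not stated twice.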
@@ -68,28 +71,65 @@ Before assigning this permission, please note the following: ## Grant Specific Permissions {% hint style="warning" %} + ### Who Can Perform This Action? + Only managers and super-admins can assign specific permissions to a user. + {% endhint %} -![Figure 8: Granting Specific Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/specific-perm.jpg) +![Figure 8: Granting Specific Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/specific-permissions.jpg) + +### Permission Groups + +**Permission Groups** allows you select a group with a predefined set of user permissions, so that the users belonging to the group automatically inherits those permissions. This reduces the need to repeatedly grant permissions each time a user is added. -Upon selecting this option, you get two additional sections: +The **Permission Groups** drop-down box allows you to select from a list of permission groups already created in the [Permission Groups](../authorization/permission-groups.md) page. -| **Section** | **Description** | -|-----------------------|------------------------------| -| **Permission Groups**
| (*Recommended*, [see snapshot](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/assign-permission-groups.gif)) Use the dropdown to assign the user to a [permission group](./permission-groups.md). Your user will automatically inherit all the permissions to the projects/resources defined for that group. You may select more than one permission group too. Once you select a permission group, assigning direct permissions can be skipped (unless you wish to grant additional permissions).

You may also [make users Active/Inactive](#at-permission-group-level) at permission group-level.

**We recommend using permission groups over direct permissions for easier management of user access**. | -| **Direct Permissions**| This option allows you to grant your user the access to:
  • [Devtron Apps](#devtron-apps-permissions)
  • [Helm Apps](#helm-apps-permissions)
  • [Jobs](#jobs-permissions)
  • [Kubernetes Resources](#kubernetes-resources-permissions)
  • [Chart Groups](#chart-groups-permissions)
| +![Figure 9: Permission Groups](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/assign-permission-groups.gif) + +You can select one or more permission groups, and the user will automatically inherit all the permissions to the projects and resources defined for those groups. Once you select permission group(s), assigning specific permissions can be skipped (unless you wish to grant additional permissions). + +You can also make users [Active/Inactive](#making-users-activeinactive) at permission group-level. {% hint style="info" %} -### What happens when a user has direct permissions as well as permissions inherited from a group? -If you assign a permission group as well as direct permissions, the user will have the combined permissions of both. + +### What happens when a user has specific permissions as well as permissions inherited from a group? + +If you assign a permission group as well as specific permissions, the user will have the combined permissions of both. **For example**: -* A user is granted ‘Build & Deploy’ access to three apps via direct permissions. -* The same user is part of a group that has ‘View only’ access to five apps (including those three apps). -* Now, the user will have both ‘Build & Deploy’ and ‘View only’ permissions for those three apps, and just ‘View only’ for the other two. +* A user is granted **Build & Deploy** access to three apps via specific permissions. + +* The same user is part of a group that has **View only** access to five apps (including those three apps). + +* Now, the user will have both **Build & Deploy** and **View only** permissions for those three apps, and just **View only** for the other two. + +{% endhint %} + +### Can Manage Access For All Roles Toggle + +{% hint style="warning" %} + +### Who Can Perform This Action? + +Only a [Super Admin](#grant-super-admin-permission) can enable the **Can manage access for all roles** toggle for other users. 
This toggle is available only to Super-Admins. + +{% endhint %} + +![Figure 10: 'Can manage access for all roles' Toggle](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/cmafar-highlighted.jpg) + +The **Can manage access for all roles** toggle allows you to grant a user the permission to manage access for all roles across Devtron apps, Helm Apps, Jobs, Kubernetes Resources, and Chart Groups. However, they cannot create new users. + +By default, the **Can manage access for all roles** toggle is disabled. + +{% hint style="warning" %} + +### Important Note + +If you enable the **Can manage access for all roles** toggle for a user, then that user can modify permissions of all the users including super-admins. + {% endhint %} ### Devtron Apps permissions @@ -104,7 +144,7 @@ The **Devtron Apps** tab is displayed only when the [Build and Deploy (CI/CD)](. The **Devtron Apps** tab allows you to grant user permissions for Devtron applications. -![Figure 9: Granting Devtron Apps Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/devtron-apps-perm.jpg) +![Figure 11: Granting Devtron Apps Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/devtron-apps-perm.jpg) | Field | Description | | --- | --- | 
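Review bot: Deleting the two-row table removes the **Direct Permissions** row, which was the only place listing the five permission tabs (Devtron Apps, Helm Apps, Jobs, Kubernetes Resources, Chart Groups) with links, and nothing in the hunk replaces it; keep a short linked list before "### Devtron Apps permissions" so readers still get the overview. The hunk also renames "direct permissions" to "specific permissions" in the hint, while the rest of the file still says "Direct user permissions cannot be edited" and "At Direct Permissions level"; pick one term for the whole file. Grammar in the new Permission Groups paragraph: "allows you select a group" should be "allows you to select a group", and "the users belonging to the group automatically inherits" should be "inherit". The "Who Can Perform This Action?" hint states the Super-Admin restriction twice in consecutive sentences; one is enough. Finally, the "Important Note" says the toggle holder can modify super-admins' permissions but drops the companion statement from the text being removed later in this patch that they still cannot create a Super-Admin; add it here.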
@@ -150,13 +190,9 @@ Only [Super-Admins](#grant-super-admin-permission) can grant an **Access Manager {% endhint %} -![Figure 10: Access Manager](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/access-manager-highlighted.jpg) +![Figure 12: Access Manager](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/access-manager-highlighted.jpg) -**Access Manager** allows you to manage user permissions on a granular level. The user to whom you have granted the Access Manager role can assign or revoke permissions of existing users within their granted scope. - -For example, when you create an Access Manager with **View only** access under **Base Role**, and **Admin**, **Config Approver** permissions under the **Access Manager** role, then the Access Manager will have **View only** access across Devtron and will not be able to perform any other operations. - -However, the Access Manager will still be able to assign **View only** access, and assign or revoke **Admin** and **Config Approver** permissions to other existing users. This is possible because you have granted those permissions under the **Access Manager** role when creating the Access Manager. +Enabling **Access Manager** for a user allows that user to further grant or change permissions of existing users. {% hint style="warning" %} 
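Review bot: The one-sentence replacement "Enabling **Access Manager** for a user allows that user to further grant or change permissions of existing users." drops the scope limit that the removed paragraphs made explicit: the Access Manager can only assign or revoke the permissions selected under the Access Manager role. Without that qualifier the sentence describes what the separate **Can manage access for all roles** toggle does, not this one. Suggest "... grant or change permissions of existing users, limited to the permissions selected under the Access Manager role."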
@@ -166,20 +202,19 @@ An Access Manager cannot create other Access Managers or add new users. Creation {% endhint %} -If you enable the **Can manage access for all roles** toggle for a user, then that user can modify permissions of existing users and even Super-Admin. However, the user will still not be able to create a Super-Admin or a new user. The [Can manage access for all roles](#can-manage-access-for-all-roles-toggle) toggle is exclusively available to Super-Admin and is not visible to any other users. +| Users | Base Role(s) | Access Manager Role(s) | What's Allowed | What's Not Allowed | +|:-----------------------|:----|:------|:----|:------| +| User A | Admin | View Only | Changing user B's **Manager** role to **View Only** role (Manager → View Only) |
  • Reverting to User B's **Manager** role (View Only → Manager)
  • Changing User B's **Manager** role to any other role, except for **View Only**
  • Performing operations beyond the base role (i.e., **Admin**)
  • Modifying Super-Admin permissions
| +| User B | Manager | Not Applicable | Perform the operations under the scope of **Manager** role across Devtron |
  • Manage user access for other users
  • Perform operations beyond the base role (i.e., **Manager**)
  • Modifying Super-Admin permissions
| -![Figure 11: 'Can manage access for all roles' Toggle](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/cmafar-highlighted.jpg) - -{% hint style="info" %} +{% hint style="warning" %} ### Note -Even if you enable the [Can manage access for all roles toggle](#can-manage-access-for-all-roles-toggle) for a user, that user will not be able to further make another user an Access Manager. +If you need to grant someone global control over modifying the roles of other users, enable the [Can manage access for all roles](#can-manage-access-for-all-roles-toggle) toggle instead. {% endhint %} -![Figure 12: Access Manager is not Displayed](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/access-manager-not-displayed.jpg) - The **Access Manager** toggle in the **Role** drop-down box is disabled by default. When enabling the **Access Manager** toggle, make sure to select at least one permission from the checkboxes displayed beneath the toggle to ensure the role is active. 
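Review bot: The removed paragraph and note carried two constraints that the replacement hint does not: a user with the **Can manage access for all roles** toggle still cannot create a Super-Admin or a new user, and cannot make another user an Access Manager (the deleted Figure 12 was the evidence for the second). The new hint only redirects the reader to the toggle; keep both constraints, either here or in the toggle section, since they bound what a delegated administrator can escalate. On the new table: each Markdown table row must stay on a single line, so the cells built with `<br>` bullets need to be checked in the rendered output, and "What's Not Allowed" for User A lists "Performing operations beyond the base role (i.e., **Admin**)" while User A's base role is Admin, which reads as a contradiction until the reader works out it means operations above Admin; say "beyond their base role (Admin)" to make that clear.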
@@ -198,21 +233,7 @@ The following permissions are currently available in the Access Manager role: The **Deployment approver** permission is not currently available within the **Access Manager** role. If you would like to see this permission included, we encourage you to [raise a feature request on GitHub](https://github.com/devtron-labs/devtron/issues). -An Access Manager cannot modify Super-Admin permissions. If an Access Manager attempts to perform any action beyond their granted scope, the system will display an appropriate error message. For example, when modifying the permissions of an existing user, if the Access Manager only has the **View only** permission, but attempt to assign **Build and Deploy** permission to the existing user, an error message is displayed. - -![Figure 13: Not Authorized Error](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/not-authorized.gif) - -Similarly, if an Access Manager has **View only** access and attempts to modify an existing user who currently has **Admin** access, the Access Manager can downgrade the user's access to **View only**. However, the Access Manager cannot reassign **Admin** access afterward, as they do not hold that permission, and an appropriate error message is displayed. Access Managers can only modify permissions that fall within their own granted scope. - -{% hint style="info" %} - -### Note - -When an Access Manager modifies and assigns the **Artifact Promoter** permission to an existing user, for example, then that user will only have **Artifact Promoter** permission selected and displayed in the **Role** drop-down box. The other permissions, **Config Approver** and **Deployment approver**, will not be displayed. - -{% endhint %} - -However, Super-Admin users have unrestricted access to all Devtron resources. They can create, modify, delete, and manage any resource, including user access, Git repositories, container registries, clusters, and environments. 
+#### Roles and Scopes | Role | View | Create | Edit | Delete | Build & Deploy | Approve Images | Approve Config Change | Approve Artifacts | Manage User Access | |-----------------------|:----:|:------:|:----:|:------:|:--------------:|:--------------:|:--------------:|:----------------:|:----------------:| @@ -230,7 +251,7 @@ However, Super-Admin users have unrestricted access to all Devtron resources. Th Here you can grant your user the permissions for Helm apps deployed from Devtron or outside Devtron. -![Figure 14: Granting Helm Apps Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/helm-apps-perm.jpg) +![Figure 13: Granting Helm Apps Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/helm-apps-perm.jpg) | Field | Description | | --- | --- | @@ -259,7 +280,7 @@ There are three role-based access levels for Helm Apps: Here you can grant your user the permissions to access the jobs created in Devtron. -![Figure 15: Granting Jobs Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/jobs-perm.jpg) +![Figure 14: Granting Jobs Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/jobs-perm.jpg) | Field | Description | | --- | --- | 
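Review bot: Removing the "Not Authorized" paragraph and Figure 13 deletes the only description of what happens when an Access Manager acts outside their scope (the action is rejected with an error); the table added in the earlier hunk lists what is not allowed but not the enforcement outcome, so keep one sentence on it. The deleted note about assigning **Artifact Promoter** (only the assigned permission is shown in the **Role** drop-down, **Config Approver** and **Deployment approver** are hidden) is not moved anywhere; if it is still accurate it should stay, since it explains a UI state that otherwise looks like missing permissions. The new "#### Roles and Scopes" heading sits directly on the table with no lead sentence; add one saying the table covers Devtron Apps roles, as the Helm Apps and Chart Groups sections do for their tables.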
@@ -298,10 +319,10 @@ Here you can provide permission to view, inspect, manage, and delete resources i To grant Kubernetes resource permission, click **Add permission**. -![Figure 16a: Adding Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm1.jpg) +![Figure 15a: Adding Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm1.jpg) -![Figure 16b: Granting Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm2.jpg) +![Figure 15b: Granting Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm2.jpg) | Field | Description | | --- | --- | @@ -335,7 +356,7 @@ The 'Chart Groups' tab will be available only if the [CI/CD module](../../integr Here you can grant your user the permissions for accessing Chart Groups. Note that you can only give users the permission to either create chart groups or edit them, but not both. -![Figure 17: Granting Chart Group Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/chart-group-perm.jpg) +![Figure 16: Granting Chart Group Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/chart-group-perm.jpg) | Action | Permissions | | :--- | :--- | 
@@ -356,19 +377,6 @@ Here you can grant your user the permissions for accessing Chart Groups. Note th | **Edit** | ✅ | ❌ | ❌ | None/Specific Groups | ❌ | | **Super Admin** | ✅ | ✅ | ✅ | ✅ | ✅ | -### Can Manage Access For All Roles Toggle - -{% hint style="warning" %} -### Who Can Perform This Action? -Only a [Super Admin](#grant-super-admin-permission) can enable the **Can manage access for all roles** toggle for other users. This toggle is available only to Super-Admin and not to other users. -{% endhint %} - -![Figure 18: 'Can manage access for all roles' Toggle](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/cmafar-highlighted.jpg) - -The **Can manage access for all roles** toggle allows you to grant a user the permission to manage access for all roles across Devtron apps, Helm Apps, Jobs, Kubernetes Resources, and Chart Groups. - -When you enable this toggle for a user, they can then manage access for all roles of existing users. However, they cannot create new users. By default, the **Can manage access for all roles** toggle is disabled. - --- ## Making Users Active/Inactive [![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/elements/EnterpriseTag.svg)](https://devtron.ai/pricing) 
@@ -381,7 +389,7 @@ When you enable this toggle for a user, they can then manage access for all role When working with multiple collaborators in Devtron, you may need to deactivate users who no longer require access and reactivate them when needed. This applies to users of Devtron Apps, Helm Apps, Jobs, and Kubernetes Resources. -![Figure 19: Active/Inactive Options](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/active-inactive-levels.jpg) +![Figure 17: Active/Inactive Options](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/active-inactive-levels.jpg) You can manage a user's active status at three levels: * [User-level](#at-user-level) @@ -391,7 +399,7 @@ You can manage a user's active status at three levels: ### At User level -![Figure 20: Active/Inactive User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/user-level-activation.jpg) +![Figure 18: Active/Inactive User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/user-level-activation.jpg) * **Active/Activate** - Use this option to activate a deactivated user while retaining their previous roles and permissions. * **Inactive/Inactivate** - Use this option to deactivate an existing active user and save the changes. If the user has an ongoing session, they will be logged out permanently on their next action or refresh. 
@@ -399,7 +407,7 @@ You can manage a user's active status at three levels: ### At Permission Group level -![Figure 21: Active/Inactive User from Permission Group](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/group-level-activation.jpg) +![Figure 19: Active/Inactive User from Permission Group](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/group-level-activation.jpg) * **Active/Activate** - Use this option to allow permissions from the group to take effect for the user. * **Inactive/Inactivate** - Use this option to prevent permissions from the group from taking effect for the user. However, they can still log in/log out of Devtron if [active at the user-level](#at-user-level). @@ -407,7 +415,7 @@ You can manage a user's active status at three levels: ### At Direct Permissions level -![Figure 22: Active/Inactive User for Project Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/permission-level-activation.jpg) +![Figure 20: Active/Inactive User for Project Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/permission-level-activation.jpg) * **Active/Activate** - Use this option to grant the project/resource access to the user. * **Inactive/Inactivate** - Use this option to revoke the project/resource access from the user. **Note**: The user will still be able to log in/log out of Devtron if [active at user-level](#at-user-level). 
@@ -430,7 +438,7 @@ Direct user permissions cannot be edited if you're using [LDAP](./sso/ldap.md)/[ You can edit the user permissions by clicking the edit icon. Click **Save** after editing the permissions. -![Figure 23: Editing User Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/edit-permissions.gif) +![Figure 21: Editing User Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/edit-permissions.gif) --- @@ -445,7 +453,7 @@ You may download the user data of current users and deleted users in a CSV forma * Role * Timestamps for User Addition, Updation, and Deletion -![Figure 24: Exporting User Data](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/export-users-csv-v2.gif) +![Figure 22: Exporting User Data](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/export-users-csv-v2.gif) --- @@ -459,6 +467,6 @@ You may download the user data of current users and deleted users in a CSV forma If you want to delete a user, click **Delete**. -![Figure 25: Deleting a User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/delete-user.jpg) +![Figure 23: Deleting a User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/delete-user.jpg) This will remove the user from the system along with all the permissions granted earlier. The user will no longer be able to log in to Devtron unless added again. \ No newline at end of file From 939fff80e9dbfa5793d74c5bc071ca4530015703 Mon Sep 17 00:00:00 2001 From: Bharathvaj Date: Thu, 19 Jun 2025 10:01:25 +0530 Subject: [PATCH 08/14] Fixed Review Comments --- .../authorization/user-access.md | 34 ++++++++++++------- 1 file changed, 21 insertions(+), 13 deletions(-) 
diff --git a/docs/user-guide/global-configurations/authorization/user-access.md b/docs/user-guide/global-configurations/authorization/user-access.md index 24774d00f..4596fe041 100644 --- a/docs/user-guide/global-configurations/authorization/user-access.md +++ b/docs/user-guide/global-configurations/authorization/user-access.md 
@@ -88,19 +88,19 @@ The **Permission Groups** drop-down box allows you to select from a list of perm ![Figure 9: Permission Groups](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/assign-permission-groups.gif) -You can select one or more permission groups, and the user will automatically inherit all the permissions to the projects and resources defined for those groups. Once you select permission group(s), assigning specific permissions can be skipped (unless you wish to grant additional permissions). +You can select one or more permission groups, and the user will automatically inherit all the permissions to the projects and resources defined for those groups. Once you select permission group(s), assigning direct permissions can be skipped (unless you wish to grant additional permissions). You can also make users [Active/Inactive](#making-users-activeinactive) at permission group-level. {% hint style="info" %} -### What happens when a user has specific permissions as well as permissions inherited from a group? +### What happens when a user has direct permissions as well as permissions inherited from a group? -If you assign a permission group as well as specific permissions, the user will have the combined permissions of both. +If you assign a permission group as well as direct permissions, the user will have the combined permissions of both. **For example**: -* A user is granted **Build & Deploy** access to three apps via specific permissions. +* A user is granted **Build & Deploy** access to three apps via direct permissions. * The same user is part of a group that has **View only** access to five apps (including those three apps). 
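Review bot: Reverting "specific permissions" back to "direct permissions" restores consistency with the rest of the file ("Direct user permissions cannot be edited", "At Direct Permissions level"), but the hint in the same section still reads "Only managers and super-admins can assign specific permissions to a user" under the "## Grant Specific Permissions" heading; either is fine as the section name, but the body should use one term throughout, so check that remaining occurrence.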
@@ -108,21 +108,21 @@ If you assign a permission group as well as specific permissions, the user will {% endhint %} -### Can Manage Access For All Roles Toggle +### Can Manage Access For All Roles (Toggle) {% hint style="warning" %} ### Who Can Perform This Action? -Only a [Super Admin](#grant-super-admin-permission) can enable the **Can manage access for all roles** toggle for other users. This toggle is available only to Super-Admins. +Only a [Super Admin](#grant-super-admin-permission) can enable the **Can manage access for all roles** toggle for other users. {% endhint %} ![Figure 10: 'Can manage access for all roles' Toggle](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/cmafar-highlighted.jpg) -The **Can manage access for all roles** toggle allows you to grant a user the permission to manage access for all roles across Devtron apps, Helm Apps, Jobs, Kubernetes Resources, and Chart Groups. However, they cannot create new users. +By enabling the **Can manage access for all roles** toggle, you can grant a user the permission to manage access for all roles across Devtron apps, Helm Apps, Jobs, Kubernetes Resources, and Chart Groups. However, they cannot create new users. -By default, the **Can manage access for all roles** toggle is disabled. +By default, this toggle is disabled. {% hint style="warning" %} @@ -202,12 +202,20 @@ An Access Manager cannot create other Access Managers or add new users. Creation {% endhint %} -| Users | Base Role(s) | Access Manager Role(s) | What's Allowed | What's Not Allowed | -|:-----------------------|:----|:------|:----|:------| -| User A | Admin | View Only | Changing user B's **Manager** role to **View Only** role (Manager → View Only) |
  • Reverting to User B's **Manager** role (View Only → Manager)
  • Changing User B's **Manager** role to any other role, except for **View Only**
  • Performing operations beyond the base role (i.e., **Admin**)
  • Modifying Super-Admin permissions
| -| User B | Manager | Not Applicable | Perform the operations under the scope of **Manager** role across Devtron |
  • Manage user access for other users
  • Perform operations beyond the base role (i.e., **Manager**)
  • Modifying Super-Admin permissions
| +A user who is an Access Manager can grant or change permissions for other existing users only within the permissions assigned to them under the **Access Manager** role in the **Role** drop-down box. For example, refer to the tables below to understand what an Access Manager is allowed and not allowed to do. -{% hint style="warning" %} +| Users | Base Role(s) | Access Manager Role(s) | +|:-----------------------|:----|:------| +| User A | Admin | View Only | +| User B | Manager | Not Applicable | + +| What's Allowed | What's Not Allowed | +|:----|:------| +| Changing user B's **Manager** role to **View Only** role (Manager → View Only) |
  • Reverting to User B's **Manager** role (View Only → Manager)
  • Changing User B's **Manager** role to any other role, except for **View Only**
  • Performing operations beyond the base role (i.e., **Admin**)
  • Modifying Super-Admin permissions
| +| Perform the operations under the scope of **Manager** role across Devtron |
  • Manage user access for other users
  • Perform operations beyond the base role (i.e., **Manager**)
  • Modifying Super-Admin permissions
| + + +{% hint style="info" %} ### Note From d7783902cc15e9045437e1a20b5f19c1f034c4e2 Mon Sep 17 00:00:00 2001 From: Bharathvaj Date: Thu, 19 Jun 2025 10:05:09 +0530 Subject: [PATCH 09/14] Fixed Review Comments --- .../global-configurations/authorization/user-access.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/user-guide/global-configurations/authorization/user-access.md b/docs/user-guide/global-configurations/authorization/user-access.md index 4596fe041..cb0f607c6 100644 --- a/docs/user-guide/global-configurations/authorization/user-access.md +++ b/docs/user-guide/global-configurations/authorization/user-access.md @@ -202,7 +202,7 @@ An Access Manager cannot create other Access Managers or add new users. Creation {% endhint %} -A user who is an Access Manager can grant or change permissions for other existing users only within the permissions assigned to them under the **Access Manager** role in the **Role** drop-down box. For example, refer to the tables below to understand what an Access Manager is allowed and not allowed to do. +A user who is an Access Manager can grant or change permissions for other existing users only within the permissions assigned to them under the **Access Manager** role in the **Role** drop-down box. For example, refer to the tables below to understand what an Access Manager (User A) is allowed and not allowed to do with the permissions of an existing user (User B). | Users | Base Role(s) | Access Manager Role(s) | |:-----------------------|:----|:------| @@ -211,7 +211,7 @@ A user who is an Access Manager can grant or change permissions for other existi | What's Allowed | What's Not Allowed | |:----|:------| -| Changing user B's **Manager** role to **View Only** role (Manager → View Only) |
  • Reverting to User B's **Manager** role (View Only → Manager)
  • Changing User B's **Manager** role to any other role, except for **View Only**
  • Performing operations beyond the base role (i.e., **Admin**)
  • Modifying Super-Admin permissions
| +| Changing User B's **Manager** role to **View Only** role (Manager → View Only) |
  • Reverting to User B's **Manager** role (View Only → Manager)
  • Changing User B's **Manager** role to any other role, except for **View Only**
  • Performing operations beyond the base role (i.e., **Admin**)
  • Modifying Super-Admin permissions
| | Perform the operations under the scope of **Manager** role across Devtron |
  • Manage user access for other users
  • Perform operations beyond the base role (i.e., **Manager**)
  • Modifying Super-Admin permissions
| From d90ee095a78b6d0fe6ba308456ce56312c7ac156 Mon Sep 17 00:00:00 2001 From: Bharathvaj Date: Fri, 27 Jun 2025 07:26:51 +0530 Subject: [PATCH 10/14] Rearranged AM Section --- .../authorization/user-access.md | 191 +++++++++--------- 1 file changed, 101 insertions(+), 90 deletions(-) diff --git a/docs/user-guide/global-configurations/authorization/user-access.md b/docs/user-guide/global-configurations/authorization/user-access.md index cb0f607c6..6014cd98a 100644 --- a/docs/user-guide/global-configurations/authorization/user-access.md +++ b/docs/user-guide/global-configurations/authorization/user-access.md @@ -108,30 +108,6 @@ If you assign a permission group as well as direct permissions, the user will ha {% endhint %} -### Can Manage Access For All Roles (Toggle) - -{% hint style="warning" %} - -### Who Can Perform This Action? - -Only a [Super Admin](#grant-super-admin-permission) can enable the **Can manage access for all roles** toggle for other users. - -{% endhint %} - -![Figure 10: 'Can manage access for all roles' Toggle](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/cmafar-highlighted.jpg) - -By enabling the **Can manage access for all roles** toggle, you can grant a user the permission to manage access for all roles across Devtron apps, Helm Apps, Jobs, Kubernetes Resources, and Chart Groups. However, they cannot create new users. - -By default, this toggle is disabled. - -{% hint style="warning" %} - -### Important Note - -If you enable the **Can manage access for all roles** toggle for a user, then that user can modify permissions of all the users including super-admins. - -{% endhint %} - ### Devtron Apps permissions {% hint style="warning" %} 
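Review bot: splitting the single example table in the `@@ -202,12 +202,20 @@` hunk into two tables drops the link between each user and their row of allowed and not-allowed actions; in the second table nothing says that `Changing User B's **Manager** role to **View Only** role (Manager → View Only)` is User A's allowed action and `Perform the operations under the scope of **Manager** role across Devtron` is User B's, and the rows line up with the first table only by position. Suggest adding a leading `User` column to the second table (`| User A | Changing User B's ... | ...`) or keeping one table. Two smaller points in the same text: the allowed action is one-way (View Only → Manager is listed as not allowed), so it is worth saying plainly that an Access Manager holding only **View only** can downgrade a user but cannot restore what they removed; and `Not Applicable` for User B should say why (User B is not an Access Manager).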
@@ -144,7 +120,7 @@ The **Devtron Apps** tab is displayed only when the [Build and Deploy (CI/CD)](. The **Devtron Apps** tab allows you to grant user permissions for Devtron applications. -![Figure 11: Granting Devtron Apps Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/devtron-apps-perm.jpg) +![Figure 10: Granting Devtron Apps Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/devtron-apps-perm.jpg) | Field | Description | | --- | --- | 
@@ -180,66 +156,7 @@ The role-based access for Devtron Apps are as follows: * **Deployment Approver**: You can approve the deployment requests for the selected applications and environments. -**Access Manager** [![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/elements/EnterpriseTag.svg)](https://devtron.ai/pricing) - -{% hint style="warning" %} - -### Who Can Perform This Action? - -Only [Super-Admins](#grant-super-admin-permission) can grant an **Access Manager** role. - -{% endhint %} - -![Figure 12: Access Manager](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/access-manager-highlighted.jpg) - -Enabling **Access Manager** for a user allows that user to further grant or change permissions of existing users. - -{% hint style="warning" %} - -### Important Note - -An Access Manager cannot create other Access Managers or add new users. Creation of new users and Access Manager is restricted only to Super-Admins. - -{% endhint %} - -A user who is an Access Manager can grant or change permissions for other existing users only within the permissions assigned to them under the **Access Manager** role in the **Role** drop-down box. For example, refer to the tables below to understand what an Access Manager (User A) is allowed and not allowed to do with the permissions of an existing user (User B). - -| Users | Base Role(s) | Access Manager Role(s) | -|:-----------------------|:----|:------| -| User A | Admin | View Only | -| User B | Manager | Not Applicable | - -| What's Allowed | What's Not Allowed | -|:----|:------| -| Changing User B's **Manager** role to **View Only** role (Manager → View Only) |
  • Reverting to User B's **Manager** role (View Only → Manager)
  • Changing User B's **Manager** role to any other role, except for **View Only**
  • Performing operations beyond the base role (i.e., **Admin**)
  • Modifying Super-Admin permissions
| -| Perform the operations under the scope of **Manager** role across Devtron |
  • Manage user access for other users
  • Perform operations beyond the base role (i.e., **Manager**)
  • Modifying Super-Admin permissions
| - - -{% hint style="info" %} - -### Note - -If you need to grant someone global control over modifying the roles of other users, enable the [Can manage access for all roles](#can-manage-access-for-all-roles-toggle) toggle instead. - -{% endhint %} - -The **Access Manager** toggle in the **Role** drop-down box is disabled by default. - -When enabling the **Access Manager** toggle, make sure to select at least one permission from the checkboxes displayed beneath the toggle to ensure the role is active. - -The following permissions are currently available in the Access Manager role: - -* **View only**: When selected, this permission allows the Access Manager to grant or revoke View Only access to other users. - -* **Build and Deploy**: When selected, this permission allows the Access Manager to grant or revoke Build and Deploy access to other users. - -* **Admin**: When selected, this permission allows the Access Manager to grant or revoke Admin access to other users. - -* **Config Approver**: When selected, this permission allows the Access Manager to grant or revoke Config Approver access to other users. - -* **Artifact promoter**: When selected, this permission allows the Access Manager to grant or revoke Artifact promoter access to other users. - -The **Deployment approver** permission is not currently available within the **Access Manager** role. If you would like to see this permission included, we encourage you to [raise a feature request on GitHub](https://github.com/devtron-labs/devtron/issues). +To make a user an Access Manager with global or Devtron app-specific control over user permissions, refer to [Access Manager](#access-manager). #### Roles and Scopes 
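Review bot: the replacement line links to `#access-manager`, but the target added later in this patch is the heading `## Access Manager [![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/elements/EnterpriseTag.svg)](https://devtron.ai/pricing)` with a `### Access Manager (Devtron Apps)` subsection under it. Please check in the rendered docs that the slug generated for a heading containing an image link is really `access-manager` and that it does not collide with the subsection's slug; otherwise this link lands on the wrong section or nowhere.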
@@ -259,7 +176,7 @@ The **Deployment approver** permission is not currently available within the **A Here you can grant your user the permissions for Helm apps deployed from Devtron or outside Devtron. -![Figure 13: Granting Helm Apps Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/helm-apps-perm.jpg) +![Figure 11: Granting Helm Apps Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/helm-apps-perm.jpg) | Field | Description | | --- | --- | @@ -288,7 +205,7 @@ There are three role-based access levels for Helm Apps: Here you can grant your user the permissions to access the jobs created in Devtron. -![Figure 14: Granting Jobs Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/jobs-perm.jpg) +![Figure 12: Granting Jobs Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/jobs-perm.jpg) | Field | Description | | --- | --- | 
@@ -327,10 +244,10 @@ Here you can provide permission to view, inspect, manage, and delete resources i To grant Kubernetes resource permission, click **Add permission**. -![Figure 15a: Adding Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm1.jpg) +![Figure 13a: Adding Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm1.jpg) -![Figure 15b: Granting Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm2.jpg) +![Figure 13b: Granting Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm2.jpg) | Field | Description | | --- | --- | @@ -364,7 +281,7 @@ The 'Chart Groups' tab will be available only if the [CI/CD module](../../integr Here you can grant your user the permissions for accessing Chart Groups. Note that you can only give users the permission to either create chart groups or edit them, but not both. -![Figure 16: Granting Chart Group Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/chart-group-perm.jpg) +![Figure 14: Granting Chart Group Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/chart-group-perm.jpg) | Action | Permissions | | :--- | :--- | 
@@ -387,6 +304,100 @@ Here you can grant your user the permissions for accessing Chart Groups. Note th --- +## Access Manager [![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/elements/EnterpriseTag.svg)](https://devtron.ai/pricing) + +### Can Manage Access For All Roles (Toggle) + +{% hint style="warning" %} + +### Who Can Perform This Action? + +Only a [Super Admin](#grant-super-admin-permission) can enable the **Can manage access for all roles** toggle for other users. + +{% endhint %} + +![Figure 15: 'Can manage access for all roles' Toggle](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/cmafar-highlighted.jpg) + +By enabling the **Can manage access for all roles** toggle, you can grant a user the permission to manage access for all roles across Devtron apps, Helm Apps, Jobs, Kubernetes Resources, and Chart Groups. However, they cannot create new users. + +By default, this toggle is disabled. + +{% hint style="warning" %} + +### Important Note + +If you enable the **Can manage access for all roles** toggle for a user, then that user can modify permissions of all the users including super-admins. + +{% endhint %} + +### Access Manager (Devtron Apps) + +{% hint style="warning" %} + +### Who Can Perform This Action? + +Only [Super-Admins](#grant-super-admin-permission) can grant an **Access Manager** role. + +{% endhint %} + +![Figure 16: Access Manager](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/access-manager-highlighted.jpg) + +Enabling **Access Manager** for a user allows that user to further grant or change permissions of existing users. + +{% hint style="warning" %} + +### Important Note + +An Access Manager cannot create other Access Managers or add new users. Creation of new users and Access Manager is restricted only to Super-Admins. 
+ +{% endhint %} + +A user who is an Access Manager can grant or change permissions for other existing users only within the permissions assigned to them under the **Access Manager** role in the **Role** drop-down box. For example, refer to the tables below to understand what an Access Manager (User A) is allowed and not allowed to do with the permissions of an existing user (User B). + +| Users | Base Role(s) | Access Manager Role(s) | +|:-----------------------|:----|:------| +| User A | Admin | View Only | +| User B | Manager | Not Applicable | + +| What's Allowed | What's Not Allowed | +|:----|:------| +| Changing User B's **Manager** role to **View Only** role (Manager → View Only) |
  • Reverting to User B's **Manager** role (View Only → Manager)
  • Changing User B's **Manager** role to any other role, except for **View Only**
  • Performing operations beyond the base role (i.e., **Admin**)
  • Modifying Super-Admin permissions
| +| Perform the operations under the scope of **Manager** role across Devtron |
  • Manage user access for other users
  • Perform operations beyond the base role (i.e., **Manager**)
  • Modifying Super-Admin permissions
| + +{% hint style="info" %} + +### Note + +If you need to grant someone global control over modifying the roles of other users, enable the [Can manage access for all roles](#can-manage-access-for-all-roles-toggle) toggle instead. + +{% endhint %} + +The **Access Manager** toggle in the **Role** drop-down box is disabled by default. + +When enabling the **Access Manager** toggle, make sure to select at least one permission from the checkboxes displayed beneath the toggle to ensure the role is active. + +The following permissions are currently available in the Access Manager role: + +* **View only**: When selected, this permission allows the Access Manager to grant or revoke View Only access to other users. + +* **Build and Deploy**: When selected, this permission allows the Access Manager to grant or revoke Build and Deploy access to other users. + +* **Admin**: When selected, this permission allows the Access Manager to grant or revoke Admin access to other users. + +* **Config Approver**: When selected, this permission allows the Access Manager to grant or revoke Config Approver access to other users. + +* **Artifact promoter**: When selected, this permission allows the Access Manager to grant or revoke Artifact promoter access to other users. + +The **Deployment approver** permission is not currently available within the **Access Manager** role. If you would like to see this permission included, we encourage you to [raise a feature request on GitHub](https://github.com/devtron-labs/devtron/issues). 
+ +#### Role and Scope + +| Role | View | Create | Edit | Delete | Build & Deploy | Approve Images | Approve Config Change | Approve Artifacts | Manage User Access | +|-----------------------|:----:|:------:|:----:|:------:|:--------------:|:--------------:|:--------------:|:----------------:|:----------------:| +| **Access Manager** | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | + +--- + ## Making Users Active/Inactive [![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/elements/EnterpriseTag.svg)](https://devtron.ai/pricing) {% hint style="warning" %} From 4d28ce78c5524f8bd166de343b65029d3cd636d9 Mon Sep 17 00:00:00 2001 From: Bharathvaj Date: Fri, 27 Jun 2025 07:58:02 +0530 Subject: [PATCH 11/14] Removed a Couple of Hintblocks --- .../authorization/user-access.md | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/docs/user-guide/global-configurations/authorization/user-access.md b/docs/user-guide/global-configurations/authorization/user-access.md index 6014cd98a..2d1ac83d6 100644 --- a/docs/user-guide/global-configurations/authorization/user-access.md +++ b/docs/user-guide/global-configurations/authorization/user-access.md @@ -48,14 +48,6 @@ Only managers and super-admins can add users. ## Grant Super Admin Permission -{% hint style="warning" %} - -### Who Can Perform This Action? - -Only existing super-admins can assign super-admin permissions to another user. - -{% endhint %} - ![Figure 7: Granting Superadmin Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/superadmin-perm.jpg) Super-Admins have unrestricted access to all Devtron resources. They can create, modify, delete, and manage any resource, including user access, Git repositories, container registries, clusters, and environments. Before assigning this permission, please note: 
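Review bot: the example table in the `@@ -387,6 +304,100 @@` hunk lists `Manage user access for other users` under what User B (base role **Manager**) is not allowed to do, while the page's own hint near the top states `Only managers and super-admins can add users.`; one of the two is wrong, or the table needs to say how the Manager role's user-management scope differs from what an Access Manager can do. Two more points in the same hunk: the `Important Note` says a user with **Can manage access for all roles** `can modify permissions of all the users including super-admins` but not whether that user can grant super-admin, to others or to themselves; that is the difference between a delegated administrator and an effective super-admin, so state it and advise treating the toggle as super-admin-equivalent when granting it. And `make sure to select at least one permission from the checkboxes displayed beneath the toggle to ensure the role is active` should say what actually happens when none is selected (save rejected, or toggle saved with no effect).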
@@ -70,14 +62,6 @@ Super-Admins have unrestricted access to all Devtron resources. They can create, ## Grant Specific Permissions -{% hint style="warning" %} - -### Who Can Perform This Action? - -Only managers and super-admins can assign specific permissions to a user. - -{% endhint %} - ![Figure 8: Granting Specific Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/specific-permissions.jpg) ### Permission Groups From b1322a1097514d1d1c7339c2e5b0f9fa3c53a1d8 Mon Sep 17 00:00:00 2001 From: Bharathvaj Date: Sat, 28 Jun 2025 08:59:03 +0530 Subject: [PATCH 12/14] Replaced SS + Fixed Review Comments --- .../authorization/user-access.md | 42 ++++++++++--------- 1 file changed, 22 insertions(+), 20 deletions(-) diff --git a/docs/user-guide/global-configurations/authorization/user-access.md b/docs/user-guide/global-configurations/authorization/user-access.md index 2d1ac83d6..600d04744 100644 --- a/docs/user-guide/global-configurations/authorization/user-access.md +++ b/docs/user-guide/global-configurations/authorization/user-access.md @@ -4,7 +4,7 @@ Here you can manage who can access your Devtron instance and what actions they can perform. Use this section to add team members, assign them roles, and control their access by granting fine-grained permissions. Moreover, you can also download all user data in a CSV format. -![Figure 1: User Permissions - Example](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/user-sample.jpg) +![Figure 1: User Permissions - Example](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/add-user.jpg) --- 
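Review bot: removing the two `Who Can Perform This Action?` hints in the `@@ -48,14 +48,6 @@` and `@@ -70,14 +62,6 @@` hunks drops two rules the visible page does not state elsewhere: `Only existing super-admins can assign super-admin permissions to another user.` and `Only managers and super-admins can assign specific permissions to a user.` The first is the rule that keeps super-admin from being self-granted, and the new Access Manager section now says the toggle user `can modify permissions of all the users including super-admins`, so readers will want that boundary stated. If the hint boxes are being removed for layout reasons, keep each statement as a plain sentence under its heading.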
@@ -22,25 +22,25 @@ Only managers and super-admins can add users. 1. Go to **Global Configurations** → **Authorization** → **User Permissions**. - ![Figure 2: User Permissions in Global Configurations](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/user-permissions-screen.jpg) + ![Figure 2: User Permissions in Global Configurations](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/user-permissions-gc.jpg) 2. Click **Add Users**. - ![Figure 3: 'Add Users' Button](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/add-users.jpg) + ![Figure 3: 'Add Users' Button](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/user-permissions-add.jpg) 3. In the **Email addresses** field, type the email address of the user you wish to add. You may add more than one email address. - ![Figure 4: Adding Email Addresses of Users](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/adding-email-address.gif) + ![Figure 4: Adding Email Addresses of Users](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/adding-user.gif) 4. (Optional) From the **Assign user groups** dropdown, you may assign one or more user groups to the user. This helps in identifying the group/team to which the user belongs (e.g., Security Team, Frontend Team, Department Leads) especially when adding larger teams. - ![Figure 5: Assigning User Group(s)](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/assign-user-group.gif) + ![Figure 5: Assigning User Group(s)](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/assigning-user-groups.gif) 5. 
There are two types of permissions in Devtron (click the links below to learn more): * [Super admin permission](#grant-super-admin-permission) for granting full access. * [Specific permissions](#grant-specific-permissions) for granting cherry-picked access. - ![Figure 6: Granting Specific or Superadmin Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/superadmin-or-specific.gif) + ![Figure 6: Granting Specific or Superadmin Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/two-permissions.gif) 6. Click **Save**. You have successfully added your user(s). @@ -70,7 +70,7 @@ Super-Admins have unrestricted access to all Devtron resources. They can create, The **Permission Groups** drop-down box allows you to select from a list of permission groups already created in the [Permission Groups](../authorization/permission-groups.md) page. -![Figure 9: Permission Groups](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/assign-permission-groups.gif) +![Figure 9: Permission Groups](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/assigning-permission-groups.gif) You can select one or more permission groups, and the user will automatically inherit all the permissions to the projects and resources defined for those groups. Once you select permission group(s), assigning direct permissions can be skipped (unless you wish to grant additional permissions). 
@@ -104,7 +104,7 @@ The **Devtron Apps** tab is displayed only when the [Build and Deploy (CI/CD)](. The **Devtron Apps** tab allows you to grant user permissions for Devtron applications. -![Figure 10: Granting Devtron Apps Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/devtron-apps-perm.jpg) +![Figure 10: Granting Devtron Apps Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/devtron-apps.jpg) | Field | Description | | --- | --- | @@ -140,7 +140,7 @@ The role-based access for Devtron Apps are as follows: * **Deployment Approver**: You can approve the deployment requests for the selected applications and environments. -To make a user an Access Manager with global or Devtron app-specific control over user permissions, refer to [Access Manager](#access-manager). +You also have the provision of granting Access Manager role to a user. Refer [Access Manager](#access-manager) to know more. #### Roles and Scopes @@ -160,7 +160,7 @@ To make a user an Access Manager with global or Devtron app-specific control ove Here you can grant your user the permissions for Helm apps deployed from Devtron or outside Devtron. -![Figure 11: Granting Helm Apps Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/helm-apps-perm.jpg) +![Figure 11: Granting Helm Apps Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/helm-apps.jpg) | Field | Description | | --- | --- | 
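Review bot: the new sentence in the `@@ -140,7 +140,7 @@` hunk, `You also have the provision of granting Access Manager role to a user. Refer [Access Manager](#access-manager) to know more.`, reads awkwardly; suggest `You can also grant the Access Manager role to a user; see [Access Manager](#access-manager).` The line it replaces (`with global or Devtron app-specific control over user permissions`) told the reader what the role is before sending them elsewhere; keep that clause, since this is the only mention of Access Manager in the Devtron Apps roles list.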
@@ -189,7 +189,7 @@ There are three role-based access levels for Helm Apps: Here you can grant your user the permissions to access the jobs created in Devtron. -![Figure 12: Granting Jobs Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/jobs-perm.jpg) +![Figure 12: Granting Jobs Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/jobs.jpg) | Field | Description | | --- | --- | @@ -228,10 +228,10 @@ Here you can provide permission to view, inspect, manage, and delete resources i To grant Kubernetes resource permission, click **Add permission**. -![Figure 13a: Adding Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm1.jpg) +![Figure 13a: Adding Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/k8s-resources-1.jpg) -![Figure 13b: Granting Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/k8s-perm2.jpg) +![Figure 13b: Granting Permissions for Kubernetes Resources](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/k8s-resources-2.jpg) | Field | Description | | --- | --- | 
@@ -265,7 +265,7 @@ The 'Chart Groups' tab will be available only if the [CI/CD module](../../integr Here you can grant your user the permissions for accessing Chart Groups. Note that you can only give users the permission to either create chart groups or edit them, but not both. -![Figure 14: Granting Chart Group Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/chart-group-perm.jpg) +![Figure 14: Granting Chart Group Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/chart-groups.jpg) | Action | Permissions | | :--- | :--- | @@ -380,6 +380,8 @@ The **Deployment approver** permission is not currently available within the **A |-----------------------|:----:|:------:|:----:|:------:|:--------------:|:--------------:|:--------------:|:----------------:|:----------------:| | **Access Manager** | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | +The app-specific Access Manager role is currenly available only for Devtron Apps. If you would like to have this role for Helm apps, Jobs, Kubernetes Resources, or Chart Groups, please [Raise a Feature Request](https://github.com/devtron-labs/devtron/issues) on GitHub. + --- ## Making Users Active/Inactive [![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/elements/EnterpriseTag.svg)](https://devtron.ai/pricing) 
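Review bot: typo in the line added by the `@@ -380,6 +380,8 @@` hunk: `currenly` should be `currently`. Also, because the **Can manage access for all roles** toggle described in the same section already covers Helm Apps, Jobs, Kubernetes Resources, and Chart Groups, say that the limitation applies to the per-role (app-specific) Access Manager only, otherwise readers may conclude there is no way to delegate access management for those resource types.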
@@ -392,7 +394,7 @@ The **Deployment approver** permission is not currently available within the **A When working with multiple collaborators in Devtron, you may need to deactivate users who no longer require access and reactivate them when needed. This applies to users of Devtron Apps, Helm Apps, Jobs, and Kubernetes Resources. -![Figure 17: Active/Inactive Options](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/active-inactive-levels.jpg) +![Figure 17: Active/Inactive Options](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/active-inactive.jpg) You can manage a user's active status at three levels: * [User-level](#at-user-level) @@ -402,7 +404,7 @@ You can manage a user's active status at three levels: ### At User level -![Figure 18: Active/Inactive User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/user-level-activation.jpg) +![Figure 18: Active/Inactive User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/user-level.jpg) * **Active/Activate** - Use this option to activate a deactivated user while retaining their previous roles and permissions. * **Inactive/Inactivate** - Use this option to deactivate an existing active user and save the changes. If the user has an ongoing session, they will be logged out permanently on their next action or refresh. 
@@ -410,7 +412,7 @@ You can manage a user's active status at three levels: ### At Permission Group level -![Figure 19: Active/Inactive User from Permission Group](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/group-level-activation.jpg) +![Figure 19: Active/Inactive User from Permission Group](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/permission-group-level.jpg) * **Active/Activate** - Use this option to allow permissions from the group to take effect for the user. * **Inactive/Inactivate** - Use this option to prevent permissions from the group from taking effect for the user. However, they can still log in/log out of Devtron if [active at the user-level](#at-user-level). @@ -418,7 +420,7 @@ You can manage a user's active status at three levels: ### At Direct Permissions level -![Figure 20: Active/Inactive User for Project Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/permission-level-activation.jpg) +![Figure 20: Active/Inactive User for Project Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/direct-permissions-level.jpg) * **Active/Activate** - Use this option to grant the project/resource access to the user. * **Inactive/Inactivate** - Use this option to revoke the project/resource access from the user. **Note**: The user will still be able to log in/log out of Devtron if [active at user-level](#at-user-level). 
@@ -441,7 +443,7 @@ Direct user permissions cannot be edited if you're using [LDAP](./sso/ldap.md)/[ You can edit the user permissions by clicking the edit icon. Click **Save** after editing the permissions. -![Figure 21: Editing User Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/edit-permissions.gif) +![Figure 21: Editing User Permissions](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/editing-permissions.gif) --- @@ -470,6 +472,6 @@ You may download the user data of current users and deleted users in a CSV forma If you want to delete a user, click **Delete**. -![Figure 23: Deleting a User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-permissions/delete-user.jpg) +![Figure 23: Deleting a User](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/delete-user.jpg) This will remove the user from the system along with all the permissions granted earlier. The user will no longer be able to log in to Devtron unless added again. \ No newline at end of file From bd9539a503518bf8f3390d547d7f483cd2efce36 Mon Sep 17 00:00:00 2001 From: Bharathvaj Date: Sat, 28 Jun 2025 09:10:58 +0530 Subject: [PATCH 13/14] Replaced a SS --- .../global-configurations/authorization/user-access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user-guide/global-configurations/authorization/user-access.md b/docs/user-guide/global-configurations/authorization/user-access.md index 600d04744..f9f8d17d1 100644 --- a/docs/user-guide/global-configurations/authorization/user-access.md +++ b/docs/user-guide/global-configurations/authorization/user-access.md 
@@ -62,7 +62,7 @@ Super-Admins have unrestricted access to all Devtron resources. They can create, ## Grant Specific Permissions -![Figure 8: Granting Specific Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/specific-permissions.jpg) +![Figure 8: Granting Specific Access](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/specific-permissions-1.jpg) ### Permission Groups From 7835c0de8c58aac82e1ee5a0f8325259ec57a42e Mon Sep 17 00:00:00 2001 From: Bharathvaj Date: Sun, 29 Jun 2025 14:38:04 +0530 Subject: [PATCH 14/14] Fixed Review Comments --- .../authorization/user-access.md | 20 ++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/docs/user-guide/global-configurations/authorization/user-access.md b/docs/user-guide/global-configurations/authorization/user-access.md index f9f8d17d1..971c943f7 100644 --- a/docs/user-guide/global-configurations/authorization/user-access.md +++ b/docs/user-guide/global-configurations/authorization/user-access.md @@ -345,8 +345,8 @@ A user who is an Access Manager can grant or change permissions for other existi | What's Allowed | What's Not Allowed | |:----|:------| -| Changing User B's **Manager** role to **View Only** role (Manager → View Only) |
  • Reverting to User B's **Manager** role (View Only → Manager)
  • Changing User B's **Manager** role to any other role, except for **View Only**
  • Performing operations beyond the base role (i.e., **Admin**)
  • Modifying Super-Admin permissions
| -| Perform the operations under the scope of **Manager** role across Devtron |
  • Manage user access for other users
  • Perform operations beyond the base role (i.e., **Manager**)
  • Modifying Super-Admin permissions
| +| **For User A:**
Changing User B's **Manager** role to **View Only** role (Manager → View Only) |
  • Reverting to User B's **Manager** role (View Only → Manager)
  • Changing User B's **Manager** role to any other role, except for **View Only**
  • Performing operations beyond the base role (i.e., **Admin**)
  • Modifying Super-Admin permissions
| +| **For User B:**
Perform the operations under the scope of **Manager** role across Devtron |
  • Manage user access for other users
  • Perform operations beyond the base role (i.e., **Manager**)
  • Modifying Super-Admin permissions
| {% hint style="info" %} @@ -356,8 +356,6 @@ If you need to grant someone global control over modifying the roles of other us {% endhint %} -The **Access Manager** toggle in the **Role** drop-down box is disabled by default. - When enabling the **Access Manager** toggle, make sure to select at least one permission from the checkboxes displayed beneath the toggle to ensure the role is active. The following permissions are currently available in the Access Manager role: 
@@ -372,15 +370,23 @@ The following permissions are currently available in the Access Manager role: * **Artifact promoter**: When selected, this permission allows the Access Manager to grant or revoke Artifact promoter access to other users. -The **Deployment approver** permission is not currently available within the **Access Manager** role. If you would like to see this permission included, we encourage you to [raise a feature request on GitHub](https://github.com/devtron-labs/devtron/issues). - #### Role and Scope | Role | View | Create | Edit | Delete | Build & Deploy | Approve Images | Approve Config Change | Approve Artifacts | Manage User Access | |-----------------------|:----:|:------:|:----:|:------:|:--------------:|:--------------:|:--------------:|:----------------:|:----------------:| | **Access Manager** | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ✅ | -The app-specific Access Manager role is currenly available only for Devtron Apps. If you would like to have this role for Helm apps, Jobs, Kubernetes Resources, or Chart Groups, please [Raise a Feature Request](https://github.com/devtron-labs/devtron/issues) on GitHub. +{% hint style="info" %} + +### Note + +[Raise a feature request on GitHub](https://github.com/devtron-labs/devtron/issues) if: + +* You would like to see the **Deployment approver** permission also within the **Access Manager** role. + +* You would like to have the app-specific **Access Manager** role (currently available only for Devtron Apps) for Helm apps, Jobs, Kubernetes Resources, or Chart Groups as well. + +{% endhint %} ---
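Review bot: typo in the added line of the `@@ -380,6 +380,8 @@` hunk of PATCH 01/14: "currenly" should be "currently". The same sentence is removed again by the `@@ -372,15 +370,23 @@` hunk of PATCH 14/14 in favour of the info hint, so the typo vanishes if the series is squashed, but it should not land in an intermediate commit either; fix it in 01/14.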
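Review bot: the figure hunks of PATCH 01/14 (`@@ -265`, `@@ -392`, `@@ -402`, `@@ -410`, `@@ -418`, `@@ -441`, `@@ -470`) move every screenshot from `.../user-permissions/...` to `.../user-access/...` and rename most of the files at the same time; please confirm each new S3 object is uploaded and publicly readable before merge, because a broken figure in the authorization guide is easy to miss in a text-only review and the old `user-permissions/` objects will presumably be cleaned up. The `@@ -470,6 +472,6 @@` hunk also leaves the file without a trailing newline (`\ No newline at end of file`); add one so subsequent diffs stay clean.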
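Review bot: missing documentation in the `@@ -402,7 +404,7 @@` hunk of PATCH 01/14: the **Inactive/Inactivate** bullet says a user with an ongoing session "will be logged out permanently on their next action or refresh", but it does not say whether the server rejects the deactivated user's requests immediately or only once the session is refreshed, nor whether every session of that user is affected. Deactivation is the control an administrator reaches for when revoking access, so stating exactly when the revocation takes effect would let readers verify it; for example, "the user's next request is rejected and they are returned to the login page".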
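Review bot: style point on the `@@ -62,7 +62,7 @@` hunk of PATCH 13/14: the replacement screenshot is named `specific-permissions-1.jpg`, which reads like an accidental duplicate rather than a deliberate new asset. If `specific-permissions.jpg` is being retired, reuse that name (or give the new file a descriptive one) so the asset folder does not accumulate numbered copies; the commit message "Replaced a SS" should also say which screenshot was replaced and why.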
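Review bot: in the `@@ -345,8 +345,8 @@` hunk of PATCH 14/14 the bullet verbs in the **What's Not Allowed** column mix forms: "Reverting", "Changing", "Performing", "Modifying" for User A but "Manage", "Perform", "Modifying" for User B. Pick one form per column (gerunds, matching the first row) so the two rows read as parallel. Adding the **For User A:** / **For User B:** labels is the right fix for the earlier ambiguity about whose permissions each row describes.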
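Review bot: the `@@ -356,8 +356,6 @@` hunk of PATCH 14/14 deletes "The **Access Manager** toggle in the **Role** drop-down box is disabled by default." without replacing it. That sentence was the only statement of the default, and documenting that a capability which lets a user grant access to others is off unless explicitly enabled is worth keeping next to the instruction that follows it ("When enabling the **Access Manager** toggle, make sure to select at least one permission..."). If the sentence was removed because the default changed, state the new default instead of leaving it unspecified.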
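Review bot: in the `@@ -372,15 +370,23 @@` hunk of PATCH 14/14 the new info hint folds both feature requests into one block, which is tidier, but it also drops the plain statement that the **Deployment approver** permission is not available in the **Access Manager** role; a reader of the permission bullets above now has to infer that gap from the hint's "You would like to see ... also within" wording. Keep a one-line "**Deployment approver** is not currently included in this role" next to the permission list and let the hint only point at the issue tracker. The hint's `### Note` heading and blank-line layout match the warning hint introduced in PATCH 01/14, so no change needed there.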