Role-based and relationship-based access control
This example outlines current access controls for Admin, Editor, and Viewer roles across Organization, Project, Application, and Environment resources. Permissions are enforced through calls to an Open Policy Agent (OPA) server, which serves as the Policy Decision Point (PDP) located within the same Kubernetes cluster as the application. Policy updates are orchestrated through an Open Policy Administration Layer (OPAL), and the application handles policy enforcement.
```mermaid
---
config:
  theme: default
  themeVariables:
    noteBkgColor: white
    noteBorderColor: gray
---
sequenceDiagram
    participant A as Policy Admin (OPAL)
    participant D as Policy Decision (OPA)
    participant E as Policy Enforcement (Application)
    A->>D: Policy updates
    Note over D, E: Local requests
    E->>D: Checks permissions
    Note right of E: User input
```
Note - this page is rendered via Go, and the policies below are checked each time the page renders.
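The enforcement path in the diagram, as an added example that is not code from this page or its project: a Go Policy Enforcement Point posts a `{"input": ...}` document to OPA's Data API and treats anything other than an explicit `{"result": true}` as a denial, so an undefined rule, a non-200 status or a malformed reply all fail closed. The input field names, the `authz/allow` policy path and the role assignments in the stand-in server are assumptions constructed to reproduce the page's results for fred@initialcapacity.io; they are not the page's real policy data.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Input is the document the application sends to OPA for a decision.
// Field names are an assumption; the page does not show the real input schema.
type Input struct {
	Subject  string `json:"subject"`  // e.g. fred@initialcapacity.io
	Action   string `json:"action"`   // "<type>.<verb>", e.g. project.update
	Resource string `json:"resource"` // "<Type>:<id>", as listed on the page
}

type opaRequest struct {
	Input Input `json:"input"`
}

// opaResponse matches OPA's Data API reply {"result": ...}. When the rule is
// undefined OPA answers {} and Result stays false, so the PEP denies by default.
type opaResponse struct {
	Result bool `json:"result"`
}

// Allowed is the Policy Enforcement Point. It queries OPA's Data API
// (POST /v1/data/<package>/<rule>) and fails closed on transport, HTTP-status
// or decoding errors. The policy path authz/allow is an assumption.
func Allowed(client *http.Client, opaURL string, in Input) (bool, error) {
	body, err := json.Marshal(opaRequest{Input: in})
	if err != nil {
		return false, err
	}
	resp, err := client.Post(opaURL+"/v1/data/authz/allow", "application/json", bytes.NewReader(body))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("opa returned HTTP %d", resp.StatusCode)
	}
	var out opaResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return false, err
	}
	return out.Result, nil
}

// NewFakeOPA stands in for the OPA server so the example runs offline. Its
// role assignments are constructed to reproduce the page's results for fred;
// they are not the page's own policy data.
func NewFakeOPA() *httptest.Server {
	roles := map[string]map[string]string{ // subject -> resource -> role
		"fred@initialcapacity.io": {
			"Organization:16af5c5e-e6aa-4cd8-a9d0-6541d03c1581": "Viewer",
			"Project:f5e5338c-b5f3-4768-823c-15863c443010":      "Editor",
			"Application:a903d2be-55e7-4703-9525-a7f92075bf62":  "Admin",
		},
	}
	grants := map[string][]string{ // role -> verbs it may perform
		"Viewer": {"read"},
		"Editor": {"read", "update"},
		"Admin":  {"create", "read", "update", "delete"},
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req opaRequest
		if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&req) != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		in := req.Input
		resType, _, _ := strings.Cut(in.Resource, ":")
		actType, verb, _ := strings.Cut(in.Action, ".")
		allow := false
		// The action's type prefix must match the resource type, so a grant on a
		// Project can never satisfy an organization.* action. An unknown subject
		// or resource yields an empty role and therefore no grants.
		if strings.EqualFold(resType, actType) {
			for _, v := range grants[roles[in.Subject][in.Resource]] {
				if v == verb {
					allow = true
				}
			}
		}
		_ = json.NewEncoder(w).Encode(opaResponse{Result: allow})
	}))
}

func main() {
	srv := NewFakeOPA()
	defer srv.Close()
	fred := "fred@initialcapacity.io"
	for _, c := range []Input{
		{fred, "organization.read", "Organization:16af5c5e-e6aa-4cd8-a9d0-6541d03c1581"},
		{fred, "project.update", "Project:f5e5338c-b5f3-4768-823c-15863c443010"},
		{fred, "project.delete", "Project:f5e5338c-b5f3-4768-823c-15863c443010"},
		{fred, "project.read", "Project:97819b8e-411e-4702-ad30-d75bf00031cb"},
	} {
		ok, err := Allowed(srv.Client(), srv.URL, c)
		fmt.Printf("%s on %s: permitted=%v err=%v\n", c.Action, c.Resource, ok, err)
	}
}
```

The design point is that the application never reimplements the policy: it sends subject, action and resource and takes a boolean back, so role changes pushed by OPAL reach every enforcement point through OPA alone. Against a real OPA the `NewFakeOPA` server is simply replaced by the cluster-local OPA URL.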
fred@initialcapacity.io has the following permissions for the resource -
Organization:16af5c5e-e6aa-4cd8-a9d0-6541d03c1581
- organization.create not permitted
- organization.delete not permitted
- organization.read permitted
- organization.update not permitted
fred@initialcapacity.io has the following permissions for the resource -
Project:f5e5338c-b5f3-4768-823c-15863c443010
- project.create not permitted
- project.delete not permitted
- project.read permitted
- project.update permitted
fred@initialcapacity.io has the following permissions for the resource -
Application:a903d2be-55e7-4703-9525-a7f92075bf62
- application.create permitted
- application.delete permitted
- application.read permitted
- application.update permitted
fred@initialcapacity.io has the following permissions for the resource -
Environment:fdd20547-40ec-43b9-bf41-03f39c5a2421
- environment.create permitted
- environment.delete permitted
- environment.read permitted
- environment.update permitted
fred@initialcapacity.io has the following permissions for the resource -
IdentityProvider:0e4d2072-b303-4fae-a755-46ee6a931082
- identityprovider.create permitted
- identityprovider.delete permitted
- identityprovider.read permitted
- identityprovider.update permitted
fred@initialcapacity.io has the following permissions for the resource -
Project:97819b8e-411e-4702-ad30-d75bf00031cb
- project.create not permitted
- project.delete not permitted
- project.read not permitted
- project.update not permitted
fred@initialcapacity.io has the following permissions for the resource -
IdentityProvider:dc17acb6-d7a8-46f1-8fdb-c8488fce21ce
- identityprovider.create not permitted
- identityprovider.delete not permitted
- identityprovider.read not permitted
- identityprovider.update not permitted