because I m an Admin in the slack org is it inferring granti Pulumi Community #general

Join Slack

because I’m an Admin in the slack org is it inferr...

# general

orange-tailor-85423

05/01/2019, 6:14 PM

because I’m an Admin in the slack org is it inferring/granting me something I can’t see?

white-balloon-205

05/01/2019, 7:30 PM

I expect you are an

Admin

in the organization, which gives you

ADMIN

permission for all stacks in the organization. See https://pulumi.io/reference/service/roles-and-access-controls.html#default-stack-permission for more details. Definitively interested in any feedback on the set of options you'd like for configuring these roles to fit your organization better. cc @colossal-beach-47527 and @clever-sunset-76585.

clever-sunset-76585

05/01/2019, 7:31 PM

(subscribe)

colossal-beach-47527

05/01/2019, 7:35 PM

Yeah, +1 to what Luke was saying. Would love your feedback here, especially were things are surprising. Members with the

ADMIN

role have full access to all stacks. But one thing that we don’t show in the UI (and will fix that soon), is that the person who created the stack may have permissions to modify it, even if the organization’s default stack settings don’t allow for it. i.e. if the organization allows members to create new stacks, but the default stack permission is

READ

, we still grant the person who created the stack read/write access. Otherwise being able to create a stack but not use it would be kind of lame. Like I said, that’s one of the finer details of our RBAC settings that we don’t show in the UI. But it will be fixed in the next week or so.

orange-tailor-85423

05/01/2019, 8:27 PM

ok cool - thanks for the feedback. I have some thoughts and will write up a brief Google doc

orange-tailor-85423

05/01/2019, 8:27 PM

kind of experience plus wishlist

orange-tailor-85423

05/01/2019, 10:08 PM

I mentioned this in a conversation with Cameron the other day and it dovetails a little bit with this. Naming of things

orange-tailor-85423

05/01/2019, 10:09 PM

Or I should say visualizing the naming of things. The stacks have absolute names but in the UI they can show up 3 different ways.

orange-tailor-85423

05/01/2019, 10:09 PM

orange-tailor-85423

05/01/2019, 10:10 PM

Also, it would be nice to ensure nobody but Admin and/or the defined group would have access to any stack created for x, y or z environments

orange-tailor-85423

05/01/2019, 10:10 PM

ex: https://app.pulumi.com/MINDBODY-Platform/teams/pulumi-stack-admins

orange-tailor-85423

05/01/2019, 10:11 PM

if any stack gets stood up in alpha, prod or staging - I want this set of permissions to apply

orange-tailor-85423

05/01/2019, 10:11 PM

as far as I can tell there is no dynamic permissioning - you have to explicitly add them

colossal-beach-47527

05/01/2019, 10:58 PM

The stacks have absolute names but in the UI they can show up 3 different ways.

Yeah, that’s a bug. It will be fixed sometime in the next few weeks. (Sorry about that :P)

it would be nice to ensure nobody but Admin and/or the defined group would have access to any stack created for x, y or z environments

Yeah. We’ll add a feature where you can (1) drill into an organization member and see what stack(s) they have access to, and how they were granted that access. And (2) from a stack, go backwards and see which teams and users have access to it. That should help determining that. (Again, should be fixed in a few weeks. Sorry we don’t have that right now.)

colossal-beach-47527

05/01/2019, 11:00 PM

as far as I can tell there is no dynamic permissioning - you have to explicitly add them

That is generally correct. To get access to a stack, you need to be explicitly added. e.g. that stack added to an existing Team, or you get added to a Team.

Open in Slack

Previous Next