RBAC for CDE - Role-Based Access Control
Harness CDE provides granular role-based access control (RBAC) for all CDE resources. RBAC allows you to control who can view, access, and modify resources across different scopes. By defining roles and resource groups, you can ensure that only authorized users can take actions on CDE resources, adding an extra layer of security and compliance.
This document introduces the core RBAC concepts for CDE and explains how to configure RBAC for CDE users. For a deeper overview of Harness RBAC, go to Harness RBAC Configuration Guide.
To assign roles, you must have administrative privileges at the Account level (i.e., Account Admin role).
Harness RBAC Components
Harness CDEs utilize Platform Hierarchy and RBAC to provide fine-grained control over CDE resources. There are three key components for Harness RBAC:
- Principals – Entities that take action within the system. (e.g., users, user groups, etc.)
- Resource Groups – Define which objects can be acted upon (e.g., gitspaces, infrastructure providers).
- Roles – Define what actions can be taken on those objects (e.g., view, create, edit, delete).
Principals: User Groups & Users
In Harness CDE, principals refer to entities that take action in the system — namely, User Groups and Users. You assign permissions and access to CDE resources via roles and resource groups applied to these principals.
Permissions define what actions a principal can take. Access defines which objects they can act on.
To learn more about users, go to Manage Users. To learn more about user groups, go to Manage User Groups.
Resource Groups
A resource group is a collection of Harness resources a principal can access. These are scope-specific, and can be created at the Account, Organization, or Project level.
For example, a group created at the project level will only be available within that project. Resource groups are always assigned alongside roles.
- Roles = define actions (permissions)
- Resource Groups = define scope (access)
To understand more about resource groups, go to Manage Resource Groups.
Resource Group Scope
Each group also includes Resource Scope options that control sub-level access. For example, a group created at the Org level can provide access to:
- All projects within that Org
- Or only selected projects
To learn more about the resource scope options, go to Scopes and Refinement.
Roles
Roles are sets of permissions that allow or restrict specific operations on resources. They are applied along with resource groups to create effective RBAC policies.
Harness CDE offers predefined roles, and you can also create custom roles to enforce fine-grained access control. Roles are scope-specific and can be created at any scope.
To learn more about roles, go to Manage Roles.
CDE Resources & Permissions
CDE resources can be managed and configured using granular RBAC. Each resource has its own specific set of permissions that can be assigned to roles. When roles are combined with resource groups, they define the access levels and permissions that users have within CDE.
CDE RBAC supports two resources:
- Gitspaces - Created at the Project scope.
- Infrastructure Providers - Configured at the Account scope.
Resources
| Resource | Permissions | Account Scope | Org Scope | Project Scope | Notes |
|---|---|---|---|---|---|
| Gitspaces |
| ✅ | ✅ | ✅ | Created at project scope; managed across all scopes. |
| Infrastructure Providers |
| ✅ | ✅ | ✅ | Configured at account scope; accessible across all scopes. |
Permission Details
| Permission | Description |
|---|---|
| View | Allow users read-only access to resources. |
| Create/Edit | Allow users to configure, create or edit resources. |
| Delete | Allow users to delete resources. |
| Execute | Allow users to execute Gitspaces (use them). |
CDE Roles
Harness CDE provides three built-in roles specifically designed for CDE resources and use cases. These roles come preconfigured with certain permissions on CDE resources. Below is a detailed explanation of each role.
CDE Admin
This role should be assigned to users who require full control over CDE resources. It is an admin role that grants administrative access to all CDE resources. The following permissions are included:
| Resource | Permissions |
|---|---|
| Gitspaces | View, Create/Edit, Delete, Execute |
| Infrastructure Providers | View, Edit, Delete |
CDE Creator
This role should be assigned to users who need create access for Gitspaces only. It is a Creator role and applies exclusively to the Gitspaces resource. The following permissions are included:
| Resource | Permissions |
|---|---|
| Gitspaces | Create |
CDE User
This role should be assigned to users who should not have create access to CDE resources. The following permissions are included:
| Resource | Permissions |
|---|---|
| Gitspaces | View, Edit, Delete, Execute |
| Infrastructure Providers | View |
RBAC Workflow
Follow these steps to configure RBAC in Harness CDE:
- Go to your administrative settings and select the scope (Account, Organization, or Project) where you want to configure RBAC for CDE resources.
- Create custom roles with the required permissions, or use the default CDE roles.
- Create resource groups to define the CDE resources and scope for the principals.
- Create user groups and add users to them.
- Perform role binding: Assign roles and resource groups to users or user groups.
CDE RBAC Example
Here’s an example of configuring RBAC for CDE resources:
- Create a custom resource group, select Gitspaces as the resource type, and choose the appropriate scope.
- Create a user group and add all relevant users to it.
- Assign the CDE User role to the user group, and bind it to the resource group created in step 1.