Partial RBAC in a pack. #6037
I didn't use RBAC for a long time and don't remember, but according to the docs https://docs.stackstorm.com/rbac.html#user-permissions
you indeed can't have a "blocklist" of permissions, only "whitelist", as I understand. @StackStorm/tsc and @StackStorm/contributors Any ideas from those who use RBAC?
Sorry, did not mean to close! I agree with @armab. You will need to list all the actions with the abilities you want and leave out the action you do not want access to. We have used RBAC in a few installations and it errs on the side of being very explicit. Which is good if that's what you want, but can definitely be cumbersome. A potentially easier fix that we have done is to move the actions that you want more restricted to a different pack with other restricted actions. You can even use the pack dependencies to include the original pack and check for it during install.
So, I understand that StackStorm does not have a 'blocklist' and that it is hard to give a permission and later take it away. I've been doing some trial and error to find the most feasible way to achieve it but couldn't test out @bishopbm1's suggestion to have a separate pack of secured actions. Are there any risks or conflicts in having multiple actions from all different packs to live in a single @stackstorm/contributors @bishopbm1, also, could you tell me more about here? Is it also able to use lib files from the original pack?
Documentation about it would be great as well! Thanks a lot.
Can't you, instead of giving contributors access to the whole pack, give access only to the specific actions within the pack and leave out the delete action?
That would work very well. However, I was concerned about a case where a pack has, for example, 99 accessible actions and 1 restricted action. It would be quite dirty to give the same permission to all 99 actions, IMO.
Hi team, I was wondering if there is such a feature in the current RBAC system and, if not, I wanted to see what the correct workflow should be to achieve the goal.
Suppose I have a pack. Admin has full access to the pack and observer can only view the pack. There is a role between observer and admin (let's call it the 'contributor'). Contributor has most of the access in the pack but still needs to be restricted from 1 action, which is to delete an app. As an admin, I don't want a contributor to purposefully or accidentally delete it, but still give the contributor access to the majority of the actions in the pack.
In the current document, I don't see a way to negate access that's already given in a simple manner. Is this possible?
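
An added example, not part of the original thread or StackStorm's own code: because roles only allowlist, one way to avoid hand-writing the "99 grants" is to generate the role definition and audit it for any grant that would reach the restricted action. The pack, action and role names are constructed; the grant layout and the pack-level inheritance of action permissions are assumptions based on the RBAC documentation linked in the thread.

```python
PACK = "myapp"                 # hypothetical pack name
RESTRICTED = {"delete_app"}    # hypothetical action to withhold
# Constructed sample; in practice enumerate the pack's registered actions.
ACTIONS = ["create_app", "delete_app", "list_apps", "restart_app"]
# Assumption: these types, granted on a pack, are inherited by its actions.
INHERITING = {"action_execute", "action_all"}


def build_role(name, pack, actions, restricted):
    """Allowlist every action in the pack except the restricted ones."""
    grants = [{"resource_uid": f"pack:{pack}",
               "permission_types": ["pack_view", "action_view"]}]
    for action in sorted(set(actions) - set(restricted)):
        grants.append({"resource_uid": f"action:{pack}:{action}",
                       "permission_types": ["action_execute"]})
    return {"name": name, "description": f"All of {pack} except restricted actions",
            "enabled": True, "permission_grants": grants}


def audit_role(role, pack, restricted):
    """Return grants that would let the role execute a restricted action."""
    risky = {f"pack:{pack}"} | {f"action:{pack}:{a}" for a in restricted}
    findings = []
    for grant in role["permission_grants"]:
        hit = INHERITING & set(grant["permission_types"])
        if grant["resource_uid"] in risky and hit:
            findings.append((grant["resource_uid"], sorted(hit)))
    return findings


def to_yaml(role):
    """Render the role in the YAML layout used for role definition files."""
    lines = ["---", f'name: "{role["name"]}"',
             f'description: "{role["description"]}"',
             f'enabled: {str(role["enabled"]).lower()}', "permission_grants:"]
    for grant in role["permission_grants"]:
        lines.append(f'  - resource_uid: "{grant["resource_uid"]}"')
        lines.append("    permission_types:")
        lines += [f'      - "{p}"' for p in grant["permission_types"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    role = build_role("contributor", PACK, ACTIONS, RESTRICTED)
    assert audit_role(role, PACK, RESTRICTED) == []  # refuse to emit a leaky role
    print(to_yaml(role))
```

Re-running the generator whenever the pack gains an action keeps the allowlist current, and running `audit_role` over existing role files catches a pack-wide execute grant added later.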