Restrict Secrets Usage

Updated 1 month ago by Chakravarthy Tenneti

You can restrict the usage of secrets to Delegates only or to specific Harness User Groups. You set up these restrictions using the secret's Usage Scope and the User Group's Application Permissions.

Before You Begin

Review: Secret Scope

When creating secrets, it's important to understand their scope in your Harness account.

A user can create a secret only within the scope allowed by their Harness User permissions.

For example, if you have access to Application A only, you can create a secret scoped to Application A.

If you have access to Application A and B, you may still narrow the secret's scope to Application A only.

If the scope of a secret is only Application A, then only users with Read permission for Application A may see that secret. Users with Write permission to Application A may also edit it.

Option 1: Scope to Account

If your Harness User account is part of a User Group with the Administer Other Account Functions permission enabled, you will see the Scope to Account option in the Encrypted Text and File dialogs.

Select Scope to Account to make this encrypted file secret available to Delegate Profile scripts only. Only secrets scoped to the account are available to use in Delegate Profiles.

For more information, see Managing Users and Groups (RBAC) and Delegate Profiles.

Option 2: Usage Scope

You might want to restrict which Harness User Groups can use a secret. Restrictions are set up using the secret's Usage Scope and the User Group's Application Permissions.

For example, suppose the Usage Scope of the secret is limited to the ExampleForDoc Application, and a User Group's Application Permissions are also limited to ExampleForDoc.

This limits the User Group to using only that secret (assuming that no other secrets' Usage Scopes include ExampleForDoc).

If you select the Scope to Account setting, the secret can be used in a Delegate Profile, as described in Using Secrets.
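
The caveat above (another secret whose Usage Scope also includes the Application) is easy to miss in a large account. The following added example is not Harness code and calls no Harness API: it is a simplified model of the rules stated on this page, run over a constructed inventory, that lists every secret a User Group can reach beyond what was intended. All class, function, secret and group names are assumptions; only ExampleForDoc comes from the page.

```python
from dataclasses import dataclass

@dataclass
class Secret:
    name: str
    usage_scope: frozenset = frozenset()   # Applications in the Usage Scope
    scope_to_account: bool = False         # "Scope to Account" selected

@dataclass
class UserGroup:
    name: str
    app_permissions: dict                  # Application -> {"read"} or {"read", "write"}

def access(group, secret):
    """Return 'edit', 'view' or None for one group/secret pair."""
    if secret.scope_to_account:
        return None                        # available to Delegate Profile scripts only
    perms = set()
    for app in secret.usage_scope & set(group.app_permissions):
        perms |= group.app_permissions[app]
    if "write" in perms:
        return "edit"
    return "view" if "read" in perms else None

def delegate_profile_secrets(secrets):
    """Names of secrets usable in Delegate Profiles (account-scoped only)."""
    return sorted(s.name for s in secrets if s.scope_to_account)

def unexpected_reach(groups, secrets, intended):
    """(group, secret, access) triples not covered by the intended mapping."""
    findings = []
    for g in groups:
        for s in secrets:
            level = access(g, s)
            if level and s.name not in intended.get(g.name, set()):
                findings.append((g.name, s.name, level))
    return sorted(findings)

# Constructed inventory for illustration.
SECRETS = [
    Secret("doc-api-token", frozenset({"ExampleForDoc"})),
    Secret("shared-db-password", frozenset({"ExampleForDoc", "Billing"})),
    Secret("delegate-bootstrap-key", scope_to_account=True),
]
GROUPS = [
    UserGroup("doc-writers", {"ExampleForDoc": {"read", "write"}}),
    UserGroup("billing-viewers", {"Billing": {"read"}}),
]
INTENDED = {"doc-writers": {"doc-api-token"}, "billing-viewers": {"shared-db-password"}}

if __name__ == "__main__":
    for finding in unexpected_reach(GROUPS, SECRETS, INTENDED):
        print("unexpected:", finding)
    print("delegate profile only:", delegate_profile_secrets(SECRETS))
```

Here the doc-writers group was meant to reach only doc-api-token, but shared-db-password also lists ExampleForDoc in its Usage Scope, so it is reported.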
