Restrict Secrets Usage

Updated 1 week ago by Chakravarthy Tenneti

You can restrict the usage of secrets to Harness Delegates only, or to specific Harness User Groups. Restrictions are set up using the secret's Usage Scope together with the User Group's Application Permissions.

Review: Secret Scope

When creating secrets, it's important to understand their scope in your Harness account.

There are three areas in Harness where secrets are scoped:

  • Harness User Group Account Permission Manage Secrets:
    • Required to add secrets for Account-level settings (Cloud Providers, Connectors, etc.) and to any Application on which the user also has the Application Permissions Create, Read, and Update.
      If this permission is not enabled, the users within the User Group can view secrets only.
  • Harness User Group Application Permissions:
    • Add the Actions Create, Read, and Update for the Applications and Environments where users in the User Group may use secrets.
  • Secret Usage Scope: each secret has Usage Scope settings for Applications and Environments. For Encrypted Text and Encrypted File secrets you also have Scope to Account, so there are two options:
    • Scope to Account: allows the secret to be used in a Harness Delegate Profile only.
    • Applications and Environments: scopes usage to specific Applications and their Production and Non-Production Environments.

Since User Group permissions are the broadest method for controlling secret usage, set those permissions first.

A user can only create a secret according to the scope set by its Harness User Group Account and Application permissions.

For example, if you have access to Application A only, you can create a secret scoped to Application A.

If you have access to Application A and B, you may still narrow the secret's scope to Application A, B, or both.

If the scope of a secret is only Application A, then only users with Read permission for Application A can see that secret, and users with Update permission for Application A can edit it as well.

The following table explains the secret Usage Scope options and how they apply to Harness RBAC:

Usage Scope Scenario: Scope to Account is selected.
Result:
  • The secret can be used in a Harness Delegate Profile only.
  • The secret can be managed by members of User Groups with the Account Permission Manage Secrets enabled, or with the Application Permission All Permission Types and all items under Action.

Usage Scope Scenario: No Usage Scope (Scope to Account is not selected, and no Application and Environment are selected).
Result:
  • The secret can be used in a Harness Delegate Profile only.
  • The secret can be managed by members of User Groups with the Account Permission Manage Secrets enabled.

Usage Scope Scenario: A single Application and Environment are selected.
Result:
  • The secret can be used in that Application and Environment.
  • The secret cannot be used in a Harness Delegate Profile.
  • The secret can only be managed by the user that created it and by members of User Groups with the Account Permission Manage Secrets enabled.
  • If the Environment is deleted from your Harness Application, the secret reverts to No Usage Scope.

Usage Scope Scenario: Multiple or All Applications and Environments are selected.
Result:
  • The secret can be used in those Applications and Environments.
  • The secret cannot be used in a Harness Delegate Profile.
  • The secret can only be managed by the user that created it and by members of User Groups with the Account Permission Manage Secrets enabled.
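The rules above (who may create a secret with a given scope, where it may be used, who may see or edit it, and what happens when a scoped Environment is deleted) are easier to reason about as executable checks. The following is an added example, not Harness code and not part of this page: a small Python model of the decision logic described in this topic. The `User` and `UsageScope` classes, the `(app, env, action)` permission tuples and the "PROD"/"NON_PROD" labels are hypothetical simplifications for illustration; Harness itself evaluates these rules server-side.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set, Tuple

# Constructed model of the rules on this page; not Harness code. Harness applies
# these checks server-side; the classes, names and "PROD"/"NON_PROD" labels are
# hypothetical simplifications.
ACTIONS_TO_USE = frozenset({"Create", "Read", "Update"})
AppEnv = Tuple[str, str]  # (Application name, "PROD" or "NON_PROD")


@dataclass(frozen=True)
class UsageScope:
    """Usage Scope of an Encrypted Text or Encrypted File secret."""
    scoped_to_account: bool = False
    app_envs: FrozenSet[AppEnv] = frozenset()

    @property
    def is_empty(self) -> bool:
        # "No Usage Scope": neither Scope to Account nor any Application/Environment.
        return not self.scoped_to_account and not self.app_envs


@dataclass
class User:
    """Effective permissions a user inherits from their User Groups."""
    name: str
    manage_secrets: bool = False         # Account Permission: Manage Secrets
    all_app_permissions: bool = False    # Application Permissions: all types, all actions
    app_perms: Set[Tuple[str, str, str]] = field(default_factory=set)  # (app, env, action)

    def has(self, app: str, env: str, action: str) -> bool:
        return self.all_app_permissions or (app, env, action) in self.app_perms


def check_create_scope(user: User, scope: UsageScope) -> List[str]:
    """Reasons the user may NOT create a secret with this scope; [] means allowed."""
    errors = []
    if not user.manage_secrets:
        errors.append("Manage Secrets account permission is required to add secrets")
    for app, env in sorted(scope.app_envs):
        missing = sorted(a for a in ACTIONS_TO_USE if not user.has(app, env, a))
        if missing:
            errors.append(f"missing {missing} on {app}/{env}")
    return errors


def usable_in_delegate_profile(scope: UsageScope) -> bool:
    """Scope to Account, and No Usage Scope, are usable in Delegate Profiles only."""
    return scope.scoped_to_account or scope.is_empty


def usable_in(scope: UsageScope, app: str, env: str, user: User) -> bool:
    """Usable in app/env only if the scope includes that pair AND the user's
    User Group has Create, Read and Update there."""
    if usable_in_delegate_profile(scope):
        return False
    return (app, env) in scope.app_envs and all(user.has(app, env, a) for a in ACTIONS_TO_USE)


def can_manage(scope: UsageScope, user: User, is_creator: bool = False) -> bool:
    """Who may edit the secret, per the Usage Scope table."""
    if scope.scoped_to_account:
        return user.manage_secrets or user.all_app_permissions
    if scope.is_empty:
        return user.manage_secrets
    return is_creator or user.manage_secrets


def can_view(scope: UsageScope, user: User, is_creator: bool = False) -> bool:
    """Read on any scoped Application/Environment is enough to see the secret."""
    return can_manage(scope, user, is_creator) or any(
        user.has(app, env, "Read") for app, env in scope.app_envs)


def environment_deleted(scope: UsageScope, app: str, env: str) -> UsageScope:
    """Drop a deleted Environment. A secret scoped to that single pair reverts to
    No Usage Scope, and so becomes usable in Delegate Profiles."""
    return UsageScope(scope.scoped_to_account, scope.app_envs - {(app, env)})


if __name__ == "__main__":
    # Constructed sample users and secret scope.
    alice = User("alice", manage_secrets=True,
                 app_perms={("AppA", e, a) for e in ("PROD", "NON_PROD") for a in ACTIONS_TO_USE})
    bob = User("bob", app_perms={("AppA", "PROD", "Read")})
    prod_db = UsageScope(app_envs=frozenset({("AppA", "PROD")}))
    print(check_create_scope(alice, prod_db))
    print(check_create_scope(bob, prod_db))
    print(usable_in(prod_db, "AppA", "PROD", alice), usable_in(prod_db, "AppA", "PROD", bob))
    print(can_view(prod_db, bob), can_manage(prod_db, bob))
    print(usable_in_delegate_profile(environment_deleted(prod_db, "AppA", "PROD")))
```

The `environment_deleted` check is the one worth keeping in mind operationally: a secret that was deliberately narrowed to a single Application and Environment falls back to No Usage Scope when that Environment is removed, and No Usage Scope secrets are exactly the ones a Delegate Profile script can read. After deleting an Environment, review which secrets lost their scope and re-scope or delete them rather than leaving them reachable from Delegate Profiles.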

Option 1: Scope to Account

If your Harness User account is part of a User Group with the Manage Secrets Account Permission enabled, you will see the Scope to Account option in the Encrypted Text and File dialogs.

Select Scope to Account to make the Encrypted Text or Encrypted File secret available to Delegate Profile scripts only. Only secrets scoped to the account are available for use in Delegate Profiles.

For more information, see Managing Users and Groups (RBAC) and Delegate Profiles.

Option 2: Applications and Environments

You might want to restrict which Harness User Groups can use a secret. Restrictions are set up using the secret's Usage Scope and the User Group's Application Permissions.

For example, suppose the Usage Scope of a secret is limited to the ExampleForDoc Application, and a User Group's Application Permissions are also limited to ExampleForDoc.

This limits the User Group to using only that secret (assuming that no other secret's Usage Scope includes ExampleForDoc).

Remember that for a user to use the secret, the user's User Group must also have the Application Permissions Create, Read, and Update set for the same Applications and Environments (or for all Applications and Environments). Narrowing the secret's Usage Scope alone is not enough; both the Usage Scope and the User Group's Application Permissions must include the Application and Environment.

If you select the Scope to Account setting, the secret can be used in a Delegate Profile, as described in Using Secrets.
