Restrict Secrets Usage

Updated 1 month ago by Chakravarthy Tenneti

You can restrict the usage of secrets only to Delegates or to specific Harness User Groups. You can set up restrictions using the secret's Usage Scope and the User Group's Application Permissions.

Review: Secret Scope

When creating secrets, it's important to understand their scope in your Harness account.

A user can only create a secret according to the scope set by its Harness User permissions.

For example, if you have access to Application A only, you can create a secret scoped to Application A.

If you have access to Application A and B, you may still narrow the secret's scope to Application A, B, or both.

If the scope of a secret is only Application A, then only users with Read permission for Application A may see that secret. Users with Write permission to Application A may edit it also.

The following table explains the secret Usage Scope options and how they apply to Harness RBAC:

Scenario: Scope to Account is selected.

Result:

The secret can be used in a Harness Delegate Profile only.

The secret can be managed by members of User Groups with the following Account Permission enabled:

  • Administer Other Account Functions

Or the following Application Permission:

  • All Permission Types and all Actions

Scenario: No Usage Scope.

  • Scope to Account is not selected.
  • No Application and Environment are selected.

Result:

The secret can be used in a Harness Delegate Profile only.

The secret can be managed by members of User Groups with the following Account Permission enabled:

  • Administer Other Account Functions

Scenario: A single Application and Environment are selected.

Result:

The secret can be used in that Application and Environment.

The secret cannot be used in a Harness Delegate Profile.

The secret can only be managed by the user that created it, and members of User Groups with the following Account Permission enabled:

  • Administer Other Account Functions

If the Environment is deleted from your Harness Application, the secret reverts to No Usage Scope.

Scenario: Multiple or All Applications and Environments are selected.

Result:

The secret can be used in those Applications and Environments.

The secret cannot be used in a Harness Delegate Profile.

The secret can only be managed by the user that created it, and members of User Groups with the following Account Permission enabled:

  • Administer Other Account Functions

Option 1: Scope to Account

If your Harness User account is part of a User Group with the Administer Other Account Functions permission enabled, you will see the Scope to Account option in the Encrypted Text and File dialogs.

Select Scope to Account to make the secret available to Delegate Profile scripts only. Only secrets scoped to the account are available for use in Delegate Profiles.

For more information, see Managing Users and Groups (RBAC) and Delegate Profiles.

Option 2: Usage Scope

You might want to restrict which Harness User Groups can use a secret. Restrictions are set up using the secret's Usage Scope and the User Group's Application Permissions.

For example, in the following image, the Usage Scope of the secret is limited to the ExampleForDoc Application, and a User Group's Application Permissions are also limited to ExampleForDoc:

This limits the User Group to using only that secret (assuming that no other secrets' Usage Scopes include ExampleForDoc).

If you select the Scope to Account setting, the secret can be used in a Delegate Profile, as described in Using Secrets.
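The following is an added example, not Harness code or API: it models the rules in the Usage Scope table above and the Option 2 pairing of a secret's Usage Scope with a User Group's Application Permissions, so you can check which users can use or manage a given secret before granting access. The group, user and secret classes, the ALL_APPS marker and the sample data are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

ADMIN_ACCOUNT = "Administer Other Account Functions"   # Account Permission from the table
ALL_APPS = "*"   # hypothetical marker: Application Permission "All Permission Types and all Actions"

@dataclass
class UserGroup:
    name: str
    account_permissions: set = field(default_factory=set)
    apps: set = field(default_factory=set)   # Applications this group's Application Permissions cover

@dataclass
class User:
    name: str
    groups: list

@dataclass
class Secret:
    name: str
    created_by: str
    scope_to_account: bool = False
    usage_scope: set = field(default_factory=set)   # {(application, environment), ...}

def _groups_cover(user, app):
    # True when any of the user's groups has Application Permissions on app (or on all Applications)
    return any(ALL_APPS in g.apps or app in g.apps for g in user.groups)

def usable_in_delegate_profile(secret):
    # Only Scope to Account and No Usage Scope secrets are available to Delegate Profiles
    return not secret.usage_scope

def can_use(secret, user, app, env):
    # Both restrictions must allow it: the secret's Usage Scope includes the
    # Application/Environment, and the user's groups are permitted on that Application
    return (app, env) in secret.usage_scope and _groups_cover(user, app)

def can_manage(secret, user):
    is_admin = any(ADMIN_ACCOUNT in g.account_permissions for g in user.groups)
    if secret.usage_scope:          # one or more Application/Environment pairs selected
        return is_admin or user.name == secret.created_by
    if secret.scope_to_account:     # Scope to Account selected
        return is_admin or any(ALL_APPS in g.apps for g in user.groups)
    return is_admin                 # No Usage Scope

def on_environment_deleted(secret, app, env):
    # Per the table note: once its only Environment is deleted the secret reverts to
    # No Usage Scope, so from then on only account administrators can manage it
    secret.usage_scope.discard((app, env))
    return secret
```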
