Restrict Deployment Access to Specific Environments
By default, all Harness User Group members have full permissions on all Applications.
Using Harness RBAC functionality, you can restrict the deployments a User Group may perform to specific Harness Applications and their subordinate Environments.
Restricting a User Group's deployments to specific Environments enables you to manage which target infrastructures are impacted by your different teams. For example, you can have Dev environments only impacted by Dev teams, and QA environments only impacted by QA teams.
In this topic:
- Before You Begin
- Visual Summary
- Step 1: Create or Edit a User Group
- Step 2: Set Application Permissions
Before You Begin
Ensure you are familiar with the following Harness features:
In the following image, you can see that the Application Permissions for a Harness User Group are set for a specific Application and three of its Environments:
Members of this User Group will have permission to execute Workflow and Pipeline deployments for those target Environments only.
Step 1: Create or Edit a User Group
Harness User Groups are managed in Security > Access Management > User Groups.
Open a User Group. You will edit its Application Permissions to restrict its members deployment permissions to specific Application Environments.
For steps on setting up a User Group, see Managing Users and Groups (RBAC).
Step 2: Set Application Permissions
By default, all Harness User Groups members have full permissions on all Applications.
In Application Permissions, click the pencil icon to edit the default permissions.
The Application Permission settings appear. Configure the following settings:
- In Permission Type, enable Deployments and any other permissions other than All Permission Types.
- In Application, select the Application(s) you want to grant deployment permissions for. Use the search feature if needed.
- In Filter, select the Environments in the Applications you selected. These are the Environments that you want to allow the User Group members to deploy to. Use the search feature if needed.
- In Action, select Read, Execute Workflow, and Execute Pipeline.
When you're done, the Application Permission will look something like this:
Now this User Group's members can only deploy to the Environments you selected.
Add and remove members as needed.