Restrict Deployment Access to Specific Environments

Updated 4 months ago by Michael Cretzman

By default, all Harness User Group members have full permissions on all Applications.

Using Harness RBAC functionality, you can restrict the deployments a User Group may perform to specific Harness Applications and their subordinate Environments.

Restricting a User Group's deployments to specific Environments enables you to manage which target infrastructures are impacted by your different teams. For example, you can have Dev environments only impacted by Dev teams, and QA environments only impacted by QA teams.

In this topic:

Before You Begin

Ensure you are familiar with the following Harness features:

Visual Summary

In the following image, you can see that the Application Permissions for a Harness User Group are set for a specific Application and three of its Environments:

Members of this User Group will have permission to execute Workflow and Pipeline deployments for those target Environments only.

Step 1: Create or Edit a User Group

Harness User Groups are managed in Security > Access Management > User Groups.

Open a User Group. You will edit its Application Permissions to restrict its members deployment permissions to specific Application Environments.

For steps on setting up a User Group, see Managing Users and Groups (RBAC).

Step 2: Set Application Permissions

By default, all Harness User Groups members have full permissions on all Applications.

In Application Permissions, click the pencil icon to edit the default permissions.

The Application Permission settings appear. Configure the following settings:

  1. In Permission Type, enable Deployments and any other permissions other than All Permission Types.
  2. In Application, select the Application(s) you want to grant deployment permissions for. Use the search feature if needed.
  3. In Filter, select the Environments in the Applications you selected. These are the Environments that you want to allow the User Group members to deploy to. Use the search feature if needed.
  4. In Action, select Read, Execute Workflow, and Execute Pipeline.

When you're done, the Application Permission will look something like this:

Now this User Group's members can only deploy to the Environments you selected.

Add and remove members as needed.

How did we do?