Managing Users and Groups (RBAC)

Harness provides Role-Based Access Control (RBAC) via user and group permissions. User login access is managed at the user-level, and user account and application permissions are managed via groups.

Here is an overview of Harness RBAC.

Intended Audience

  • DevOps

Before You Begin

Default User Groups

Each Harness account includes default user groups to help you organize your users. The following table describes the default Harness user groups.

Default Group: Account Administrator

Account Permissions:

  • Create/Delete Application
  • Manage Users & Groups
  • Manage Account

Application Permissions:

  • All Permission Types
  • All Applications
  • Actions: create, read, update, delete, execute

Default Group: Production Support

Account Permissions: No Account Permissions

Application Permissions:

  • Pipelines: All Applications; Filters: Production Pipelines; Actions: create, read, update, delete
  • Services: All Applications; Filters: All Services; Actions: create, read, update, delete
  • Provisioners: All Applications; Filters: All Provisioners; Actions: create, read, update, delete
  • Environments: All Applications; Filters: Production Environments; Actions: create, read, update, delete
  • Workflows: All Applications; Filters: Workflow Templates, Production Workflows; Actions: create, read, update, delete
  • Deployments: All Applications; Filters: Production Environments; Actions: execute, read

Default Group: Non-Production Support

Account Permissions: No Account Permissions

Application Permissions:

  • Pipelines: All Applications; Filters: Non-Production Pipelines; Actions: create, read, update, delete
  • Services: All Applications; Filters: All Services; Actions: create, read, update, delete
  • Provisioners: All Applications; Filters: All Provisioners; Actions: create, read, update, delete
  • Environments: All Applications; Filters: Non-Production Environments; Actions: create, read, update, delete
  • Workflows: All Applications; Filters: Workflow Templates, Non-Production Workflows; Actions: create, read, update, delete
  • Deployments: All Applications; Filters: Non-Production Environments; Actions: execute, read

To add Users

The following procedure adds a new user to a Harness account.

To add a user, do the following:

  1. Mouse over Continuous Security, and click Users and Permissions. The Users and Permissions page appears.
  2. Expand Users and click Add User. The Add User dialog appears.
  3. Enter the email address(es) that the user will use to log into the Harness platform.
  4. If you have User Groups defined, select the User Groups for this user. You can add a user before they are verified. You can also add this user to a group from the group's Add Members dialog when you manage the group.
  5. Click SUBMIT. The user is added. The name shown for the user reads "user not registered".

    The user will receive a verification email at the address(es) you provided. When the user logs into Harness, the user creates a password, the email address is verified, and the user name is updated.
    You can reset the password in the user's information in Users.
To add a User Group

The following procedure creates a new user group and defines permissions for its users.

To add a user group, do the following:

  1. Mouse over Continuous Security, and click Users and Permissions. The Users and Permissions page appears.
  2. Create the User Group.
    1. Expand User Groups, and click Add User Group. The Add User Group dialog appears.
    2. Enter a name and description for the new user group, and click SUBMIT. The management page for the new group appears.
  3. Add users to a group.
    1. In Member Users, click Add Members. The Add Members dialog appears.
    2. Click the dropdown and select the members for the group, and then click SUBMIT. The Member Users section of the group page is updated with the new members.
  4. Set Account Permissions.
    1. In Account Permissions, enable one or more of the account permissions for this group. For most users, you will only enable the Create/Delete Application permissions. For more information, see Permissions.
  5. Add Application Permissions.
    1. Click Add Permissions. The Add Application Permission dialog appears.
    2. In Permission Type, select the permissions to apply to the group. These are the Harness components you want them to use. For example, if you click Services, you can filter which services to apply the permission to in Filter. For more information, see Permissions.
    3. In Application, select the applications to apply the permission to.
    4. In Filter, select the entities from the application you selected in Application that the group can use.
    5. In Action, click the action(s) the group may perform.
    6. Click SUBMIT. The Application Permissions section of the group page is updated.

Permissions

Account and Application Permissions are set on a group. Before setting these permissions, it's important to understand how they impact each other:

  • Account permissions affect the high-level permissions for the users in a group, such as the ability to add an application, manage users and groups, and manage their account.
  • Application permissions affect the low-level permissions for the users in a group, such as the ability to place Usage Scope on a secret that applies to a specific service.

For most users, you will want to apply Application permissions. Account permissions are primarily for administration.

Permissions Examples

A user might have the Account permission to add an application, but only the Application permission to add services:

Users in this group will be able to create applications and add services to them, but not add environments, workflows, and other entities.

Account Permissions

Account-level permissions are enabled in each User Group page, under Account Permissions.

Account permissions enable the following Harness features:

Account Permission: Create/Delete Application

User Can: Create and delete their own applications. For the group to add entities to the application, you must add Application Permissions.

Account Permission: Manage Users & Groups

User Can: Manage all users and groups.

Account Permission: Manage Account

User Can:

  • Account settings: Add Account settings, such as Connectors and Cloud Providers, but the group must have the necessary Application Permissions.
  • Secrets Management: Add secrets for any applications on which the user has the necessary Application Permissions.
  • Access Management: Single Sign-On (SSO), IP Whitelist, API Keys, set up and enforce Two Factor Authentication, and enforce password strength.

Application Permissions

Application permissions enable the user to perform any activity at the application level, including applying Secrets Management and Account settings to specific applications and environments via Usage Settings.

Restricting Usage

You can restrict who can apply settings such as Secrets Management and Account settings to specific application entities. These are set up in the Usage Scope section of the setting's dialog. For example, here is the Usage Scope section of an Artifact Server dialog:

In this case, the user can add an Artifact Server that may be used by the ExampleApp application, and whatever environment the user selects.

For a user to use Usage Scope, the user must belong to a group that has read and update Application permissions for the application and entities on which the restrictions are placed.

  1. In Usage Scope, click the drop-down under Applications, and click the name of the application.
  2. In Environments, click the name of the environment.
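
The following is an added example, not Harness code or its API: a small local model of the Account and Application permission fields described on this page, used to check the group from Permissions Examples and the read-and-update rule for Usage Scope. The group name `Service Builders`, the class and function names, the actions assumed for that group, and the treatment of a filter as a label matched by name are assumptions.

```python
from dataclasses import dataclass, field

ALL = frozenset({"*"})  # stands for "All Applications" / "All ..." filters
CRUD = frozenset({"create", "read", "update", "delete"})

@dataclass(frozen=True)
class AppPermission:
    # Fields mirror the Add Application Permission dialog described above.
    ptype: str
    applications: frozenset
    filters: frozenset
    actions: frozenset

@dataclass
class Group:
    name: str
    account_permissions: frozenset = frozenset()
    app_permissions: list = field(default_factory=list)

def can_create_application(group):
    return "Create/Delete Application" in group.account_permissions

def allows(group, ptype, application, entity_filter, action):
    """True if one application permission covers type, app, filter and action."""
    return any(
        p.ptype == ptype
        and (p.applications == ALL or application in p.applications)
        and (p.filters == ALL or entity_filter in p.filters)
        and action in p.actions
        for p in group.app_permissions)

def can_set_usage_scope(group, ptype, application, entity_filter):
    # The page requires both read and update on the application and entity.
    return all(allows(group, ptype, application, entity_filter, a)
               for a in ("read", "update"))

# Hypothetical group from "Permissions Examples": may create applications,
# but holds Application permissions on Services only (actions assumed).
SERVICE_BUILDERS = Group("Service Builders",
    frozenset({"Create/Delete Application"}),
    [AppPermission("Services", ALL, ALL, CRUD)])

# Default "Production Support" group (Provisioners and Workflows rows omitted).
PROD = frozenset({"Production Environments"})
PRODUCTION_SUPPORT = Group("Production Support", frozenset(), [
    AppPermission("Pipelines", ALL, frozenset({"Production Pipelines"}), CRUD),
    AppPermission("Services", ALL, ALL, CRUD),
    AppPermission("Environments", ALL, PROD, CRUD),
    AppPermission("Deployments", ALL, PROD, frozenset({"execute", "read"}))])
```

`allows(PRODUCTION_SUPPORT, "Deployments", "ExampleApp", "Non-Production Environments", "execute")` returns `False`, because that group's Deployments permission is filtered to Production Environments.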

