Harness Key Concepts

Quick Start Setup Guide

Checklist Builder

What's Harness?

How Does Harness Work?

Tour Harness Manager

Harness Architecture

Supported Technologies

Delegate Installation and Management

Delegate Connection Requirements

Delegate Server Requirements

Common Delegate Profile Scripts

Using the Helm Delegate

Connectors Overview

Add Artifact Servers

Add Cloud Providers

Add Source Repo Providers

Add Verification Providers

Add Collaboration Providers

User Notifications and Alert Settings

Harness Editions

Migrating to Harness Community

Add Application Stacks

Use Templates

Using Tags

Deployments Overview

AMI Deployments Overview

AMI Basic Deployment

AMI Canary Deployment

AMI Blue/Green Deployment

AMI Spotinst Elastigroup Deployment

ECS Deployments Overview

1 - Harness ECS Delegate

2 - ECS Connectors and Providers Setup

3 - ECS Services

4 - ECS Environments

5 - ECS Workflows

6 - ECS Blue/Green Workflows

7 - ECS Setup in YAML

8 - ECS Troubleshooting

Lambda Deployment Overview

1 - Delegate and Connectors for Lambda

2 - Services for Lambda

3 - Lambda Environments

4 - Lambda Workflows and Deployments

5 - Verifications and Troubleshooting

Build and Deploy Pipelines Overview

1 - Harness Account Setup

2 - Service and Artifact Source

3 - Build Workflow

4 - Environment

5 - Deploy Workflow

6 - Artifact Build and Deploy Pipelines

7 - Triggers

Azure Deployments Overview

1 - Harness Account Setup for Azure

2 - Service and Azure Artifact Source

3 - Azure Environment

4 - Azure Workflows and Deployments

5 - Azure Troubleshooting

Helm Deployments Overview

1 - Delegate, Providers, and Helm Setup

2 - Helm Services

3 - Helm Environments

4 - Helm Workflows and Deployments

5 - Helm Troubleshooting

IIS (.NET) Deployment Overview

1 - Delegate and Connectors for IIS

2 - Services for IIS (.NET)

3 - IIS Environments in AWS and Azure

4 - IIS Workflows and Pipelines

5 - Best Practices and Troubleshooting

Kubernetes Deployments Overview

1 - Harness Kubernetes Delegate

2 - Connectors and Providers Setup

3 - Kubernetes Services

4 - Kubernetes Environments

5 - Kubernetes Canary Workflows

6 - Kubernetes Blue/Green Workflows

7 - Kubernetes Rolling Update Workflows

8 - Kubernetes Workflow Commands

9 - Workflow Variable Expressions

10 - Traffic Management

11 - Versioning and Annotations

12 - Ingress Rules

13 - Troubleshooting Kubernetes

14 - Harness Kubernetes V2 Changes

Pivotal Cloud Foundry Overview

1 - Delegate and Connectors for PCF

2 - Services for PCF

3 - PCF Environments

4 - PCF Workflows and Deployments

Traditional Deployments Overview

1 - Delegate, Providers, and Connectors Setup

2 - Services for App Packages

3 - App Stacks and Default Variables

4 - Commands and Scripts

5 - Environments for Traditional Deployments

6 - Traditional Workflows and Deployments

Application Components

Services

Custom Artifact Source

Service Types and Artifact Sources

Add a Docker Artifact Source

Environments

Infrastructure Definitions

Migrating from Service Infrastructures to Infrastructure Definitions

Service Infrastructures

Workflows

Using the HTTP Command

Using the Shell Script Command

Using the Jenkins Command

Jira Integration

ServiceNow Integration

Passing Variables into Workflows and Pipelines from Triggers

Resource Restrictions

Workflow Queuing

Using the Terraform Apply Command

Pipelines

Pipeline Skip Conditions

Infrastructure Provisioners Overview

Terraform Provisioner

Shell Script Provisioner

CloudFormation Provisioner

Triggers

Approvals

JSON and XML Functors

Variables and Expressions in Harness

Configuration as Code

Harness YAML Code Reference

Harness GitOps

CV Summary and Provider Support

24/7 Service Guard Overview

Set Up 24/7 Service Guard

AppDynamics Verification Overview

1 - AppDynamics Connection Setup

2 - 24/7 Service Guard for AppDynamics

3 - Verify Deployments with AppDynamics

Bugsnag Verification Overview

1 - Bugsnag Connection Setup

2 - 24/7 Service Guard for Bugsnag

3 - Verify Deployments with Bugsnag

CloudWatch Verification Overview

1 - CloudWatch Connection Setup

2 - 24/7 Service Guard for CloudWatch

3 - Verify Deployments with CloudWatch

Datadog Verification Overview

1 - Datadog Connection Setup

2 - 24/7 Service Guard for Datadog

3 - Verify Deployments with Datadog

Dynatrace Verification Overview

1 - Dynatrace Connection Setup

2 - 24/7 Service Guard for Dynatrace

3 - Verify Deployments with Dynatrace

Elasticsearch Verification Overview

1 - Elasticsearch Connection Setup

2 - 24/7 Service Guard for Elasticsearch

3 - Verify Deployments with Elasticsearch

4 - Troubleshooting Elasticsearch

New Relic Verification Overview

1 - New Relic Connection Setup

2 - 24/7 Service Guard for New Relic

3 - New Relic Deployment Marker

4 - Verify Deployments with New Relic

5 - Troubleshooting New Relic

Prometheus Verification Overview

1 - Prometheus Connection Setup

2 - 24/7 Service Guard for Prometheus

3 - Verify Deployments with Prometheus

Splunk Verification Overview

1 - Splunk Connection Setup

2 - 24/7 Service Guard for Splunk

3 - Verify Deployments with Splunk

Stackdriver Verification Overview

1- Stackdriver Connection Setup

2 - 24/7 Service Guard for Stackdriver

3 - Verify Deployments with Stackdriver

Sumo Logic Verification Overview

1 - Sumo Logic Connection Setup

2 - 24/7 Service Guard for Sumo Logic

3 - Verify Deployments with Sumo Logic

Custom Verification Overview

1 - Custom Verification Connection Setup

2 - Verify Deployments with Custom APMs

3 - Datadog as a Custom APM

File Jira Tickets on Verification Events

CV Strategies, Tuning, and Best Practices

Harness Verification Feedback Overview

Verification Event Classifications

Refine 24/7 Service Guard Verification Analysis

Refine Deployment Verification Analysis

Managing Users and Groups (RBAC)

Authentication Settings

SSO Provider Overview

Single Sign-On (SSO) with OAuth 2.0

Single Sign-On (SSO) with LDAP

Single Sign-On (SSO) with SAML

Two Factor Authentication

Secrets Management

Deployment Freeze

IP Whitelist Management

API Keys

Audit Trail

Pipeline Governance

Main and Services Dashboards

Custom Dashboards

Harness API

Harness On-Prem Release Notes

On-Prem Overview

Kubernetes Connected On-Prem Setup

Docker Connected On-Prem Setup

Harness Disconnected On-Prem Setup

OpenShift Connected On-Prem Setup

Connected On-Prem Disaster Recovery Strategy (3 Node Architecture)

Connected On-Prem Backup and Restore Strategy

Harness Troubleshooting

Harness Kubernetes v1 FAQ

Customer Case Studies

Overview of Harness

Canary Deployment Video

Create an Application and Service Video

Create an Environment Video

Create a Workflow Video

Create a Pipeline Video

Create a Trigger Video

All Categories > Security > Managing Users and Groups (RBAC)

Managing Users and Groups (RBAC)

Intended Audience
Related Topics
Default User Groups
To Add Users
To Add a User Group
Permissions

Harness provides Role-Based Access Control (RBAC) via user and group permissions. Users' login access is managed at the user level, and users' account and application permissions are managed via groups.

Here is an overview of Harness RBAC.

Intended Audience

DevOps

Default User Groups

Each Harness account includes default User Groups to help you organize your users. The following table describes the default Harness User Groups.

Default Group	Account Permissions	Application Permissions
Account Administrator	Create/Delete Application Manage Users & Groups Manage Template Library Administer Other Account Functions	All Permission Types All Applications Actions: create, read, update, delete, execute
Production Support	No Account Permissions	Pipelines: All Applications; Filters: Production Pipelines; Actions: create, read, update, delete Services: All Applications; Filters: All Services; Actions: create, read, update, delete Provisioners: All Applications; Filters: All Provisioners; Actions: create, read, update, delete Environments: All Applications; Filters: Production Environments; Actions: create, read, update, delete Workflows: All Applications; Filters: Workflow Templates, Production Workflows; Actions: create, read, update, delete Deployments: All Applications; Filters: Production Environments; Actions: execute, read
Non-Production Support	No Account Permissions	Pipelines: All Applications; Filters: Non-Production Pipelines; Actions: create, read, update, delete Services: All Applications; Filters: All Services; Actions: create, read, update, delete Provisioners: All Applications; Filters: All Provisioners; Actions: create, read, update, delete Environments: All Applications; Filters: Non-Production Environments; Actions: create, read, update, delete Workflows: All Applications; Filters: Workflow Templates, Non-Production Workflows; Actions: create, read, update, delete Deployments: All Applications; Filters: Non-Production Environments; Actions: execute, read

To Add Users

The following procedure adds a new user to a Harness account.

To add a user, do the following:

Mouseover Continuous Security, and click Access Management.
Click Users. The Users page appears.
Click Add User. The Add User dialog appears.
Enter the email address(es) that user will use to log into the Harness platform.
If you have User Groups defined, select the User Groups for this user. You can add a user before they are verified. You can also add this user to a group from the group's Add Members dialog when you manage the group.
Click SUBMIT. The user is added. The name provided for the user says user not registered.
The user will receive a verification email at the address(es) you provided. When the user logs into Harness, the user creates a password, the email address is verified, and the user name is updated.
You can reset the password in the user's information in Users.

To Add a User Group

The following procedure creates a new User Group and defines permissions for its users:

Mouseover Continuous Security, and click Access Management.
Click User Groups. The User Groups page appears.
Create the User Group.
1. Click Add User Group. The Add User Group dialog appears.
2. Enter a name and description for the new User Group, and click SUBMIT. The management page for the new group appears.
Add users to the group.
1. Click Member Users. The Add Members dialog appears.
2. Click in the text area and select the members for the group, and then click SUBMIT. The Member Users section of the group page is updated with the new members.
Set Account Permissions.
1. In Account Permissions, enable one or more of the account permissions for this group. For most users, you will enable only the Create/Delete Application permissions. For more information, see Permissions.
Add Application Permissions.
1. Click Add Permissions. The Add Application Permission dialog appears.
1. In Permission Type, select the permissions to apply to the group. These are the Harness components you want the group's members to use. For example, if you click Services, you can then use the Filter field to select the services on which the permission will apply. (For details, see Permissions below.)
2. In Application, select the applications where the permission will apply.
3. In Filter, select the entities (within the applications you selected in Application) that the group can use.
4. In Action, select the action(s) you want to authorize the group to perform.
5. Click SUBMIT. The User Groups page's Application Permissions section is updated.

Permissions

Both sets of Permissions—Account Permissions and Application Permissions—are set on each group. Before setting these permissions, it's important to understand how they interact with each other:

Account permissions affect the high-level permissions for the users in a group, such as the ability to add an application, manage users and groups, and manage their account.
Application permissions affect the low-level permissions for the users in a group, such as the ability to place Usage Scope on a secret that applies to a specific service.

For most users, you will want to apply Application permissions. Account permissions are primarily for administration.

Permissions Example

A user group might have the Account permission to add an application, but only the Application permission to add services:

Users in this group will be able to create applications and add Services to them, but not will not be able to add Environments, Workflows, or other Application components.

Account Permissions

Account-level permissions are enabled in each User Group page, under Account Permissions.

Account permissions enable the following Harness features:

Account Permission	Details
Create/Delete Application	Create and delete their own Applications. For the group to add entities to the Application, you must add Application Permissions.
Read Users and Groups	Read-only permission for the Users and User Groups in Access Management.
Manage Users and Groups	Manage all user and groups.
Manage Template Library	Add, edit, and remove templates from the Template Library. See Use Templates.
Administer Other Account Functions	Application settings: Add/edit Application Defaults. Account settings: Add Account settings, such as Connectors and Cloud Providers, but the group must have the necessary Application Permissions. Secrets Management: Add secrets for any Applications on which the user has the necessary Application Permissions. Secrets in Delegate Profiles: If you have Administer Other Account Functions enabled, you can use the Scope to Account feature of encrypted text and files secrets, and use those secrets in Delegate Profiles for usernames, passwords, etc. See Using Secrets in a Profile. Access Management: Configure Single Sign-On (SSO), IP Whitelist, and API Keys; set up and enforce Two Factor Authentication, and enforce password strength.
View Audit Trail	View the Audit Trail events. See Audit Trail.
Manage Tags	Create and delete Tags (key/value pairs) that can be attached to Application components; impose Allowed Values restrictions on Tags. See Using Tags.

Application Permissions

Application permissions enable you to perform any activity on an Application level. This includes applying Secrets Management and some Account settings to specific Applications and Environments, via Usage Scope. It also includes adding and modifying Tags on Application components.

Restricting Usage

You can restrict who can apply settings—such as Secrets Management and some Account settings—to specific Application entities. These are set up in the Usage Scope section of the corresponding setting's dialog. For example, here is the Usage Scope section of an Artifact Server dialog:

In this case, the Artifact Server may be used by the ExampleApp Application in both K8s-GCP and dev Environments.

For a User to modify Usage Scope, the User must belong to a Group that has read and update Application permissions for the Application and components on which the restrictions are placed.

In Usage Scope, click the drop-down under Applications, and click the name of the Application.
In Environments, click the name of the Environment.

Managing Users and Groups (RBAC)

Intended Audience

Related Topics

Default User Groups

To Add Users

To Add a User Group

Permissions

Permissions Example

Account Permissions

Application Permissions

Restricting Usage

How did we do?

Related Articles 5 - Troubleshooting New Relic Single Sign-On (SSO) with OAuth 2.0 User Notifications and Alert Settings

Contact

Related Articles

5 - Troubleshooting New Relic

Single Sign-On (SSO) with OAuth 2.0

User Notifications and Alert Settings