Harness Key Concepts

Harness Products and Editions

Get Started with Cloud Cost Management

Harness Self-Managed Enterprise Edition Overview

New Docs Added Recently

Built-in App Tour Guide for Freemium Accounts

Tour Harness Manager

Supported Platforms and Technologies

View Account Info and Subscribe to Downtime Alerts

AWS AMI Quickstart

AWS CodeDeploy Quickstart

AWS ECS Quickstart

AWS Lambda Quickstart

Helm Quickstart

IIS (.NET) Quickstart

Kubernetes Quickstart

Tanzu Application Service (TAS) Quickstart

Traditional (SSH) Quickstart

Harness Delegate Overview

Delegate Requirements and Limitations

Delegate Installation Overview

Install the Harness Shell Script Delegate

Install the Harness Kubernetes Delegate

Install the Harness ECS Delegate

Install the Harness Helm Delegate

Install the Harness Docker Delegate

Approve or Reject Harness Delegates

Run Scripts on Delegates using Profiles

Use Secrets in a Delegate Profile

Delegate Task Category Mapping

Select Delegates with Selectors

Scope Delegates to Harness Components and Commands

Install the AWS CLI on a Delegate

Target Delegates to Specific Namespaces

Automate Harness Kubernetes Delegate Setup

Use Custom Helm Binaries on Harness Delegates

Add Self-Signed Certificates for Delegate Connections

Configure Delegate Proxy Settings

Update OpenShift CLI Binaries on Harness Delegates

Truststore Override for Delegates

Secure Delegates with Tokens

Connectors Overview

Add Cloud Providers

Add Kubernetes Cluster Cloud Provider

Add Google Cloud Platform Cloud Provider

Add Amazon Web Services (AWS) Cloud Provider

Add Microsoft Azure Cloud Provider

Add Tanzu Application Service (TAS) Cloud Provider

Add Physical Data Center as Cloud Provider

Add SpotInst Cloud Provider

Add Rancher Cloud Providers

Add Artifact Servers

Add Docker Registry Artifact Servers

Add Helm Repository Artifact Servers

Add AWS S3 and Google Cloud Storage Artifact Servers

Add Azure DevOps Artifact Servers

Add Jenkins Artifact Servers

Add Bamboo Artifact Servers

Add Nexus Artifact Servers

Add Artifactory Servers

Add Samba Server Artifact Servers

Add SFTP Artifact Servers

Add Source Repo Providers

Add a GitHub Repo

Add a Bitbucket Repo

Add a GitLab Repo

Add a CodeCommit Repo

Add an Azure DevOps Repo

Add Collaboration Providers

Add SMTP Collaboration Provider

Add Jira Collaboration Provider

Add ServiceNow Collaboration Provider

Add Verification Providers

Manage User Notifications

Send Notifications Using Slack

Send Slack Messages from Workflows

Send Notifications to Microsoft Teams

Manage Alert Notifications

Migrate to Harness Community

Add Application Stacks

Create an HTTP Workflow Step Template

Create a Shell Script Workflow Step Template

Create a Service Command Template

Add Service Command Templates into Command Units

Link Templates to Services and Workflows

Manage Tags

Apply Filters Using Tags

Assign Metadata Using Tags

Use Expressions in Workflow and Pipeline Tags

Deployments Overview

Filtering Deployments

View the Delegates Used in a Deployment

Export Deployment Logs

Restrict Deployment Access to Specific Environments

Deploy a Workflow to Multiple Infrastructures Simultaneously

Resume Pipeline Deployments

Deployment Logging Limitations

Publish Pipeline Events to an HTTP Endpoint

Publish Workflow Events to an HTTP Endpoint

CloudFormation How-tos

Set Up Your Harness Account for CloudFormation

Add CloudFormation Templates

Map CloudFormation Infrastructure

Provision using CloudFormation Create Stack

Using CloudFormation Outputs in Workflow Steps

Remove Provisioned Infra with CloudFormation Delete Stack

Set Amazon SDK Default Backoff Strategy Params for CloudFormation

AMI/ASG Deployments How-tos

AMI Basic Deployment

Create an AMI/ASG Canary Deployment

AMI Blue/Green Deployment

AMI Spotinst Elastigroup Deployment

Configure Spotinst Traffic Shift Verification

ECS Deployments Overview

1 - Harness ECS Delegate

2 - ECS Connectors and Providers Setup

3 - ECS Services

4 - ECS Environments

5 - ECS Basic and Canary Workflows

6 - ECS Blue/Green Workflows

7 - ECS Setup in YAML

8 - ECS Troubleshooting

Deploy Multiple ECS Sidecar Containers

Run an ECS Task

Use Remote ECS Task and Service Definitions in Git Repos

AWS Lambda How-tos

AWS Lambda Deployment Overview

Connect to AWS for Lambda Deployments

Add Lambda Functions

Define Your Lambda Target Infrastructure

Create a Basic Lambda Deployment

View Lambda Deployments in the Serverless Functions Dashboard

Azure Virtual Machine Scale Set Deployments Overview

Connect to Azure for VMSS Deployments

Add Your Azure VM Image for Deployment

Define Your Azure VMSS Target Infrastructure

Create an Azure VMSS Basic Deployment

Create an Azure VMSS Canary Deployment

Create an Azure VMSS Blue/Green Deployment

Azure VMSS Versioning and Naming

Azure Web App Deployments Overview

Connect to Azure and Artifact Repo for Your Web App Deployments

Add Your Docker Image for Azure Web App Deployment

Add Non-Containerized Artifacts for Azure Web App Deployment

Define Your Azure Web App Infrastructure

Create an Azure Web App Blue/Green Deployment

Create an Azure Web App Canary Deployment

Azure Web App Deployment Rollback

Azure ACR to AKS Deployments Overview

1 - Harness Account Setup for Azure ACR to AKS

2 - Harness Service Setup for Azure ACR and AKS

3 - Define Your AKS Target Infrastructure

4 - Azure ACR to AKS Workflows and Deployments

5 - Azure ACR to AKS Troubleshooting

Azure Resource Management (ARM) How-tos

Set Up Your Harness Account for Azure ARM

Add Azure ARM Templates to Harness

Provision and Deploy to ARM Provisioned Infrastructure

Provision Resources using a Harness ARM Infrastructure Provisioner

Use Azure ARM Template Outputs in Workflow Steps

Azure ARM Rollbacks

Azure Blueprint How-tos

Set Up Your Harness Account for Azure Blueprint

Add Azure Blueprints to Harness

Provision using Azure Blueprint Definitions

Build and Deploy Pipeline How-tos

Connect to Your Artifact Build and Deploy Pipeline Platforms

Add Your Build and Deploy Pipeline Artifacts

Create the Build Workflow for Build and Deploy Pipelines

Define Your Build and Deploy Pipeline Target Infrastructure

Create the Deploy Workflow for Build and Deploy Pipelines

Create the Build and Deploy Pipeline

Run Google Cloud Builds

Helm Native Deployment Guide Overview

1 - Delegate, Providers, and Helm Setup

2 - Helm Services

3 - Helm Environments

4 - Helm Workflows and Deployments

5 - Helm Troubleshooting

Upgrade Native Helm 2 Deployments to Helm 3

Custom Fetching and Preprocessing of Helm Charts

IIS (.NET) Deployment Overview

1 - Delegate and Connectors for IIS

2 - Services for IIS

3 - IIS Environments in AWS and Azure

4 - IIS Workflows and Pipelines

5 - Best Practices and Troubleshooting

Kubernetes How-tos

Connect to Your Target Kubernetes Platform

Add Container Images for Kubernetes Deployments

Pull an Image from a Private Registry for Kubernetes

Define or Add Kubernetes Manifests

Use Go Templating in Kubernetes Manifests

Adding and Editing Inline Kubernetes Manifest Files

Upload Kubernetes Resource Files

Use a Helm Repository with Kubernetes

Link Resource Files or Helm Charts in Git Repos

Using Harness Config Variables in Manifests

Use Harness Config Files in Manifests

Override Values YAML Files

Override Harness Kubernetes Service Settings

Override Variables at the Infrastructure Definition Level

Add Packaged Kubernetes Manifests

Ignore a Manifest File During Deployment

Define Your Kubernetes Target Infrastructure

Provision Kubernetes Infrastructures

Select Kubernetes Namespaces based on InfraMapping

Create Kubernetes Namespaces with Workflow Variables

Create a Kubernetes Canary Deployment

Create a Kubernetes Rolling Deployment

Create a Kubernetes Blue/Green Deployment

Deploy Manifests Separately using Apply Step

Deploy Helm Charts

Deploy Kubernetes Custom Resources using CRDs

Set Up Kubernetes Traffic Splitting with Istio

Traffic Splitting Without Istio

Set up Kubernetes Ingress Rules

Scale Kubernetes Pods

Run Kubernetes Jobs

Use Kustomize for Kubernetes Deployments

Delete Kubernetes Resources

Prune Kubernetes Resources

Kubernetes Workflow Variables and Expressions

Using OpenShift with Harness Kubernetes

Upgrade to Helm 3 Charts in Kubernetes Services

Use Helm Chart Hooks in Kubernetes Deployments

Deploy Services to Multiple Kubernetes Clusters Simultaneously using Rancher

Skip Harness Label Selector Tracking on Kubernetes Deployments

Tanzu Application Service Deployments

Connect to Your Target Tanzu Account

Add Container Images for Tanzu Deployments

Adding and Editing Inline Tanzu Manifest Files

Upload Local and Remote Tanzu Resource Files

Using Harness Config Variables in Tanzu Manifests

Tanzu App Naming

Override Tanzu Manifests and Config Variables and Files

Add Packaged Tanzu Manifests

Define Your Tanzu Target Infrastructure

Create a Basic Tanzu Deployment

Create a Canary Tanzu Deployment

Create a Blue/Green Tanzu Deployment

Run CF CLI Commands and Scripts in a Workflow

Tanzu Built-in Variables

Use CLI Plugins in Harness Tanzu Deployments

Use the App Autoscaler Service

Preprocess Tanzu Artifacts to Match Supported Types

Install Cloud Foundry CLI Versions on the Harness Delegate

Terraform How-tos

Set Up Your Harness Account for Terraform

Add Terraform Scripts

Map Dynamically Provisioned Infrastructure using Terraform

Provision using the Terraform Provision Step

Using the Terraform Apply Command

Perform a Terraform Dry Run

Remove Provisioned Infra with Terraform Destroy

Use Terraform Outputs in Workflow Steps

Terragrunt How-tos

Set Up Your Harness Account for Terragrunt

Add Terragrunt Configuration Files

Map Dynamically Provisioned Infrastructure using Terragrunt

Provision using the Terragrunt Provision Step

Perform a Terragrunt Dry Run

Remove Provisioned Infra with Terragrunt Destroy

Use Terragrunt Outputs in Workflow Steps

Traditional (SSH) Deployments How-tos

Connect to Your Repos and Target SSH Platforms

Add Artifacts and App Stacks for Traditional (SSH) Deployments

Add Scripts for Traditional (SSH) Deployments

Define Your Traditional (SSH) Target Infrastructure

Create a Basic Workflow for Traditional (SSH) Deployments

Create a Custom Deployment using Deployment Templates

Create an Application

Create Default Application Directories and Variables

Add Specs and Artifacts using a Harness Service

Use Script Based Services

Add Service Config Variables

Add Service Config Files

Using Custom Artifact Sources

Service Types and Artifact Sources

Add a Docker Image

Add an Azure DevOps Artifact Source

Add an Environment

Add an Infrastructure Definition

Migrating from Service Infrastructures to Infrastructure Definitions

Service Infrastructures (Note: Replaced Functionality)

Override a Service Configuration in an Environment

Create Environment-level Variables and Files for All Services

Workflows

Add a Workflow

Deploy Individual Workflows

Verify Workflow

Add a Workflow Notification Strategy

Define Workflow Failure Strategy

Set Workflow Variables

Use Steps for Different Workflow Tasks

Add Phases to a Workflow

Synchronize Workflow Deployments using Barriers

Templatize a Workflow

Clone a Workflow

Configure Workflows Using YAML

Using the HTTP Command

Run Shell Scripts in Workflows

Run Jenkins Jobs in Workflows

Jira Integration

ServiceNow Integration

Control Resource Usage

Workflow Queuing

Target Specific Hosts During Deployment

Skip Workflow Steps

Rollback Deployments

Select Nodes in a Rolling Deployment Workflow

Workflow Steps UI Changes

Integrate Tests into Harness Workflows

Deploy Multiple Services Simultaneously using Barriers

Send an Email from Your Workflow

Create a Pipeline

Create Pipeline Templates

Pipeline Skip Conditions

Shell Script Provisioner

Infrastructure Provisioners Overview

Provision Infrastructure Without Deploying to It

Trigger Workflows and Pipelines

Trigger Deployments When a New Artifact is Added to a Repo

Trigger Deployments when Pipelines Complete

Schedule Deployments using Triggers

Trigger Deployments using Git Events

Trigger a Deployment using cURL

Get Deployment Status using REST

Trigger a Deployment when a File Changes

Trigger a Deployment using a URL

Pause All Triggers using Deployment Freeze

Harness UI Approvals

Jira Approvals

Custom Shell Script Approvals

ServiceNow Approvals

Using Variables in Workflow Approvals

Slack Approvals in Workflows and Pipelines

Passing Variables into Workflows and Pipelines from Triggers

Pass Variables between Workflows

Harness Git Integration Overview

Onboard Teams Using Git

CCM Trial New User Signup (formerly CE)

CCM Trial Existing User Signup (formerly CE)

Set Up Cost Visibility for Kubernetes

Set Up Cost Visibility for Kubernetes Using an Existing Delegate

Set Up Cost Visibility for AWS

Set Up Cost Visibility for GCP

Set Up Cost Visibility for Azure

Analyze Cost for Kubernetes

Analyze Cost for AWS

Analyze Cost for GCP

Analyze Cost for Azure

Perform Root Cost Analysis

Create Cost Perspectives

Share Your Cost Perspective Report

Create Your Perspectives Budget

Create a Budget

Optimize Kubernetes Costs with Resource Recommendations

Detect Cloud Cost Anomalies with CCM (formerly CE)

Set Up Notifications for Cost Anomalies

Enable Cost Reports Using Email

Set Up Slack Notifications for CCM (formerly CE)

Use Cost Explorer APIs

Use Workload Recommendation APIs

Set Up 24/7 Service Guard

Apply Custom Thresholds to 24/7 Service Guard

Add AppDynamics as a Verification Provider

Monitor Applications 24/7 with AppDynamics

Verify Deployments with AppDynamics

Templatize AppDynamics Verification

Set AppDynamics Environment Variables

Connect to Bugsnag

Monitor Applications 24/7 with Bugsnag

Verify Deployments with Bugsnag

Connect to CloudWatch

Monitor Applications 24/7 with CloudWatch

Verify Deployments with CloudWatch

Connect to Datadog

Monitor Applications 24/7 with Datadog Logging

Monitor Applications 24/7 with Datadog Metrics

Verify Deployments with Datadog Logging

Verify Deployments with Datadog Metrics

Connect to Dynatrace

Monitor Applications 24/7 with Dynatrace

Verify Deployments with Dynatrace

Connect to Elasticsearch (ELK)

Monitor Applications 24/7 with Elasticsearch

Verify Deployments with Elasticsearch

Troubleshoot Verification with Elasticsearch

Connect to Logz.io

Verify Deployments with Logz.io

Connect to New Relic

Monitor Applications 24/7 with New Relic

New Relic Deployment Marker

Verify Deployments with New Relic

Troubleshooting New Relic

Connect to Prometheus

Monitor Applications 24/7 with Prometheus

Verify Deployments with Prometheus

Connect to Splunk

Monitor Applications 24/7 with Splunk

Verify Deployments with Splunk

Connect to Stackdriver

Monitor Applications 24/7 with Stackdriver Logging

Monitor Applications 24/7 with Stackdriver Metrics

Verify Deployments with Stackdriver Logging

Verify Deployments with Stackdriver Metrics

Connect to Sumo Logic

Monitor Applications 24/7 with Sumo Logic

Verify Deployments with Sumo Logic

1 – Instana Connection Setup

2 – 24/7 Service Guard for Instana

3 – Verify Deployments with Instana

Custom Verification Overview

Connect to Custom Verification for Custom Logs

Connect to Custom Verification for Custom Metrics

Monitor Applications 24/7 with Custom Logs

Monitor Applications 24/7 with Custom Metrics

Verify Deployments with Custom Logs

Verify Deployments with Custom Metrics

Connect to Datadog as a Custom APM

Verify Deployments with Datadog as a Custom APM

Connect to AppDynamics as a Custom APM

Verify Deployments with AppDynamics as a Custom APM

File Jira Tickets on Verification Events

Apply Custom Thresholds to Deployment Verification

Refine 24/7 Service Guard Verification Analysis

Refine Deployment Verification Analysis

Configuration as Code Overview

Harness Account-Level Git Sync

Harness Application-Level Git Sync

Edit Harness Components as YAML

Delink Git Sync

Config-As-Code Using REST APIs

View Harness Git Sync Activity

Managing Users and Groups (RBAC)

Set Up RBAC for Application Release Process

Authentication Settings

SSO Provider Overview

Single Sign-On (SSO) with OAuth 2.0

Single Sign-On (SSO) with LDAP

Single Sign-On (SSO) with SAML

Provisioning Users with Okta (SCIM)

Provision Users and Groups with OneLogin (SCIM)

Provision Azure AD Users and Groups (SCIM)

Two-Factor Authentication

IP Whitelist Management

API Keys

Restrict Access to Your Account

Add a Secrets Manager

View Secrets Usage

Add a CyberArk Secrets Manager

Add an AWS KMS Secrets Manager

Add an AWS Secrets Manager

Add an Azure Key Vault Secrets Manager

Add Google KMS as a Harness Secrets Manager

Add a Google Cloud Secrets Manager

Add a HashiCorp Vault Secrets Manager

Use Encrypted Text Secrets

Use Encrypted File Secrets

Add SSH Keys

Use SSH Key via Kerberos for Server Authentication

Add HashiCorp Vault Signed SSH Certificate Keys

Add WinRM Connection Credentials

Create WinRM Connection Using Kerberos

Scope Secret Managers to Applications and Environments

Restrict Secrets Usage

Reference Existing Secret Manager Secrets

Migrate Secrets between Secrets Managers

Add and Use a Custom Secrets Manager

Select Secrets in Scripts at Runtime

Audit Trail

Deployment Freeze

Pipeline Governance

Monitor Deployments in Dashboards

Custom Dashboards Overview

Primary Widgets

Custom Widgets

Filters, Groups, and Tags in Primary and Custom Widgets

Completed Custom Dashboards

Create and Manage Custom Dashboards

Add and Configure Primary Widgets

Add and Configure Custom Widgets

Share a Custom Dashboard

Harness Self-Managed Enterprise Edition - Kubernetes Cluster: Infrastructure Requirements

Harness Self-Managed Enterprise Edition - Kubernetes Cluster Setup

Harness Self-Managed Enterprise Edition - Kubernetes Cluster: Add Ingress Controller Service Annotations

Harness Self-Managed Enterprise Edition Support Policy for Kubernetes

Harness Self-Managed Enterprise Edition - Virtual Machine: Infrastructure Requirements

Harness Self-Managed Enterprise Edition - Virtual Machine: Installation Guide

Harness Self-Managed Enterprise Edition - Virtual Machine: Backup and Recovery

Harness Self-Managed Enterprise Edition Component Metrics for Scaling and Management

Monitor Harness Self-Managed Enterprise Edition

Introduction to Harness GraphQL API

Harness API Explorer

API Schema and Structure

Building Applications Using Postman

Trigger Workflows or Pipelines Using GraphQL API

Filter Harness Entities using Harness Tags in the API

Fetch Artifact Source Details Using GraphQL APIs

Use Cloud Providers API

Use Harness Applications API

Use Services API

Use Workflows API

Use Infrastructure Definition API

Use Pipelines API

Use Approvals API

Resume Pipeline Executions using API

Use Trigger APIs

Fetch Artifact Type Details Using GraphQL APIs

Fetch Deployment Artifact Information using GraphQL APIs

Sync and Clean Up Artifact Stream using the Harness API

Use Users and Groups API

Use Audit Trails API

Use API to Retrieve IDs by Name

Encrypted Text API

Encrypted Files API

SSH Credentials API

WinRM Credentials API

Add Git Connectors Using API

Add a Docker Artifact Source Using API

Add a Nexus Artifact Source Using API

Add a Helm Artifact Source Using the API

Fetch Users By Email Address

Use HashiCorp Vault Secrets Manager API

Deprecated API Features

Leverage Harness GraphQL APIs in Automation Scripts

Harness StartExecution API Deep Dive

Use Tags API

Deploy Helm Charts Using the API

Use Custom Secrets Manager API

Publish Pipeline Events to an HTTP Endpoint using the API

Manage API Keys using the Harness API

Use Metrics Collection API for Custom Dashboards

Use Deployment Freeze API

Harness YAML Code Reference

Recent YAML Schema Changes

What is a Harness Variable Expression?

Built-in Variables List

Availability and Scope of Harness Variables

Variable Override Priority

JSON and XML Functors

Extracting Characters from Harness Variable Expressions

Variable Expression Limitations and Restrictions

Serverless Functions Dashboard

Harness Search

Permissions and Ports for Harness Connections

Common Delegate Profile Scripts

Whitelist Harness Domains and IPs

Install Workflow Step

Workflow, Phase, and Step Name Restrictions

Select Nodes Workflow Step

Artifact Collection Tech Ref

Artifactory Artifact Sources

Nexus Artifact Sources

Harness Services Technical Reference

Kubernetes Versioning and Annotations

ECS Auto Scaling

What Can I Deploy in Kubernetes?

ECS Rollbacks

Kubernetes Rollback

Verification Event Classifications

Secrets and Log Sanitization

Troubleshooting

Diagnose Git Sync Errors

Deployment Concepts and Strategies

CI/CD with the Build Workflow

Artifact Build and Deploy Pipelines Overview

AWS AMI Deployments Overview

AMI Spotinst Elastigroup Deployments Overview

AWS ECS Deployments Overview

AWS Lambda Deployments Overview

Azure ARM and Blueprint Provisioning with Harness

Azure Kubernetes Service (AKS) Deployments Overview

Native Helm Deployments Overview

IIS (.NET) Deployments Overview

Kubernetes Deployments Overview

Tanzu Application Service Deployment Overview

Terraform Provisioning with Harness

Terragrunt Provisioning with Harness

CloudFormation Provisioning with Harness

Shell Script Provisioning with Harness

Account and Application Templates

Harness HashiCorp Integrations

Traditional Deployments (SSH) Overview

Triggers and RBAC

Cloud Cost Management Overview

Cost Explorer Walkthrough

What Is Continuous Verification (CV)?

Why Perform Continuous Verification?

When Does Harness Verify Deployments?

How Does Harness Perform Continuous Verification?

Who Are Harness' Verification Providers?

Verification Results Overview

Harness Verification Feedback Overview

24/7 Service Guard Overview

CV Strategies, Tuning, and Best Practices

Continuous Verification Metric Types

AppDynamics Verification Overview

Bugsnag Verification Overview

CloudWatch Verification Overview

Datadog Verification Overview

Dynatrace Verification Overview

Elasticsearch Verification Overview

Instana Verification Overview

Google Operations (formerly Stackdriver) Overview

New Relic Verification Overview

Prometheus Verification Overview

Splunk Verification Overview

Sumo Logic Verification Overview

Drone and Harness

What is Secrets Management?

Continuous Deployment FAQs

Cloud Cost Management FAQs

Continuous Verification FAQs

Harness Security FAQs

Harness GraphQL API FAQs

Harness Delegate FAQs

Harness Self-Managed Enterprise Edition Release Notes

Harness SaaS Release Notes

Harness Self-Managed Enterprise Edition Release Notes 2021

Harness SaaS Release Notes 2021

2019-2020 Harness Self-Managed Enterprise Edition Release Notes

Harness SaaS Release Notes Archive (2020)

Harness YouTube Channel

Customer Case Studies

Overview of Harness

Canary Deployment Video

Create an Application and Service Video

Create an Environment Video

Create a Workflow Video

Create a Pipeline Video

Create a Trigger Video

Overview of Continuous Efficiency

Cost Explorer Overview

All Categories > How-to Guides > Security > Access Management > Managing Users and Groups (RBAC)

Managing Users and Groups (RBAC)

Updated 1 month ago by Chakravarthy Tenneti

Harness provides Role-Based Access Control (RBAC) via User and User Group Account and Application permissions.

Users' login access is managed at the user level, and users' account and application permissions are managed via User Groups.

In this topic:

Visual Summary
Default User Groups
To Add Users
To Add a User Group
Permissions Overview
- Permissions Are Additive
- Permissions Example
Account Permissions
Application Permissions
Permissions and Configure as Code
Related Topics

Visual Summary

Here is an overview of Harness RBAC. It shows how a user is authenticated via its User settings and authorized via its User Group Account and Application Permissions.

Default User Groups

Each Harness account includes default User Groups to help you organize your users. The following table describes the default Harness User Groups.

Default Group	Account Permissions	Application Permissions
Account Administrator	Create/Delete Application Manage Users & Groups Manage Template Library Administer Other Account Functions	All Permission Types All Applications Actions: Create, Read, Update, Delete, Execute Pipeline, and Execute Workflow
Production Support	No Account Permissions	Pipelines: All Applications; Filters: Production Pipelines; Actions: Create, Read, Update, Delete Services: All Applications; Filters: All Services; Actions: Create, Read, Update, Delete Provisioners: All Applications; Filters: All Provisioners; Actions: Create, Read, Update, Delete Environments: All Applications; Filters: Production Environments; Actions: Create, Read, Update, Delete Workflows: All Applications; Filters: Workflow Templates, Production Workflows; Actions: Create, Read, Update, Delete Deployments: All Applications; Filters: Production Environments; Actions: Read, Execute Pipeline, Execute Workflow
Non-Production Support	No Account Permissions	Pipelines: All Applications; Filters: Non-Production Pipelines; Actions: Create, Read, Update, Delete Services: All Applications; Filters: All Services; Actions: Create, Read, Update, Delete Provisioners: All Applications; Filters: All Provisioners; Actions: Create, Read, Update, Delete Environments: All Applications; Filters: Non-Production Environments; Actions: Create, Read, Update, Delete Workflows: All Applications; Filters: Workflow Templates, Non-Production Workflows; Actions: Create, Read, Update, Delete Deployments: All Applications; Filters: Non-Production Environments; Actions: Read, Execute Pipeline, Execute Workflow

To Add Users

The following procedure adds a new user to a Harness account.

There is no limit to the number of users you may add. Harness Community Edition support 5 users.

To add a user, do the following:

Click Security, and click Access Management.
Click Users. The Users page appears.
Click Add User. The Add User dialog appears.
Enter the email address(es) that user will use to log into the Harness platform.
If you have User Groups defined, select the User Groups for this user. You can add a user before they are verified. You can also add this user to a group from the group's Add Members dialog when you manage the group.
Click SUBMIT. The user is added. The name provided for the user says user not registered.
The user will receive a verification email at the address(es) you provided. When the user logs into Harness, the user creates a password, the email address is verified, and the user name is updated.
You can reset the password in the user's information in Users.

Invite and User TTL

Each email invite has a TTL of 7 days. Additional invites can be resent to the same address for 30 days using the resend option.

After 30 days the user must be removed, added again, and invited again.

To Add a User Group

The following procedure creates a new User Group and defines permissions for its users:

Click Security, and click Access Management.
Click User Groups. The User Groups page appears.
Create the User Group.
1. Click Add User Group. The Add User Group dialog appears.
2. Enter a name and description for the new User Group, and click SUBMIT. The management page for the new group appears.
Add users to the group.
1. Click Member Users. The Add Members dialog appears.
2. Click in the text area and select the members for the group, and then click SUBMIT. The Member Users section of the group page is updated with the new members.
Set Account Permissions.
1. In Account Permissions, enable one or more of the account permissions for this group. For most users, you will enable only the Create/Delete Application permissions. For more information, see Permissions.
Add Application Permissions.
1. Click Add Permissions. The Add Application Permission dialog appears.
2. In Permission Type, select the permissions to apply to the group. These are the Harness components you want the group's members to use. For example, if you click Services, you can then use the Filter field to select the services on which the permission will apply. (For details, see Permissions below.)
3. In Application, select the applications where the permission will apply.
4. In Filter, select the entities (within the applications you selected in Application) that the group can use.
5. In Action, select the action(s) you want to authorize the group to perform.
6. Click SUBMIT. The User Groups page's Application Permissions section is updated.

Permissions Overview

Both sets of Permissions—Account Permissions and Application Permissions—are set on each group. Before setting these permissions, it's important to understand how they interact with each other:

Account permissions affect the high-level permissions for the users in a group, such as the ability to add an application, manage users and groups, and manage their account.
Application permissions affect the low-level permissions for the users in a group, such as the ability to place Usage Scope on a secret that applies to a specific service.

For most users, you will want to apply Application permissions. Account permissions are primarily for administration.

Permissions Are Additive

When a Harness User is a member of two or more User Groups, that user's permissions are a union (a combination) of both User Groups' permissions.

Permissions Example

A user group might have the Account permission to add an application, but only the Application permission to add services:

Users in this group will be able to create applications and add Services to them, but not will not be able to add Environments, Workflows, or other Application components.

Account Permissions

Account-level permissions are enabled in each User Group page, under Account Permissions.

Account permissions enable the following Harness features:

Account Permission	Details
Manage Applications	This permission is for managing Harness Application defaults. You can create, update, and delete Applications in your account. For the group to add entities to the Application, you must add Application Permissions.
View Users and User Groups	Read-only permission for the Users and User Groups in Access Management.
Manage Users and Groups	Create, update, and delete Users and User Groups.
Manage Account Template Library	Create, update, and delete Account Level Templates in the Template Library. See Use Templates.
Administer Other Account Functions	This permission is for managing other Account-Level permissions like Harness Account-Level Git Sync, scope encrypted file and text secrets to Account, Config-As-Code, etc.
Manage Account Defaults	This permission is for managing Harness account defaults. For Harness Application defaults, use the Manage Applications permission. Create, update, and delete Application Defaults. See Create Default Application Directories and Variables.
View Audit Trail	View the Audit Trail events. See Audit Trail.
Create Custom Dashboards	Create Custom Dashboards. Without this permission, you can still view and operate on a dashboard that has been shared with you. See Custom Dashboards Overview.
Manage Custom Dashboards	Manage Custom Dashboards. Without these permissions, you can still view and operate on a dashboard that has been shared with you. See Custom Dashboards Overview.
Manage Tags	Create, update, and delete Tags (key/value pairs) that can be attached to Application components, and impose Allowed Values restrictions on Tags. See Using Tags.
Manage Config as Code	Enable Git Sync for Harness Accounts and Applications. See Harness Account-Level Git Sync and Harness Application-Level Git Sync. You can also make changes using the Configuration as Code UI option (</>). See Edit Harness Components as YAML.
Manage Cloud Providers	Create, update, and delete Cloud Providers. If this permission is not enabled, the users within the user groups will be able to only view the Cloud Providers and their settings. See Add Cloud Providers.
Manage Connectors	Create, update, and delete Connectors (Artifact Servers, Source Repo Providers, Verification Providers, and Collaboration Providers). If this permission is not enabled, the Users within the User Groups will be able to only view the Connectors. See Connectors Overview.
Manage Application Stacks	Create, update, and delete Application Stacks. See Add Application Stacks.
Manage Alert Notification Rules	Create, update, and delete the notification alert settings configured for the account. See Manage Alert Notifications.
Manage Secrets Managers	Add, update, and delete Secrets Managers. If this permission is not enabled, the users within the user groups will be able to only view the list of Secrets Managers. See Add a Secrets Manager and Scope Secret Managers to Applications and Environments.
Manage Secrets	Add secrets for Account-level settings (Cloud Providers, Connectors, etc) and any Applications on which the user has the Application Permissions Create, Read, Update. If this permission is not enabled, the users within the User Groups will be able to view the secrets only (Encrypted Text and Encrypted Files). Secret Usage Scope: The Applications and Environments in a secret's Usage Scope must match the User Group Application Permissions' Applications and Environments. To use a secret, the Application Permission must be Update. Secrets in Delegate Profiles: If you have Manage Secrets enabled, you can use the Scope to Account feature of encrypted text and files secrets, and use those secrets in Delegate Profiles for usernames, passwords, etc. See Using Secrets in a Profile. See Managing Harness Secrets.
Manage Authentication Settings	Configure Authentication Settings. See Authentication Settings.
Manage IP Whitelist	Configure IPs to be whitelisted. See IP Whitelist Management.
Manage API Keys	Create, update, and delete API Keys. See API Keys
CE Admin	Enables the User Group members to administer CE for the account. Permissions include enabling CE, creating CE Explorer reports and budgets, and subscribing users to receive email reports. See Continuous Efficiency Overview.
CE Viewer	View CE Explorer reports. See Continuous Efficiency Overview. Soon the CE Viewer permission will enable users to subscribe people to CE email reports (not CE Explorer reports). This functionality is pending.
Manage Pipeline Governance Standards	Create, update, and delete Pipeline Governance Standards. See Pipeline Governance.
Manage Deployment Freezes	Create, update, and delete Deployment Freeze windows. See Deployment Freeze and Pause All Triggers using Deployment Freeze.
Manage Delegates	Enables User Group members to add, update, and configure Harness Delegates for the account.
Manage Delegate Profiles	Enables User Group members to add, update, and configure Delegate Profiles.
Manage SSH and WinRM Connection	Enables User Group members to add, update and delete SSH Keys and WinRM Connection Credentials.
Allow Deployments During Freeze	Enables Admin members to deploy even if there is an active Deployment Freeze window. See Deployment Freeze.

Application Permissions

Application permissions enable you to perform any activity on an Application level. This includes applying Secrets Management and some Account settings to specific Applications and Environments, via Usage Scope. It also includes adding and modifying Tags on Application components.

Enable Application Permissions

To enable a User Group to manage an Application, add Application Permissions for the Application, and include the Create, Read, Update, and Delete permissions as required. These permissions are called Actions in Application Permissions.

Application Templates Permissions

To enable a User Group to manage specific or all Application-level Templates, you use the Application Templates Permission Type.

Next, in Application, select the Application with the Templates. In Filter, select a specific Application Template or All Application Templates.

In Action, select the Create, Read, Update, and Delete permissions as required.

Exclude Applications

Currently, this feature is in Beta and behind a Feature Flag. Contact Harness Support to enable the feature. Feature Flags can only be removed for Harness Professional and Essentials editions. Once the feature is released to a general audience, it is available for Trial and Community Editions.

You can exclude applications when assigning permissions to User Groups in Harness.

Exclusion is only applicable to Applications and not to Filters or Actions.

For selecting applications while assigning permissions, you can choose one of the following options:

All Applications - This assigns permissions for all of your existing applications as well as any new ones you add later.
Include Selected - This assigns permissions for the applications you select. Any new application that you add afterward must be selected separately for permission assignment.
Let's look at an example. If you click Include Selected and select App 1, App 2, and App 3, permissions are assigned to these 3 applications only. For an application App 7 that you add later, you must select it separately to assign permissions to it.
Exclude Selected - This assigns permissions to all your applications except the selected ones. This applies to all of your existing applications as well as any new ones you add later.
Let's look at an example. If you click Exclude Selected and select App 1, App 2 and App 3, permissions are assigned to all the applications except these 3 applications.

If you choose Exclude Selected, you can no longer pick All Applications.

Assign Workflows and Pipelines to User Groups

To enable a User Group to manage a specific Workflow or Pipeline, you must use the Workflows or Pipelines Permission Type and include the Create, Read, Update, and Delete permissions as required. Select one of the following options to filter the permissions based on Environments or Entities:

By Environments/By Workflows — This will give access to all the workflows that use the environment you select, or as per the entities. Other workflows using the same environment won't be accessible.

You must have Create Workflow permission to create a new workflow in a particular Environment. To create a workflow that uses an Environment, you must have workflow permission with Create action type for that Environment.

By Environments/By Pipelines — This will give access to all the workflows that use the environment you select, or as per the pipeline you select.

You must have Create Pipeline permission to create a new pipeline in a particular Environment. To create a pipeline that uses an Environment, you must have pipeline permission with Create action type for that Environment.

Select All Workflows or All Pipelines to assign permissions for all Workflows or Pipelines.

To provide access to Workflows/Pipelines for a specific application, select the application in Application and then select the workflows/pipelines.

Deploying, Aborting, and Rolling Back Workflows and Pipelines

The following permission types and actions are needed for deploying, aborting, and rolling back Workflows and Pipelines.

Deployments

To enable a User Group to deploy Workflows and Pipelines, you must use the Deployments Permission Type.

The Workflows and Pipelines Permission Types are used for Create, Read, Update, and Delete permissions.

Production and Non-Production Pipelines and Permissions

You can filter the permissions to include either a Production Pipeline or a Non-production Pipeline.

When a Pipeline contains only all non-production stages, it is called as a Non-production Pipeline.

If a non-production environment is selected for the permission, the user will be able to trigger the pipeline as long as all the stages are deployed to non-production environments.

If a Pipeline has both non-production and production stages, the user needs to have access to all the production and non-production Environments to be able to trigger the Pipeline.

Deploy Pipelines in Specific Environments

You can restrict deployments in certain Environments by filtering the Deployment permissions by Pipeline. Only the Pipelines you choose can be deployed in the selected Environments.

If you have Execute Permissions on Pipelines from included Applications, you can run them from excluded Applications.

Currently, this feature is behind the Feature Flag PIPELINE_PER_ENV_DEPLOYMENT_PERMISSION. Contact Harness Support to enable the feature.

To select Pipelines to deploy to specific Environments, select the Environment in Filter and Execute Pipeline in Action.

Only those Environments for which you have Deployment permissions can be used to deploy templated Pipelines using Environment templates.

Abort and Rollback

To enable a User Group to abort or rollback Workflows and Pipelines, the Execute action is required.

Restricting Usage

You can restrict who can apply settings—such as Secrets Management and some Account settings—to specific Application entities. These are set up in the Usage Scope section of the corresponding setting's dialog. For example, here is the Usage Scope section of an Artifact Server dialog:

In this case, the Artifact Server may be used by the ExampleApp Application in both K8s-GCP and dev Environments.

For a User to modify Usage Scope, the User must belong to a Group that has read and update Application permissions for the Application and components on which the restrictions are placed.

In Usage Scope, click the drop-down under Applications, and click the name of the Application.
In Environments, click the name of the Environment.

Permissions and Configure as Code

Permissions for Harness Configure as Code YAML files are the same as those for the Harness Manager UI.

For example, to edit the YAML for a Harness Application, the User Group Account and Application permissions must be as follows:

Account Permissions: A user's Harness User Group must have the Account Permission Manage Applications enabled.
Applications Permissions: A user's Harness User Group must have the Application Permission Update enabled for the specific Applications.

Managing Users and Groups (RBAC)

Visual Summary

Default User Groups

To Add Users

Invite and User TTL

To Add a User Group

Permissions Overview

Permissions Are Additive

Permissions Example

Account Permissions

Application Permissions

Enable Application Permissions

Application Templates Permissions

Exclude Applications

Assign Workflows and Pipelines to User Groups

Deploying, Aborting, and Rolling Back Workflows and Pipelines

Deployments

Production and Non-Production Pipelines and Permissions

Deploy Pipelines in Specific Environments

Abort and Rollback

Restricting Usage

Permissions and Configure as Code

Related Topics

How did we do?

Related Articles Set Up RBAC for Application Release Process Assign Metadata Using Tags Manage Tags

Feedback

Related Articles

Set Up RBAC for Application Release Process

Assign Metadata Using Tags

Manage Tags