Identity and Access Management

The Scalr IAM is a Role Based Access Control (RBAC) system that controls access to all functionality in Scalr.

Terminology

Object
    The target of permissions, e.g. an environment, a workspace, etc.

Permission
    The ability to perform an action on an object, which enables the corresponding functionality in the UI, API, etc., e.g. workspaces:create, vcs-providers:read. Generally the actions are Create, Read, Update and Delete (CRUD), but some objects have specific actions, such as runs:cancel.

Role
    A collection of permissions that can be assigned to a user or team via an access policy.

Access Policy
    Grants a role to a user/team for either the whole account or a specific environment.

Tip

Access policies can be created in two places in the current release.
Access policies for the whole account are created on the Access Policies tab of the main IAM screen.

_images/iam_acc_pol.png


Access policies for specific environments are created on the Access policies tab of the Environment screen.

_images/iam_env_access0.png

IAM Summary

  • Access is granted by creating access policies that link users/teams to a role.

    • Account access policies grant permissions to the account and to all environments in the account.

    • Environment access policies only grant permissions to the specific environment.

  • A user/team can be granted multiple access policies for the account or an environment. The permissions from all the linked roles will be applied when multiple access policies exist.

This graphic shows how access policies assign roles to either the account or an environment for users and teams.

_images/iam_account_roles.png


Configuring IAM

Teams

Teams are configured in the account (green) and can be used to assign access policies to multiple users at once.

_images/iam_teams.png


Inviting Users

Users are also managed in the account. Account owners and admins can invite users and either add them to a team or assign them to a role individually. Assigning a role in this way will create an account access policy for the user that gives them the role permissions for the account and all environments in the account.

_images/iam_invite.png


Deleting Users

Users are deleted from the User section. Click on the user and click delete. This will remove the user from all teams and access policies.

_images/user_delete.png


Built-in Roles

Scalr currently provides only the following predefined roles.

account-min-access
    Minimum permissions required to be able to log in to an account.
    Applicable to: account only.

admin
    All permissions for all objects.
    Applicable to: account and environment.

environment-min-access
    Minimum permissions required to be able to log in to or switch to an environment. Any user that needs access to an environment must be granted this role via an access policy.
    Applicable to: account and environment.

read-only
    Read only access to all objects.
    Applicable to: account and environment.

user
    Full access to all objects in environments and READ ONLY access to account objects (teams, users, etc).
    Applicable to: account or environment.

Note

Some built-in roles include permissions for both account objects and environment objects. When a role is applied only the permissions applicable to the objects in the current context are active.

The ability to create and edit roles will be added in a future release.

Access Policies - Account

Account access policies are managed under the Access Policies section of IAM.

_images/iam_acc_pol.png

Use account access policies to grant permissions on the account and all environments. Only use account access policies if it is intended to give users access to ALL environments.

Access Policies - Environment

Environment access policies are managed from the Access policies tab on the Environments screen.

_images/iam_env_access0.png

Use environment access policies to grant permissions on specific environments. Users granted access to an environment will have access to ALL workspaces in that environment.

Warning

If a role granted via an environment access policy has fewer permissions than a role granted via an account access policy, this DOES NOT remove the account access policy permissions. For example, if the account access policy grants full access to VCS Providers but the environment access policy only grants vcs-providers:read, the user/team will still have full access to VCS Providers.

  • In the account (green) go to environments and select the Access tab for the environment.

  • Click Grant Access and select the user/team and role.

    _images/iam_env_access.png

Examples

All users require an account access policy granting a role that has the accounts:read permission.

A team requires read only access to all environments in the account.

  • Create an account access policy with the role environment-min-access.

  • Create an account access policy with the role account-min-access.

A user requires full access to all environments in their account.

  • Create an account access policy with the role user.

A team requires full access to a specific environment.

  • Create an environment access policy with the role user.

  • Create an account access policy with the role account-min-access.

A team requires read only access to the account.

  • Create an account access policy with the role read-only.
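The following Python is an added example, not Scalr's own code: it models how the account and environment access policies described above combine into a principal's effective permissions, including the warning that a narrower environment role never removes what an account policy grants. The role contents, principals and policies are constructed for illustration; only the role and permission names quoted on this page are real.

```python
# Constructed role definitions: a few permissions per built-in role, chosen to
# illustrate the page's rules (not Scalr's actual permission lists).
ROLES = {
    "account-min-access": {"accounts:read"},
    "admin": {"accounts:read", "vcs-providers:read", "vcs-providers:create",
              "vcs-providers:update", "vcs-providers:delete",
              "workspaces:read", "workspaces:create", "runs:cancel"},
    "read-only": {"accounts:read", "vcs-providers:read", "workspaces:read"},
    "user": {"accounts:read", "workspaces:read", "workspaces:create",
             "runs:cancel"},
}

# Constructed policies. Account policies are (principal, role); environment
# policies are (environment, principal, role).
ACCOUNT_POLICIES = [("team-ops", "admin"), ("alice", "account-min-access")]
ENV_POLICIES = [("prod", "team-ops", "read-only"),
                ("prod", "alice", "user"),
                ("dev", "bob", "user")]


def effective_permissions(principal, environment=None):
    """Union of every account policy for the principal (these apply to the
    account and to every environment) plus every policy granted to the
    principal on the given environment. Nothing subtracts: an environment
    policy with a narrower role never removes account-policy permissions."""
    perms = set()
    for who, role in ACCOUNT_POLICIES:
        if who == principal:
            perms |= ROLES[role]
    for env, who, role in ENV_POLICIES:
        if environment is not None and env == environment and who == principal:
            perms |= ROLES[role]
    return perms


def can_log_in(principal):
    """Logging in is an account-context check: only account policies count,
    and the principal needs accounts:read from one of them."""
    return "accounts:read" in effective_permissions(principal)


def can(principal, permission, environment=None):
    return permission in effective_permissions(principal, environment)


if __name__ == "__main__":
    # team-ops keeps full VCS access in prod despite the read-only env policy.
    print(can("team-ops", "vcs-providers:delete", "prod"))   # True
    # bob has an env policy on dev but no account policy, so cannot log in.
    print(can_log_in("bob"))                                 # False
```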

What’s coming in future releases of IAM

This initial release of IAM introduces the basics of Roles and Access Policies. Our plans for IAM (subject to change) include the following.

  • Simplified management of access policies on one screen

  • User defined roles

  • Workspace access policies

  • Summary views of assigned permissions