Identity and Access Management¶

Reading time: 5 minutes

The Scalr IAM is a Role Based Access Control (RBAC) system that controls access to all functionality in Scalr.

Terminology¶

Term	Description
Object	The target of permissions, e.g. environment, workspace etc.
Permission	The ability to perform an action on an object, thus enabling the corresponding functionality in the UI. API etc. e.g. `workspaces:create`, `vcs-providers:read`. Generally the actions are Create, Read, Update and Delete (CRUD), but some objects have specific actions, such as `runs:cancel`.
Role	A collection of permissions that can be assigned to a user or team via an access policy.
Access Policy	Grants a role to a user/team for either the whole account or a specific environment.

Tip

Access policies can be created in two places in the current release.
Access policies for the whole account are created on the Access Policies tab of the main IAM screen.

Access polices for specific environments are created on the Access policies tab of the Environment screen

IAM Summary¶

Access is granted by creating access policies that link users/teams to a role.
- Account access policies grant permissions to the account and to all environments in the account.
- Environment access policies only grant permissions to the specific environment.
A user/team can be granted multiple access policies for the account or an environment. The permissions from all the linked roles will be applied when multiple access policies exist.

This graphic shows how access policies assign roles to either the account or an environment for users and teams.

Configuring IAM¶

Teams¶

Teams configured in the account (green) and can be used to assign access policies to multiple users.

Inviting Users¶

Users are also managed in the account. Account owners and admins can invite users and either add them to a team or assign them to a role individually. Assigning a role in this way will create an account access policy for the user that gives them the role permissions for the account and all environments in the account.

Deleting Users¶

Users are deleted from the User section. Click on the user and click delete. This will remove the user from all teams and access policies.

Built-in Roles¶

Scalr currently only has a set of predefined roles as follows.

Role	Description	Applicable to
`account-min-access`	Minimum permissions required to be able to login to an account.	Account only.
`admin`	All permissions for all objects.	Account and environment.
`environment-min-access`	Minimum permissions required to be able to login or switch to an environment. Any user that needs access to an environment must have this policy assigned.	Account and environment.
`read-only`	Read only access to all objects.	Account and environment.
`user`	Full access to all objects in environments and READ ONLY access to account objects (teams, users etc).	Account or environment.

Note

Some built-in roles include permissions for both account objects and environment objects. When a role is applied only the permissions applicable to the objects in the current context are active.

The ability to create and edit roles will be added in a future release.

Access Policies - Account¶

Account access policies are managed under the Access Policies section of IAM.

Use account access policies to grant permissions on the account and all environments. Only use account access policies if it is intended to give users access to ALL environments.

Access Policies - Environment¶

Environment access policies are managed from the Access policies tab on the Environments screen.

Use environment access policies to grant permissions on specific environments. User will have access to ALL workspaces.

Warning

If a role is granted via an environment access policy that has less permissions than a role granted via an account access policy, this DOES NOT remove the account access policy permissions. i.e. if the account access policy grants full access to VCS Providers, but the environments access policy only grants vcs-providers:read the user/team will still have full access to VCS Providers.

In the account (green) go to environments and select the Access tab for the environment.
Click Grant Access and select the user/team and role.

Examples¶

All users require an account access policy with the role that has accounts:read permission.

A team requires read only access to all environments in the account.	Create an account access policy with the role `environment-min-access`. Create an account access policy with the role `account-min-access`.
A user requires full access to all environments in their account.	Create an account access policy with the role `user`.
A team requires full access to a specific environment.	Create an environment access policy with role `user`. Create an account access policy with the role `account-min-access`.
A team requires read only access to the account.	Create an account access policy with the role `read-only`.

What’s coming in future releases of IAM¶

This initial release of IAM introduces the basics of Roles and Access Policies. Our plans for IAM (subject to change) include the following.

Simplified management of access policies on one screen
User defined roles
Workspace access policies
Summary views of assigned permissions