_images/login_button.png _images/signup_button.png



Identity and Access Management

Reading time: 5 minutes

The Scalr IAM is a Role Based Access Control (RBAC) system that controls access to all functionality in Scalr.

Terminology

Term

Description

Object

The target of permissions, e.g. environment, workspace, runs, state-versions etc.

Permission

The ability to perform an action on an object, thus enabling the corresponding functionality in the UI. API etc. e.g. workspaces:create, vcs-providers:read. Generally the actions are Create, Read, Update and Delete (CRUD), but some objects have specific actions, such as runs:cancel.

Role

A collection of permissions that can be assigned to a user or team via an access policy.

Access Policy

Grants a role to a user/team for whole account, a specific environment or a specific workspace.

IAM Summary

  • Access is granted by creating access policies that link users/teams to a role.

    • Account access policies can grant permissions to the account and to all environments and workspaces in the account.

    • Environment access policies can grant permissions to the specific environment and all its workspaces.

    • Workspace access policies can grant permissions to the specific workspace only.

  • A user/team can be granted multiple access policies for the account, environments and workspaces. The permissions from all the applicable roles will be applied when multiple access policies exist.

This graphic shows how access policies assign roles the account an environment or a workspace for users and teams.

_images/iam_account_roles.png


Configuring IAM

Teams

Teams configured in the account (green) and can be used to assign access policies to multiple users.

_images/iam_teams.png


Inviting Users

Users are also managed in the account. Account owners and admins can invite users and either add them to a team or assign them to a role individually. Assigning a role in this way will create an account access policy for the user that gives them the role permissions for the account and all environments in the account.

_images/iam_invite.png


Deleting Users

Users are deleted from the User section. Click on the user and click delete. This will remove the user from all teams and access policies.

_images/user_delete.png

Built-in Roles

Scalr has a set of predefined roles as follows.

Role

Description

Applicable to

account-min-access

Minimum permissions required to be able to login to an account.

Account only.

admin

All permissions for all objects.

Account and environment.

environment-min-access

Minimum permissions required to be able to login or switch to an environment. Any user that needs access to an environment must have this policy assigned.

Account and environment.

read-only

Read only access to all objects.

Account and environment.

user

Full access to all objects in environments and READ ONLY access to account objects (teams, users etc).

Account or environment.

Note

Some built-in roles include permissions for account objects, environment objects and workspace objects. When a role is applied only the permissions applicable to the objects in the current context are active.

Custom Roles

If the built-in roles do not meet requirements then custom roles can be defined for an account.

  • On the IAM -> Roles screen click “New Role” and give the role a name.

  • Use the checkboxes to select/deselect the permissions and click “Save”.

_images/custom_roles.png

Warning

The default setting for a new custom role is ALL PERMISSIONS ENABLED.

Access Policies

Access policies can be granted on accounts, environments and workspaces. Access policies link users/teams to a role.

  • Account access policies can grant permissions to the account and to all environments and workspaces in the account.

  • Environment access policies can grant permissions to the specific environment and all its workspaces.

  • Workspace access policies can grant permissions to the specific workspace only.

Warning

If multiple access policies are applicable the user/team will have the combined permissions (logical AND) from all of them. An individual access policy cannot revoke permissions granted by another access policy. For example if one applicable access policy grants full access to VCS Providers, but the another applicable access policy only grants vcs-providers:read the user/team will still have full access to VCS Providers.

Account Access Policies

Account access policies are managed under the Access Policies section of IAM.

_images/iam_acc_pol.png

Use account access policies to grant permissions on the account and all environments and workspaces in the account. Only use account access policies if it is intended to give users the same permissions to all environments and workspaces.

Environment Access Policies

Environment access policies are managed from the Access policies tab on the Environments screen.

_images/iam_env_access0.png

Use environment access policies to grant permissions on specific environments. User will have the same permissions to ALL workspaces in the environment.

  • In the account (green) go to environments and select the Access tab for the environment.

  • Click Grant Access and select the user/team and role.

_images/iam_env_access.png

Workspace Access Policies

Workspace access policies are managed from the Access Policies tab of a workspace.

_images/iam_ws_access.png

Use workspace access policies to grant permissions to one specific workspace. If you intend to give a user/team the same permissions to all workspaces in an environment then use an environment access policy instead.

Examples

All users require an account access policy with the role that has accounts:read permission. All users that need to login to and environment must have an access policy that has ``environment:read` permission.

A team requires read only access to all environments in the account.

  • Create an account access policy with the role environment-min-access.

  • Create an account access policy with the role account-min-access.

A user requires full access to all environments in their account.

  • Create an account access policy with the role user.

A team requires full access to a specific environment.

  • Create an environment access policy with role user.

  • Create an account access policy with the role account-min-access.

A team requires read only access to the account.

  • Create an account access policy with the role read-only.

A user needs full access to only one workspace.

  • Assign account-min-access to a team/user as an account access policy.

  • Assign environment-min-access to a team/user as an environment access policy.

  • Assign user to a team/user as the workspace access policy.

A user requires access to one workspace to read plan outputs and state files.

  • Assign account-min-access to a team/user as an account access policy.

  • Assign environment-min-access to a team/user as an environment access policy.

  • Create a custom role with permissions plans:read-json-output, state-versions:read, workspaces:read.

  • Create a workspace access policy with the custom role.

Single Sign-On

Note

Scalr supports multiple methods of SSO including Google and Github auth. To use a provider other than Google and Github, you must upgrade to a paid tier. If you want to configure SSO on a self-hosted installation, please see External Authentication

Configuration

Scalr support SSO providers that use SAML 2.0. When SSO is activated, it will move the authentication step outside of Scalr and hand it over to the SSO provider that you have configured. During the login in to Scalr, the user will be transferred to a sign in page provided by the SSO server. After sign in, the user will then be redirected back to Scalr which will subsequently treat the user as signed in.

To enable SSO, you must configure it at the account scope of the Scalr UI. To do this:

  1. Click on the Scalr icon on the top left, click IAM, and then SSO:

    _images/saas_saml_setup.png
  2. Click on Identity Providers, New Identity Provider, and then choose SAML. Note down the SP endpoint as that will be used with the SSO provider. For example: https://scalr-account.scalr.io/public/saml/idp-sp986542njcvhj123?metadata and https://scalr-account.scalr.io/public/saml/idp-sp986542njcvhj123?acs

  3. Fill in the fields required by your SSO provider and verify the connection when prompted.

  4. After you save the configuration, turn on the SSO authentication by selecting the SAML provider in the dropdown:

    _images/saas_enable_sso.png

Okta Example

Note

Scalr supports all SAML 2.0 providers, this is just an example of a commonly used one.

  1. Go to Okta’s administration interface by pressing the “Admin” button within the Okta UI:

    _images/okta_admin.png
  2. Select Applications > Applications from the toolbar:

    _images/okta_app.png
  3. Select “Add Application”:

    _images/okta_add_app.png
  4. Select “Create New App”:

    _images/okta_new_app.png
  5. Select SAML 2.0 in the “Create a new application integration” dialogue message:

    _images/saml2.png
  6. Enter the “App name”, then select Next:

    _images/saml_app_name.png
  7. Configure SAML settings. Fill in the form as shown in the example below. Be sure to swap out the example URL host with your own Scalr server. Ensure the “Group Attribute Statements (Optional)” field is populated in order for the user groups to be sent to Scalr correctly. It’s extremely important to correctly enter the “Attribute name”, “Format”, and “Filter” option as shown below:

    _images/configure_saml.png
  8. Finishing the SAML integration:

    _images/okta_finish.png
  9. When complete, you will be forwarded to a Sign On page where the SAML Service Provider configuration options link can be found. Click “View Setup Instructions” to see details:

    _images/okta_instructions.png
  10. Enter the following settings in to the SAML setup in the Scalr UI. Be sure to use the ID and URL that you obtained previously:

  1. Click save and you will now see the SSO option in Scalr upon the next login.

Azure AD SSO Example

Note

Scalr supports all SAML 2.0 providers, this is just an example of a commonly used one.

  1. Go to Azure Active Directory and click on Enterprise applications:

    _images/azure1.png
  2. Select New application and Create your own application:

    _images/azure2.png
  3. Name the application and select “integrate any other application you don’t find in the gallery”:

    _images/azure3.png
  4. Select “Set up single sign on”:

    _images/azure4.png
  5. Click edit on the Basic SAML Configuration option and enter the following:

  1. Open the User Attributes & Claims, click add new claim, add user.groups [All], and save:

    _images/azure6.png
  2. On the Single sign-on page, go to the SAML Signing Certificate section and download the Certificate (Base64). Paste that into the IDP x509cert section in Scalr:

Azure:
_images/azure7.png
Scalr:
_images/azure8.png
  1. On the Azure Single sign-on page, go to the Set up <your app name> section:

  • Login URL = the IDP single sign on service URL in Scalr

  • Azure AD Identifier = the IDP entity ID in Scalr

  • Logout URL = the is the IDP single logout service URL in Scalr

Azure:
_images/azure9.png
Scalr:
_images/azure10.png
  1. In Azure, go to App registrations, find your app and click on it. Copy the Application (client) ID and Directory (tenant) ID, paste the IDs into the respective fields in Scalr:

Azure:
_images/azure11.png
Scalr:
_images/azure12.png
  1. In Azure, click on Certificate & Secrets and generate a Client secret. Paste the secret into the respective field in Scalr:

Azure:
_images/azure13.png
Scalr:
_images/azure12.png
  1. In Azure, click on API Permissions. Add a permission, select Microsoft Graph, Application permissions, and add Directory.Read.All

    _images/azure14.png
  2. In Scalr, add the following settings in the mapping section:

  1. In Scalr, click on the advanced section and update the following fields:

  1. Click save and you will now see the SSO option in Scalr upon the next login.

Users and Teams with SSO

After Scalr has been reconfigured for SSO, users and teams work as follows.

  1. Teams map to SSO groups. Account admins have access to create teams in Scalr and the team name will be validated against the groups in SSO, so the team name must match the group name.

  2. Teams must linked to at least one environment and account.

  3. Once a team has been linked and given the proper permissions, any member of the related SSO group can attempt to login to Scalr. On first login a user record gets created in Scalr and set as SSO authenticated.