Skip to main content

Set catalog RBAC

Port provides granular control to make sure every user sees only the parts of the catalog that are relevant for them.

Port's catalog RBAC capabilities are enabled by Port's permissions controls.

tip

In order to manage who can view which pages in Port, check out page permissions.

๐Ÿ’ก Common Catalog RBAC usageโ€‹

Catalog RBAC allows admins to finely control which users have access to which information from the catalog, for example:

  • Show developers only the services that they owns;
  • Allow a user to edit just a specific property on an entity;
  • Create a fully read-only view for a developer;
  • etc.

Set global access controls to catalog dataโ€‹

The default permissions assigned to every blueprint upon creation specify that users with the admin role, and users with the specific blueprint moderator role, can perform any action over a blueprint.

It is also possible to assign global permissions controls on entities:

To assign permissions to create an entity, give the desired persona permissions under the register object as shown below:

To give create permissions to another role, add it to the roles array:

{
"entities": {
... other permissions
"register": {
"roles": ["my-blueprint-moderator", "Admin", "my-role"], // added my-role
"users": [],
"teams": [],
"ownedByTeam": false
}
}
}

Set granular access controls to catalog dataโ€‹

It is also possible to assign more granular permissions controls on entities:

To assign permissions to update a specific entity property, give the desired persona permissions under the updateProperties -> propertyName object as shown below:

To give property update permissions to another role, add it to the roles array:

{
"entities": {
... other permissions
"updateProperties": {
"myProperty": {
"roles": ["my-blueprint-moderator", "Admin", "my-role"], // added my-role
"users": [],
"teams": [],
"ownedByTeam": false
}
}
}
}

Software catalog RBAC examplesโ€‹

Refer to the examples page for practical examples of Port's RBAC.

FAQโ€‹

Since the catalog RBAC can be very granular, in some instances it might not be perfectly clear what the resulting assigned permissions would do, this part aims to provide some real-world examples and the behavior of Port's RBAC in those instances:

What happens if a user lacks the permissions to edit a required property of the blueprint?โ€‹

In this case the user will not be able to register or update entities as a whole because they can't provide a value for the required property;

What happens if the ownedByTeam setting is enabled for entity registration, but the user can't edit the team property?โ€‹

In this case the user will not be able to register a new entity since they can't select a value for the entity's team field and mark it as owned by their team.