Set Catalog RBAC
Port provides granular control to make sure every user sees only the parts of the catalog that are relevant for them.
Port's catalog RBAC capabilities are enabled by Port's permissions controls.
In order to manage who can view which pages in Port, check out page permissions.
Common Catalog RBAC usage
Catalog RBAC allows admins to finely control which users have access to which information from the catalog, for example:
- Show developers only the services that they own;
- Allow a user to edit just a specific property on an entity;
- Create a fully read-only view for a developer;
- etc.
Set global access controls to catalog data
The default permissions assigned to every blueprint upon creation allow users with the `Admin` role, and users with that blueprint's moderator role, to perform any action on the blueprint and its entities.
It is also possible to assign global permission controls on entities for each of the following actions:
- Create (register)
- Update
- Delete (unregister)
To assign permissions to create an entity, give the desired persona permissions under the `register` object. The object has four persona fields, `roles`, `users`, `teams` and `ownedByTeam`, each shown in turn below.
To give `create` permissions to another role, add it to the `roles` array:
```json
{
  "entities": {
    ... other permissions
    "register": {
      "roles": ["my-blueprint-moderator", "Admin", "my-role"], // added my-role
      "users": [],
      "teams": [],
      "ownedByTeam": false
    }
  }
}
```
To give `create` permissions to another user, add it to the `users` array:
```json
{
  "entities": {
    ... other permissions
    "register": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": ["my-user@example.com"], // added my-user@example.com
      "teams": [],
      "ownedByTeam": false
    }
  }
}
```
To give `create` permissions to another team, add it to the `teams` array:
```json
{
  "entities": {
    ... other permissions
    "register": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": [],
      "teams": ["my-team"], // added my-team
      "ownedByTeam": false
    }
  }
}
```
Teams can be assigned to entities, denoting the team's ownership of the entity.
To give `create` permissions to members of the owning team of an entity, change the `ownedByTeam` key:
```json
{
  "entities": {
    ... other permissions
    "register": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": [],
      "teams": [],
      "ownedByTeam": true // changed from false
    }
  }
}
```
In the context of the `create` permission, owned by team means that a user can only create a new entity if they assign it a team that they are a member of.
To assign permissions to update an entity, give the desired persona permissions under the `update` object. The object has the same four persona fields, `roles`, `users`, `teams` and `ownedByTeam`, each shown in turn below.
To give `update` permissions to another role, add it to the `roles` array:
```json
{
  "entities": {
    ... other permissions
    "update": {
      "roles": ["my-blueprint-moderator", "Admin", "my-role"], // added my-role
      "users": [],
      "teams": [],
      "ownedByTeam": false
    }
  }
}
```
To give `update` permissions to another user, add it to the `users` array:
```json
{
  "entities": {
    ... other permissions
    "update": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": ["my-user@example.com"], // added my-user@example.com
      "teams": [],
      "ownedByTeam": false
    }
  }
}
```
To give `update` permissions to another team, add it to the `teams` array:
```json
{
  "entities": {
    ... other permissions
    "update": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": [],
      "teams": ["my-team"], // added my-team
      "ownedByTeam": false
    }
  }
}
```
Teams can be assigned to entities, denoting the team's ownership of the entity.
To give `update` permissions to members of the owning team of an entity, change the `ownedByTeam` key:
```json
{
  "entities": {
    ... other permissions
    "update": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": [],
      "teams": [],
      "ownedByTeam": true // changed from false
    }
  }
}
```
To assign permissions to delete an entity, give the desired persona permissions under the `unregister` object (delete is called `unregister` in the permissions JSON, just as create is called `register`). The object has the same four persona fields, `roles`, `users`, `teams` and `ownedByTeam`, each shown in turn below.
To give `delete` permissions to another role, add it to the `roles` array:
```json
{
  "entities": {
    ... other permissions
    "unregister": {
      "roles": ["my-blueprint-moderator", "Admin", "my-role"], // added my-role
      "users": [],
      "teams": [],
      "ownedByTeam": false
    }
  }
}
```
To give `delete` permissions to another user, add it to the `users` array:
```json
{
  "entities": {
    ... other permissions
    "unregister": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": ["my-user@example.com"], // added my-user@example.com
      "teams": [],
      "ownedByTeam": false
    }
  }
}
```
To give `delete` permissions to another team, add it to the `teams` array:
```json
{
  "entities": {
    ... other permissions
    "unregister": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": [],
      "teams": ["my-team"], // added my-team
      "ownedByTeam": false
    }
  }
}
```
Teams can be assigned to entities, denoting the team's ownership of the entity.
To give `delete` permissions to members of the owning team of an entity, change the `ownedByTeam` key:
```json
{
  "entities": {
    ... other permissions
    "unregister": {
      "roles": ["my-blueprint-moderator", "Admin"],
      "users": [],
      "teams": [],
      "ownedByTeam": true // changed from false
    }
  }
}
```
Set granular access controls to catalog data
It is also possible to assign more granular permission controls on entities, scoped to a single property or relation rather than the whole entity:
- Update specific property
- Update specific relation
To assign permissions to update a specific entity property, give the desired persona permissions under the `updateProperties` -> `propertyName` object. Each property entry has the same four persona fields, `roles`, `users`, `teams` and `ownedByTeam`, each shown in turn below.
To give property update permissions to another role, add it to the `roles` array:
```json
{
  "entities": {
    ... other permissions
    "updateProperties": {
      "myProperty": {
        "roles": ["my-blueprint-moderator", "Admin", "my-role"], // added my-role
        "users": [],
        "teams": [],
        "ownedByTeam": false
      }
    }
  }
}
```
To give property update permissions to another user, add it to the `users` array:
```json
{
  "entities": {
    ... other permissions
    "updateProperties": {
      "myProperty": {
        "roles": ["my-blueprint-moderator", "Admin"],
        "users": ["my-user@example.com"], // added my-user@example.com
        "teams": [],
        "ownedByTeam": false
      }
    }
  }
}
```
To give property update permissions to another team, add it to the `teams` array:
```json
{
  "entities": {
    ... other permissions
    "updateProperties": {
      "myProperty": {
        "roles": ["my-blueprint-moderator", "Admin"],
        "users": [],
        "teams": ["my-team"], // added my-team
        "ownedByTeam": false
      }
    }
  }
}
```
Teams can be assigned to entities, denoting the team's ownership of the entity.
To give property update permissions to members of the owning team of an entity, change the `ownedByTeam` key:
```json
{
  "entities": {
    ... other permissions
    "updateProperties": {
      "myProperty": {
        "roles": ["my-blueprint-moderator", "Admin"],
        "users": [],
        "teams": [],
        "ownedByTeam": true // changed from false
      }
    }
  }
}
```
To assign permissions to update a specific entity relation, give the desired persona permissions under the `updateRelations` -> `relationName` object. Each relation entry has the same four persona fields, `roles`, `users`, `teams` and `ownedByTeam`, each shown in turn below.
To give relation update permissions to another role, add it to the `roles` array:
```json
{
  "entities": {
    ... other permissions
    "updateRelations": {
      "myRelation": {
        "roles": ["my-blueprint-moderator", "Admin", "my-role"], // added my-role
        "users": [],
        "teams": [],
        "ownedByTeam": false
      }
    }
  }
}
```
To give relation update permissions to another user, add it to the `users` array:
```json
{
  "entities": {
    ... other permissions
    "updateRelations": {
      "myRelation": {
        "roles": ["my-blueprint-moderator", "Admin"],
        "users": ["my-user@example.com"], // added my-user@example.com
        "teams": [],
        "ownedByTeam": false
      }
    }
  }
}
```
To give relation update permissions to another team, add it to the `teams` array:
```json
{
  "entities": {
    ... other permissions
    "updateRelations": {
      "myRelation": {
        "roles": ["my-blueprint-moderator", "Admin"],
        "users": [],
        "teams": ["my-team"], // added my-team
        "ownedByTeam": false
      }
    }
  }
}
```
Teams can be assigned to entities, denoting the team's ownership of the entity.
To give relation update permissions to members of the owning team of an entity, change the `ownedByTeam` key:
```json
{
  "entities": {
    ... other permissions
    "updateRelations": {
      "myRelation": {
        "roles": ["my-blueprint-moderator", "Admin"],
        "users": [],
        "teams": [],
        "ownedByTeam": true // changed from false
      }
    }
  }
}
```
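Before a permissions document is applied it is worth checking which of its entries actually widen the default of Admin plus the blueprint's moderator role. The following Python script is an added example written for this page, not Port's own tooling. It walks the `entities` block in the shape shown above (the global `register`, `update` and `unregister` entries plus every `updateProperties` and `updateRelations` entry) and reports each role beyond the defaults, each direct user grant, each team grant, and any `ownedByTeam` grant on `unregister`. The moderator role name `my-blueprint-moderator` and the identifiers in the sample document are taken from the examples on this page; which grants count as findings is this example's choice, not Port's.

```python
"""Audit a Port blueprint permissions document for grants that widen the
default (only Admin and the blueprint's moderator role). Added example written
for this page, not Port's own tooling; the sample document at the bottom is
constructed to match the JSON shape shown above."""
import json
from typing import Iterator

# The page states that Admin and the blueprint moderator role can do anything
# by default; any other role in a "roles" array is an explicit widening. The
# moderator role name follows the "my-blueprint-moderator" used in the examples.
DEFAULT_ROLES = frozenset({"Admin", "my-blueprint-moderator"})

# Actions that destroy data; an ownedByTeam grant here is called out as well.
DESTRUCTIVE_ACTIONS = frozenset({"unregister"})


def iter_entries(entities: dict) -> Iterator[tuple[str, dict]]:
    """Yield (path, persona entry) for the three global actions and for every
    per-property and per-relation entry."""
    for action in ("register", "update", "unregister"):
        if action in entities:
            yield action, entities[action]
    for group in ("updateProperties", "updateRelations"):
        for name, entry in entities.get(group, {}).items():
            yield f"{group}.{name}", entry


def audit(permissions: dict, default_roles=DEFAULT_ROLES) -> list[str]:
    """Return one finding per grant that goes beyond the defaults, in
    document order."""
    findings = []
    for path, entry in iter_entries(permissions.get("entities", {})):
        extra_roles = sorted(set(entry.get("roles", [])) - default_roles)
        users = entry.get("users", [])
        teams = entry.get("teams", [])
        if extra_roles:
            findings.append(f"{path}: extra roles {extra_roles}")
        if users:
            # Per-user grants sit outside role and team lifecycle and are the
            # ones most often left behind after offboarding.
            findings.append(f"{path}: direct user grants {users}")
        if teams:
            findings.append(f"{path}: team grants {teams}")
        if entry.get("ownedByTeam") and path in DESTRUCTIVE_ACTIONS:
            findings.append(f"{path}: owning team may delete")
    return findings


# Constructed sample: one widening of each kind, plus an untouched update entry.
SAMPLE = json.loads("""{
  "entities": {
    "register": {"roles": ["my-blueprint-moderator", "Admin"],
                 "users": ["my-user@example.com"], "teams": [], "ownedByTeam": true},
    "update": {"roles": ["my-blueprint-moderator", "Admin"],
               "users": [], "teams": [], "ownedByTeam": false},
    "unregister": {"roles": ["my-blueprint-moderator", "Admin", "my-role"],
                   "users": [], "teams": [], "ownedByTeam": true},
    "updateProperties": {
      "myProperty": {"roles": ["my-blueprint-moderator", "Admin"],
                     "users": [], "teams": ["my-team"], "ownedByTeam": false}
    }
  }
}""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the sample it prints four findings: the direct user grant on `register`, the extra role and the owning-team delete on `unregister`, and the team grant on `updateProperties.myProperty`. `ownedByTeam` on `register` is not reported, since it only lets a user create entities for a team they already belong to.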
Software catalog RBAC examples
Refer to the examples page for practical examples of Port's RBAC.
FAQ
Because catalog RBAC can be very granular, it is not always obvious what a given combination of permissions will do in practice. This section gives some real-world examples and the resulting behaviour of Port's RBAC in those cases:
What happens if a user lacks the permissions to edit a required property of the blueprint?
In this case the user will not be able to register or update entities as a whole, because they cannot provide a value for the required property.
What happens if the `ownedByTeam` setting is enabled for entity registration, but the user can't edit the `team` property?
In this case the user will not be able to register a new entity, since they cannot select a value for the entity's team field and so cannot mark it as owned by their team.
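To see how the global entries, the granular property entries and the two FAQ rules combine, the following Python model is an added example written for this page, not Port's own authorization code. It evaluates a single persona entry the way the global and granular sections above describe (match on role, user, team, or ownership of the entity's team), treats a property as editable through either the global `update` entry or the property's own `updateProperties` entry (an assumption), and names the entity's team field `$team` in `updateProperties` (also an assumption; the page only calls it the team property). The `Developer` role, the `language` and `tier` properties and the two principals are constructed for the example.

```python
"""Decide what a Port-style permissions document lets a principal do.
Added example written for this page, not Port's own authorization code: it
encodes the roles / users / teams / ownedByTeam rules from the sections above
and the two FAQ interactions, so a document can be dry-run before applying."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    email: str
    roles: frozenset = frozenset()
    teams: frozenset = frozenset()


def entry_allows(entry: dict, who: Principal, entity_teams=()) -> bool:
    """A persona entry grants access when the user matches any of its four
    fields. entity_teams is the entity's owning team, or for register the
    team the user is assigning to the new entity."""
    if who.roles & set(entry.get("roles", ())):
        return True
    if who.email in entry.get("users", ()):
        return True
    if who.teams & set(entry.get("teams", ())):
        return True
    return bool(entry.get("ownedByTeam")) and bool(who.teams & set(entity_teams))


def property_editable(entities: dict, who: Principal, prop: str, entity_teams=()) -> bool:
    """Assumption: a property is editable via the global update entry or via
    its own updateProperties entry; a property with no entry of its own
    falls back to the global one."""
    if entry_allows(entities["update"], who, entity_teams):
        return True
    own = entities.get("updateProperties", {}).get(prop)
    return own is not None and entry_allows(own, who, entity_teams)


def can_register(entities: dict, who: Principal, required_props, assigned_teams=(),
                 team_property="$team") -> bool:
    """Apply the register grant plus both FAQ rules. team_property is the
    updateProperties key for the entity's team field; "$team" is an assumed
    name, the page only calls it the team property."""
    reg = entities["register"]
    if not entry_allows(reg, who, assigned_teams):
        return False
    # FAQ 1: a required property the user cannot set blocks the whole registration.
    if not all(property_editable(entities, who, p, assigned_teams) for p in required_props):
        return False
    # FAQ 2: if the grant holds only through ownedByTeam, the user must also be
    # able to set the team field, otherwise they cannot claim ownership.
    if not entry_allows({**reg, "ownedByTeam": False}, who):
        return property_editable(entities, who, team_property, assigned_teams)
    return True


def _entry(roles=(), ownedByTeam=False):
    """Default entry from the page (moderator + Admin) with optional widening."""
    return {"roles": ["my-blueprint-moderator", "Admin", *roles], "users": [],
            "teams": [], "ownedByTeam": ownedByTeam}


# Constructed document: a "Developer" role (assumed name) may register entities
# for its own team, has no blanket update, and may edit only "language".
ENTITIES = {
    "register": _entry(ownedByTeam=True),
    "update": _entry(),
    "unregister": _entry(),
    "updateProperties": {
        "$team": _entry(ownedByTeam=True),
        "language": _entry(roles=["Developer"]),
        "tier": _entry(),
    },
}
# Same document, but the owning team may no longer set the team field (FAQ 2).
NO_TEAM_EDIT = {**ENTITIES, "updateProperties": {**ENTITIES["updateProperties"], "$team": _entry()}}

DEV = Principal("dev@example.com", roles=frozenset({"Developer"}), teams=frozenset({"my-team"}))
ADMIN = Principal("admin@example.com", roles=frozenset({"Admin"}))

if __name__ == "__main__":
    print(can_register(ENTITIES, DEV, ["language"], ["my-team"]))          # True
    print(can_register(ENTITIES, DEV, ["language", "tier"], ["my-team"]))  # False: cannot set "tier"
    print(can_register(ENTITIES, DEV, ["language"], ["other-team"]))       # False: not their team
    print(can_register(NO_TEAM_EDIT, DEV, ["language"], ["my-team"]))      # False: cannot set team field
    print(can_register(ENTITIES, ADMIN, ["language", "tier"]))             # True
    print(entry_allows(ENTITIES["unregister"], DEV, ["my-team"]))          # False
```

The second and fourth calls are the two FAQ cases: a required `tier` property the developer cannot set blocks registration outright, and removing the owning team's right to set the team field blocks registration even though the `register` entry itself still says `ownedByTeam: true`. The third call shows the create-side meaning of ownership, a developer cannot register an entity on behalf of a team they are not in.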