Skip to main content

Set catalog RBAC


Port provides granular control to ensure that every user only sees the parts of the catalog that are relevant to them.

Port's catalog RBAC capabilities are enabled by utilizing permissions controls.

Page permissions

In order to manage who can view certain pages in Port, check out page permissions.

Common Catalog RBAC usage

Catalog RBAC allows admins to finely control which users have access to specific information in the software catalog, for example:

  • Allow a user to edit a single specific property on an entity.
  • Create a fully read-only view for a developer.

Set global access controls to catalog data

The default permissions assigned to every blueprint upon creation specify that users with the admin role, and users with the specific blueprint moderator role, can perform any action on a blueprint.
See RBAC permissions for more information about the different roles.

It is possible to assign global permissions controls on entities, using these steps:

  1. Go to the Builder page of your portal.

  2. Select your desired blueprint, click on the ... button in the top-right corner, and select Permissions:

  3. A JSON editor will open, where you can set the permissions for the blueprint.

To assign permissions to read (view) an entity, give the desired persona permissions under the read object as shown below:

To give read permissions to another role, add it to the roles array:

{
"entities": {
... other permissions
"read": {
"roles": ["my-blueprint-moderator", "Admin", "my-role"], // added my-role
"users": [],
"teams": [],
"ownedByTeam": false
}
}
}

Note that assigning create, update, or delete permissions to a user or team will automatically grant them read permissions as well, as they need to be able to see the entities they are allowed to interact with.

Affected components

Setting read permissions on entities takes effect at the API level, meaning that any component in Port that fetches entities will be affected by these permissions.
For example, a table widget that displays entities will only show entities that the user has read permissions for.

Set granular access controls to catalog data

It is possible to assign more granular permissions controls on entities:

To assign permissions to update a specific entity property, give the desired persona permissions under the updateProperties -> propertyName object as shown below:

To give property update permissions to another role, add it to the roles array:

{
"entities": {
... other permissions
"updateProperties": {
"myProperty": {
"roles": ["my-blueprint-moderator", "Admin", "my-role"], // added my-role
"users": [],
"teams": [],
"ownedByTeam": false
}
}
}
}

Software catalog RBAC examples

Refer to the examples page for practical examples of Port's RBAC.

FAQ

Since the catalog RBAC can be very granular, in some instances it might not be perfectly clear what the resulting assigned permissions would do, this part aims to provide some real-world examples and the behavior of Port's RBAC in those instances.

What happens if a user lacks the permissions to edit a required property of the blueprint?

In this case the user will not be able to register or update entities as a whole because they can't provide a value for the required property.

What happens if the ownedByTeam setting is enabled for entity registration, but the user can't edit the team property?

In this case the user will not be able to register a new entity since they can't select a value for the entity's team field and mark it as owned by their team.