Version: 1.6

About Role Based Access Control (RBAC)

Wayfinder provides a detailed, highly configurable, policy-based engine to permit access to the infrastructure it manages. Wayfinder ships with a default Compliance Package constraining what all workspaces can do, and workspace administrators can create appropriate access policies for their workspace members and robots.

Additional compliance packages and the application of custom Wayfinder-wide compliance packages will be available in future releases of Wayfinder.

This table describes the RBAC terms and Wayfinder concepts that work together to control user access.

| Term | Description |
| --- | --- |
| Permission | The ability to create, modify, delete, or perform other operations on a resource (such as a cluster, namespace, ingress, etc.) |
| Role | A group of generic permissions that can be granted to a subject (human or robot). For example, a Workspace Admin has permissions to create and delete clusters, create namespaces, etc. Roles provide a set of templates for permissions that can be assumed by, or assigned to, subjects. Human subjects can assume roles for a limited time. Robots are assigned roles permanently. Roles are often bundled in a compliance package. |
| Access policy | While a role provides generic permissions, an access policy constrains those permissions to specific resources and conditions. Access policies are a set of rules about what a specific subject (human or robot) can do to specific infrastructure. For example, the Wayfinder deployment role lets a robot deploy to a cluster and namespace. When Robot A is created and assigned that role, the access policy assigned constrains Robot A to deploy to a specific cluster and namespace, and only during working hours. |
| Compliance package | A collection of roles and policies. In Wayfinder, compliance packages are associated with an infrastructure stage (like prod or nonprod). The stage is chosen when creating a cluster. For example, when a Workspace Admin creates a cluster and chooses whether it’s for production or non-production, the appropriate compliance package is automatically applied. |
| Groups | A group of users. Groups facilitate creating and adjusting roles and policies for a group of users who share the same set of permissions. |
| Live sessions | Wayfinder shows you who currently has access to resources. This lets you revoke those sessions if needed. |
| Workspaces | A way of putting related users, teams, projects, etc., and their associated infrastructure together in one space. All user access permissions are bound to the scope of a workspace. So, the roles and access policies in a workspace are limited to accessing the infrastructure in that workspace. |
| Stages | Used to separate production environments from non-production, and any other stage you optionally define. Access policies are scoped to a specific stage by default. |

Wayfinder's user access model

Wayfinder uses the same mechanics and best practices that cloud vendors employ.

  • All user access is driven by accessing a role on a specific resource such as a cluster or namespace. This access can be by humans or robots/service accounts. Human users never have permanent access to anything. Instead, they are given a limited subset of permissions. When they need additional permissions, they are prompted to assume or escalate their permissions via a Role. Robots/service accounts can be assigned permanent access.
  • All sessions (for human users) have a natural expiration time, so nothing needs to be invalidated.
  • All credentials are rotated on a configurable period.
  • When escalating permissions, users are filtered through a series of policies that govern how, when, what and why a user can assume the role.
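
The following Python sketch is an added illustration, not Wayfinder code or its configuration schema: it models how a role's generic permissions are narrowed by an access policy and by session expiry, using the Robot A scenario from the table. All class, field and resource names are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

# Illustrative model; names and fields are assumptions, not Wayfinder's schema.
@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset            # generic verbs, e.g. {"deploy"}

@dataclass(frozen=True)
class AccessPolicy:
    subject: str                      # human or robot the policy is bound to
    role: Role
    scope: tuple                      # (workspace, stage, cluster, namespace)
    hours: tuple = (time.min, time.max)

@dataclass(frozen=True)
class Session:
    policy: AccessPolicy
    expires_at: Optional[datetime]    # None: permanent assignment (robots only)

def assume(policy, is_robot, now, ttl=timedelta(hours=1)):
    """Robots hold the role permanently; humans get a session that expires."""
    return Session(policy, None if is_robot else now + ttl)

def check(session, subject, verb, resource, now):
    """Return (allowed, reason); every condition must pass, default is deny."""
    p = session.policy
    if session.expires_at is not None and now >= session.expires_at:
        return False, "session expired"
    if subject != p.subject:
        return False, "policy not bound to this subject"
    if verb not in p.role.permissions:
        return False, "role lacks permission"
    if resource != p.scope:
        return False, "resource outside policy scope"
    if not p.hours[0] <= now.time() <= p.hours[1]:
        return False, "outside permitted hours"
    return True, "allowed"

# Constructed sample data mirroring the Robot A example in the table above.
DEPLOY = Role("deployment", frozenset({"deploy"}))
SCOPE = ("ws-a", "nonprod", "cluster-1", "team-a")
ROBOT_A = AccessPolicy("robot-a", DEPLOY, SCOPE, (time(9), time(17)))
ALICE = AccessPolicy("alice", DEPLOY, SCOPE)
```

Because the human session carries its own expiry, `check` denies it after the TTL without any revocation step, which is the property the second bullet describes.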

For more information, see Understanding roles and policies.

More information

For more information, see: