Creating Assignment Policies
By default, Wayfinder does not assign static permissions to robots/service accounts when they are created. Instead, users must explicitly assign roles to robots. Assignment Policies put constraints on how users are permitted to assign static permissions to a robot. For more information, see Assigning Roles.
As a workspace administrator, you can use Wayfinder's default assignment policy, or create new assignment policies that are either more restrictive or less so. Wayfinder's default assignment policy is assignment.members.
To see details of policies, see View all policies below.
caution
We do not recommend allowing users to assign permissions permanently to a human user of Wayfinder. Human users should use wf assume instead, as described in Assuming Roles.
Create an assignment policy
As a workspace admin, when you create an assignment policy for a role, you are telling Wayfinder:
- Whom are you allowing to assign this role: one or more workspace members, a workspace role, everyone, etc.
- The constraints on what they are permitted to assign the role to. In nearly all cases this is a robot. You can restrict the assignment to a specific robot, or all robots if needed.
Here are the options you can control on an assignment policy. These options can be used to allow someone to assign a role or to constrain the assignment:
| Option | Description |
|---|---|
| Workspace Member | Allow one or more specific workspace members to assign the role |
| All Subjects | Allow everyone to assign the role |
| Robot Account | Constrain the assignment to a selected robot |
| All Robots | Constrain the assignment to all robots |
| Subject Scope | Allow or constrain the assignment to a scope: users, robots, or kubernetes tokens |
| Workspace Role | Allow someone with a specific workspace role to assign the role. Example workspace roles: member, admin, or a workspace role you've created |
To create an assignment policy:
- Run the command wf create policy assignment. For example: wf create policy assignment --role cluster.deployment
- Follow the prompts to answer the questions that will create the policy.
- Answer Who should be able to apply this role. You can answer the question more than once to add to your selection. When done with this question, select Next.

```
$ wf create policy assignment --role cluster.deployment
✔ Creating assignment policy on role: cluster.deployment
? Who should be able to apply this role
▸ Workspace Member - allows you to limit the scope by the workspace member
  All Subjects - allows you to scope to all subjects
  Robot Account - allows you to limit the scope by a specific robot
  All Robots - scopes the permission to all robots in wayfinder
  Subject Scope - limits the by the scope of the token (user, robot)
  Workspace Role - limits the scope by workspace role membership of the user
↷ Next
```

- Answer How should the role be constrained. You can answer the question more than once to add to your selection. When done with this question, select Next.
- Answer Cluster to apply the permission to, and then select Next. You can choose only one cluster.
- Confirm you want to apply this policy.

Once you confirm, the policy is submitted and applied.
To view all the policies, run wf get policy. Check the AGE column to see the policy you've just created.
View all policies
You can list all types of Wayfinder policies as well as see the details of the policy definitions. To identify the policies associated with robot role assignments, look for assign within the name of the policy.
To list policies or view policy details:
- To list all Wayfinder policies, run wf get policy. The response is something like the one below. This includes default Wayfinder policies, policies created by assignment or assume policies, and other custom policies:

```
NAME                             ROLE                ENABLED  STATUS   AGE
assignment.members               -                   true     Success  70d
assume.admin                     -                   true     Success  70d
assume.members                   -                   true     Success  70d
cluster.admin-assume-tjh2d       cluster.admin       true     Success  155m
cluster.deployment-assign-fkbdl  cluster.deployment  true     Success  7m22s
cluster.deployment-assign-m5vlh  cluster.deployment  true     Success  4m40s
cluster.ingress.v1               -                   false    Success  28d
cluster.networkpolicies.v1       -                   true     Success  28d
cluster.serviceaccounts.v1       -                   true     Success  28d
cluster.services.v1              -                   true     Success  28d
default.clusters-release         default.clusters    true     Success  28d
default.members-release          default.members     true     Success  28d
default.robots-release           default.robots      true     Success  28d
```

- To view the details of any policy, run wf get policy POLICY-NAME -o yaml. The kubernetes resource definition for the policy is displayed.
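As an added example (not part of the Wayfinder documentation or CLI), the helper below turns the wf get policy listing into a quick audit of which roles currently have an enabled assignment policy, using the "assign" naming convention described above. The sample table is constructed from the output shown on this page, with one row set to false to show the filtering.

```shell
#!/bin/sh
# Added example: audit enabled assignment policies from `wf get policy` output.
# Assumes the five-column table layout shown on this page (NAME ROLE ENABLED STATUS AGE).

# Constructed sample input, adapted from the page's own listing
# (cluster.deployment-assign-m5vlh changed to ENABLED=false on purpose).
SAMPLE_POLICIES='NAME ROLE ENABLED STATUS AGE
assignment.members - true Success 70d
assume.admin - true Success 70d
cluster.admin-assume-tjh2d cluster.admin true Success 155m
cluster.deployment-assign-fkbdl cluster.deployment true Success 7m22s
cluster.deployment-assign-m5vlh cluster.deployment false Success 4m40s
default.robots-release default.robots true Success 28d'

# assignment_policies LISTING
# Prints "POLICY ROLE" for every enabled policy whose name contains "assign"
# (the workspace default assignment.members included); the header row is skipped.
assignment_policies() {
    printf '%s\n' "$1" | awk '
        NR > 1 && index($1, "assign") && $3 == "true" { print $1, $2 }'
}

# roles_with_assignment LISTING
# Prints each distinct role that has at least one enabled assignment policy,
# ignoring policies that are not tied to a specific role ("-").
roles_with_assignment() {
    assignment_policies "$1" | awk '$2 != "-" { print $2 }' | sort -u
}

# Live usage (needs the wf CLI and an authenticated session; not run here):
#   assignment_policies "$(wf get policy)"
#   roles_with_assignment "$(wf get policy)"
```

Review the roles this prints against who is allowed to assign them; a disabled policy (ENABLED=false) is deliberately left out so the report reflects what is currently in effect.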
Disable or delete assignment policies
To disable a policy:
- Select a workspace in the UI, and then navigate to Access policy > User access policies.
- Find the policy you want to disable, and then click Disable.
- The policy is disabled, and an Enable button appears. You can re-enable the policy later by clicking this button.

Or, using the CLI, list the policies to find its name and then disable it:

```
wf get policy
wf disable policy POLICY-NAME
```
To delete a policy:
caution
This cannot be undone.
- Select a workspace in the UI, and then navigate to Access policy > User access policies.
- Find the policy you want to delete, click the down arrow to expand its details, and then click Delete policy.
- Confirm that you want to delete the policy.
Create more roles
See Creating New Roles and Policies.
Revoke robot access
See Revoking Access.