Groups, Roles and Access Policies
A user group is a convenient way to associate a set of users to roles and access policies. You can create groups specific to your workspace and associate them to the access policies you require.
Wayfinder comes with default user groups that appear in all workspaces and you can add your own.
Each default group is associated with an access policy, so that users in each group have a set of permissions and access controls associated with that group. For example, users in the owner group in a workspace have more access than users in the member group. Your Wayfinder administrator may also add more default user groups that appear in your workspace.
Workspaces can add users to default groups as needed, but cannot change the group's default access policy. However, you can create a new access policy, and apply it to a default group in your workspace.
If you are a Wayfinder administrator then you can administer groups, roles and access policies across all workspaces.
Create a workspace user group
In Wayfinder's web interface:
- Select Workspaces > Your-Workspace-Name, then navigate to Settings and select the Groups tab.
- You are presented with the groups overview
- Click on the Create Group button
- Fill in the properties
Properties
This section specifies the properties to create a new group.
Field | Description |
---|---|
Name | The name for the new group. |
Description | Meaningful description for this workspace. |
Add users to group | Add one or more users to the group. |
Access Policies | Use the 'Go to Access Policies' button to give this new group access to Kubernetes clusters. |
Edit or delete a group
The delete action cannot be undone.
In Wayfinder's web interface:
- Select Workspaces > Your-Workspace-Name, then navigate to Settings and select the Groups tab.
- Expand the group you want.
- Click the Actions tab, and then click either the Edit or Delete buttons.
Add Roles and Access Policies
Roles grant permissions on Kubernetes resources, and access policies constrain a role's permissions to specific resources and conditions.
Workspace roles and access policies are specific to each workspace and you can create your own as needed. By default, Wayfinder includes global (platform-level) roles and access policies that are available in all workspaces; you cannot edit or delete them. However, you have full control over the roles and access policies you create.
Create a workspace access policy
In Wayfinder's web interface:
- Select Workspaces > Your-Workspace-Name, then navigate to Settings and select the Cluster Access Policies tab.
- Click the +Policy tab.
- Enter a name and description of the policy, and the Roles, user Groups, and Workspaces (if you're a Wayfinder Admin) the policy applies to.
  - Groups indicates the user group(s) who can assume the selected role(s) for a limited time, or who can assign the selected role(s) to an access token permanently.
  - Workspaces is shown only for Wayfinder Admins (in Wayfinder settings).
- Set these policy constraints as needed in the fields provided:
  Note: If this is an access token access policy, the constraints apply to creating the access token, not the access token itself.
  - Max expiration—the maximum length of a session that a human user can assume the specified roles. Does not apply to access token roles, which are permanent.
  - Clusters—which clusters can be accessed. Click Advanced mode to match cluster labels.
  - Namespaces—which namespaces can be accessed
  - Source Networks—which source networks can be used to access the specified roles, or to create an access token with those roles
  - Days of week—allowed days to assume the specified roles, or to create an access token with those roles
  - Time of day—allowed time of day to assume the specified roles, or to create an access token with those roles
- Click Save.
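The constraints in the steps above, modelled as an added example (not Wayfinder's code or policy schema). The field names, the sample role, group, cluster and network values, and the rule that a request must satisfy every constraint are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, time
from ipaddress import ip_address, ip_network

# Assumed model for illustration: field names and the rule that every
# constraint must pass are assumptions, not Wayfinder's schema or logic.
@dataclass
class Policy:
    roles: set
    groups: set
    max_expiration: timedelta
    clusters: set
    namespaces: set
    source_networks: list   # CIDR strings
    days_of_week: set       # 0 = Monday ... 6 = Sunday
    time_of_day: tuple      # (start, end) as datetime.time

@dataclass
class Request:
    user_groups: set
    role: str
    cluster: str
    namespace: str
    source_ip: str
    when: datetime
    duration: timedelta
    access_token: bool = False  # True when creating an access token

def violations(p, r):
    """Return the names of the constraints the request fails (empty = allowed)."""
    start, end = p.time_of_day
    checks = {
        "role": r.role in p.roles,
        "group": bool(r.user_groups & p.groups),
        "cluster": r.cluster in p.clusters,
        "namespace": r.namespace in p.namespaces,
        "source network": any(ip_address(r.source_ip) in ip_network(n)
                              for n in p.source_networks),
        "day of week": r.when.weekday() in p.days_of_week,
        "time of day": start <= r.when.time() <= end,
        # Per the page, max expiration does not apply to access token roles.
        "max expiration": r.access_token or r.duration <= p.max_expiration,
    }
    return [name for name, ok in checks.items() if not ok]

# Constructed sample policy: weekday office hours from one office network.
SAMPLE = Policy({"namespace-admin"}, {"member"}, timedelta(hours=4), {"dev-1"},
                {"team-a"}, ["203.0.113.0/24"], {0, 1, 2, 3, 4},
                (time(8, 0), time(18, 0)))
```

Returning the failed constraint names rather than a bare allow/deny makes it easy to see which field of a draft policy blocks a legitimate request before you save it.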
Related Reading
- Cluster Access Policies
- See the Managing User Access (Clusters) section for full details on how to administer roles and access policies in your workspace.