Roles
Every user has one or more roles that regulate which actions that user can execute. We have roles that are oriented towards managers, developers, operations, security, CI, and more.
These are the existing roles on nullplatform:
Management roles:
- Admin: create and destroy resources and invite users with other roles.
Role | Level | ID | Slug | Description |
---|---|---|---|---|
Admin | Organization | 511311886 | organization:admin | Manage the organization. |
Admin | Account | 535953428 | account:admin | Manage the account. |
Admin | Namespace | 548274199 | namespace:admin | Modify the namespace, create and delete applications. |
Admin | Application | 560594970 | application:admin | Create, modify, and delete the application and its scopes. |
Developer centric roles:
- Developer: operate applications (e.g., create applications, parameters, and deployments; see logs, performance, and metadata; troubleshoot).
- Member: read-only access to resources.
Role | Level | ID | Slug | Description |
---|---|---|---|---|
Developer | Organization | 515440655 | organization:developer | Fully contribute in any of this organization's applications. Cannot make organization-level changes. |
Developer | Account | 540082197 | account:developer | Fully contribute in any of this account's applications. Cannot make account-level changes. |
Developer | Namespace | 552402968 | namespace:developer | Same as application:developer but at namespace level. |
Developer | Application | 564723739 | application:developer | Can create builds and releases, scopes, and start deployments. |
Member | Organization | 507183117 | organization:member | Read information about the organization but cannot make changes |
Member | Account | 531824659 | account:member | Read information about the account but cannot make changes |
Member | Namespace | 544145430 | namespace:member | Read access to the namespace's information |
Member | Application | 556531737 | application:member | Read access to the application's information. |
DevOps / Infrastructure / Security / FinOps centric roles:
- Ops: operate on infrastructure-related entities such as runtime configurations.
- SecOps: operate on entities related to security and policies.
- CI: for workflows that need to push images and manipulate build & release metadata.
Roles can have their corresponding NRN level attached, so a role such as Admin exists in different flavors: organization:admin, account:admin, namespace:admin, and application:admin.
Role | Level | ID | Slug | Description |
---|---|---|---|---|
Ops | Organization | 572915741 | organization:ops | Configure infrastructure for the organization |
Ops | Account | 577044510 | account:ops | Configure infrastructure for the account |
Ops | Namespace | 581173279 | namespace:ops | Configure infrastructure for the namespace |
Ops | Application | 585236512 | application:ops | Configure infrastructure for the application |
SecOps | Organization | 593494050 | organization:secops | Configure security-related features for the organization |
SecOps | Account | 597557283 | account:secops | Configure security-related features for the account |
SecOps | Namespace | 601686052 | namespace:secops | Configure security-related features for the namespace |
SecOps | Application | 605814821 | application:secops | Configure security-related features for the application |
CI | (all) | 1855672260 | organization:machine:ci | Create builds, assets, releases, and metadata |
Having a role on a certain resource doesn't necessarily mean you can execute actions on your own: your company might have configured approval flows that are triggered by your action. Check the Approvals section for more information.
Who is allowed to grant permissions
Granting a permission is the act of assigning a role to a particular user on a certain NRN (and its children).
Users can grant permissions to other users following these rules:
- Users can only grant permissions at the same or lower NRN level where they have their own grant.
- The role being granted must be assignable according to this table (for simplicity, we're omitting the role's level):
Granter | Roles that can be granted |
---|---|
Admin | Admin, Member, Ops, Developer, SecOps |
Ops | CI |
To grant permissions, select the Team Management option on the top bar.
Grant removal
At this time, the grant removal rules are:
- It is only allowed for Admin roles.
- You can only remove a grant at or below the level where you have the admin role.
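The granting and grant removal rules above can be modeled as a small policy check, useful when reviewing who could escalate whom. This is an added example, not nullplatform code. It assumes an NRN can be modeled as a tuple path (organization, account, namespace, application), reads "same or lower level" as "the granter's NRN or one of its children", and reads the removal rule as "the remover must hold Admin"; `Grant`, `covers`, `can_grant`, `can_remove` and `audit` are hypothetical names.

```python
from typing import NamedTuple

# Granter role -> roles it may assign, copied from the table above (levels omitted).
GRANTABLE = {
    "admin": {"admin", "member", "ops", "developer", "secops"},
    "ops": {"ci"},
}

class Grant(NamedTuple):
    role: str    # role name without its level, e.g. "admin"
    nrn: tuple   # assumed NRN model: prefix of (organization, account, namespace, application)

def covers(held: tuple, target: tuple) -> bool:
    """True when target is the held NRN itself or one of its children."""
    return len(held) <= len(target) and target[:len(held)] == held

def can_grant(granter: list, role: str, target: tuple) -> bool:
    """Both rules must be satisfied by the same grant: it covers the target
    NRN and its role is allowed to assign the requested role."""
    return any(covers(g.nrn, target) and role in GRANTABLE.get(g.role, set())
               for g in granter)

def can_remove(granter: list, existing: Grant) -> bool:
    """Removal, read here as: the remover holds Admin at or above the grant's NRN."""
    return any(g.role == "admin" and covers(g.nrn, existing.nrn) for g in granter)

def audit(requests: list) -> list:
    """Return the (user, role, nrn) requests that the rules do not permit."""
    return [(who, role, nrn) for who, grants, role, nrn in requests
            if not can_grant(grants, role, nrn)]

if __name__ == "__main__":
    # Constructed sample data, not real nullplatform identifiers.
    ns_admin = [Grant("admin", ("org-1", "acc-1", "ns-1"))]
    acc_ops = [Grant("ops", ("org-1", "acc-1"))]
    requests = [
        ("alice", ns_admin, "developer", ("org-1", "acc-1", "ns-1", "app-1")),  # allowed
        ("alice", ns_admin, "admin", ("org-1", "acc-1")),       # above her level
        ("alice", ns_admin, "member", ("org-1", "acc-1", "ns-2")),  # sibling namespace
        ("bob", acc_ops, "ci", ("org-1", "acc-1", "ns-1")),     # allowed: Ops grants CI
        ("bob", acc_ops, "developer", ("org-1", "acc-1")),      # Ops cannot grant Developer
    ]
    for denied in audit(requests):
        print("denied:", denied)
```

Because each grant is evaluated on its own, a user holding Ops at the organization and Admin on one namespace cannot combine the two to hand out Developer at the account level.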