| 1 | +:_mod-docs-content-type: PROCEDURE |
| 2 | + |
| 3 | +[id="proc-managing-orchestrator-plugin-permissions-using-rbac-policies_{context}"] |
| 4 | += Managing Orchestrator plugin permissions using RBAC policies |
| 5 | + |
| 6 | +You can configure Role-Based Access Control (RBAC) policies so that users can view workflow details without the permission to run those workflows. This configuration limits user interaction to explicitly authorized workflows. |
| 7 | + |
| 8 | +.Prerequisites |
| 9 | +• You have identified the specific [`workflowId`] for each workflow you want to restrict. |
| 10 | +• You have enabled the RBAC plugin and configured the `policies-csv-file` path in your `{my-app-config-file}`. |
| 11 | + |
| 12 | +.Procedure |
| 13 | +. Identify the `workflowId` from your workflow definition file as shown in the following example: |
| 14 | ++ |
| 15 | +[source,yaml] |
| 16 | +---- |
| 17 | +id: greeting |
| 18 | +version: '1.0' |
| 19 | +---- |
| 20 | +. Create or update your RBAC policy CSV file to define permissions. Use the format `p, role, permission, action, allow`. |
| 21 | ++ |
| 22 | +[NOTE] |
| 23 | +==== |
| 24 | +You can grant access using generic permissions, (for example, `orchestrator.workflow`) or specific permissions targeting a `workflowId`, (for example, `orchestrator.workflow.greeting`). Generic permissions take precedence; you cannot grant generic access and then selectively deny a specific ID. |
| 25 | +==== |
| 26 | + |
| 27 | +. Add the following example policies to your CSV file to establish basic user and administrator roles: |
| 28 | ++ |
| 29 | +[source,yaml] |
| 30 | +---- |
| 31 | +# Minimal user role - can only view and run specific workflows |
| 32 | +p, role:default/workflowUser, orchestrator.workflow.greeting, read, allow |
| 33 | +p, role:default/workflowUser, orchestrator.workflow.use.greeting, update, allow |
| 34 | +# Support role - can view all workflows and instances, but not execute |
| 35 | +p, role:default/workflowSupport, orchestrator.workflow, read, allow |
| 36 | +p, role:default/workflowSupport, orchestrator.instanceAdminView, read, allow |
| 37 | +# Full admin role - complete access to all Orchestrator functions |
| 38 | +p, role:default/workflowAdmin, orchestrator.workflow, read, allow |
| 39 | +p, role:default/workflowAdmin, orchestrator.workflow.use, update, allow |
| 40 | +p, role:default/workflowAdmin, orchestrator.workflowAdminView, read, allow |
| 41 | +p, role:default/workflowAdmin, orchestrator.instanceAdminView, read, allow |
| 42 | +# Assign users to the roles |
| 43 | +g, user:default/example_user, role:default/workflowUser |
| 44 | +---- |
| 45 | +. Enable permissions in your `{my-app-config-file}` file by adding the `orchestrator` plugin to the `rbac` section and set `policyFileReload` to true. |
| 46 | ++ |
| 47 | +[source,subs="+attributes,+quotes"] |
| 48 | +---- |
| 49 | +permission: |
| 50 | + enabled: true |
| 51 | + rbac: |
| 52 | + policies-csv-file: <absolute_path_to_the_policy_file> |
| 53 | + pluginsWithPermission: |
| 54 | + - orchestrator |
| 55 | + policyFileReload: true |
| 56 | + admin: |
| 57 | + users: |
| 58 | + - name: user:default/YOUR_USER |
| 59 | +---- |
| 60 | +. Restart the application to apply the changes. |
| 61 | + |
| 62 | +.Verification |
| 63 | +. Log in as a user assigned to the `workflowUser` role. |
| 64 | +. Navigate to the Orchestrator plugin and verify that you can see the workflow in the list. |
| 65 | + |
| 66 | +[IMPORTANT] |
| 67 | +==== |
| 68 | +You can view dynamic permissions containing a `workflowId` in the RBAC UI, but you cannot modify them in the interface. Use the policy CSV file or the RBAC API to manage these specific workflow permissions. |
| 69 | +==== |
| 70 | + |
| 71 | +[role="_additional-resources"] |
| 72 | +.Additional resources |
| 73 | +* For more information on `casbin` rules, see link:https://www.casbin.org/docs/rbac[RBAC documentation]. |
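Review bot: the policy-file listing introduced at new-file line 29 is tagged `[source,yaml]`, but its body is the Casbin CSV format the step itself describes (`p, role, permission, action, allow`), so the tag should be `[source,csv]` (or an untyped `[source]`) to keep the highlighter from mis-rendering the `#` comments and comma-separated lines. Two smaller points in the same hunk: the first prerequisite, `You have identified the specific [`workflowId`]`, has stray square brackets around the monospace term; and the Verification section only confirms that a `workflowUser` can see the workflow. Given that the module's stated goal is letting users view workflow details without permission to run them, consider adding a negative check, for example logging in as a user assigned to `role:default/workflowSupport` and confirming the workflow is listed but cannot be executed. That catches an over-broad `orchestrator.workflow.use` grant before rollout, which matters because the NOTE states generic permissions take precedence and cannot be selectively denied per `workflowId`.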