Last updated

rbac

Access control is done using RBAC (role-based access control). Use team-based access controls to assign permissions required to files and project access. By default, all authenticated users are assigned to the authenticated team, and unauthenticated users are automatically assigned to the anonymous team. All other configuration is done through team-role mapping.

Options

Configuration map

OptionTypeDescription
reunite[Team to role map]Describes project role for the given team. Use this option when needs to manage project access to a specific team, like allowing the team to manage branches or builds.
content[Content configuration]Describes file access for the given team. Use this option when needs to manage file access to a specific team. This option is used for page access as well.
teamFolders[Team folder]Use with pattern-based access to describe the folders that can be accessed in this way. Only folders listed here can have access granted through pattern-based access. This option is used in combination with the teamNamePatterns option.
teamFoldersBaseRoles[Team to role map]Default access for named teams to the folders defined in the teamFolders list.
teamNamePatterns[Team name pattern]Team name pattern for giving pattern-based access to the folders in teamFolders. This option is used in combination with the teamFolders option.

Team to role map

OptionTypeDescription
team namenone, read, write, triage, maintain, or adminMap of teams to project roles. The team names come from a possible list of anonymous (meaning all users who are not logged in), authenticated (meaning any user who is logged in), and team names that come from the identity provider through the single-sign-on (SSO) configuration. In addition, the team name * represents the rest of the teams not defined in sibling properties including anonymous and authenticated. Possible values for project roles are: none, read, write, triage, maintain, or admin.

Content configuration

OptionTypeDescription
{glob pattern}*[Team to role map]Use the glob pattern to define the team and role for specific page access, or using the unique key ** to describe all pages.

When describing team to project role relations, a special key * may be used. A project role assigned to that key will be applied to the rest of the teams that are not described for the given glob pattern.

In the following example, only users assigned to the Admin team can view the content on the secrets.md file:

rbac:
  content:
    secrets.md:
      'Admin': read

Team folder

OptionTypeDescription
/some/path/{teamPathSegment}stringTeam folder pattern. The {teamPathSegment} segment is used as the path segment.

Team name pattern

OptionTypeDescription
PREFIX-{teamPathSegment}-{projectRole}stringThe format that the team name follows. The prefix is optional but can be useful if you have many teams. The {teamPathSegment} is used as the path segment where the role access is applied, and the {projectRole} part sets the access level. The {teamPathSegment} segments are transformed to lower case.

Examples

File access

In the following example, default team permissions are assigned to all pages that do not match any other glob patterns. Different permissions are assigned to the developer-keys.md page, the pages in the /secret/chapter folder, and any TypeScript (.tsx) pages:

rbac:
  content:
    '**':
      Admin: admin
      Developer: maintain
      Employee: read
      anonymous: none
      authenticated: read
    developer-keys.md:
      Developer: read
    '/secret/chapter':
      Admin: write
      Developer: read
      Employee: read
      authenticated: none
    '**/*.tsx':
      Developer: write

Project access

In the following example, only the Developer team can create a branch, create a pull request, or create a deploy.

rbac:
  reunite:
    Developer: write

Pattern-based access

Define the folders and the patterns that the team names match. The following is an example configuration; the curly braces { and } and the placeholder names are shown as they should be used in a configuration file.

  teamFolders:
    - /docs/{teamPathSegment}
    - /apis/{teamPathSegment}
  teamNamePatterns:
    - REDOCLY-{teamPathSegment}-{projectRole}
    - BUSINESS-{teamPathSegment}-{projectRole}

Given the above configuration and the following list of team names:

  • REDOCLY-PEARL-triage
  • REDOCLY-PEARL-admin
  • BUSINESS-AMETHYST-maintain

The effective access control settings would be like the following example configuration:

rbac:
  reunite:
    REDOCLY-PEARL-triage: triage
    REDOCLY-PEARL-admin: admin
    BUSINESS-AMETHYST-maintain: maintain
  content:
    '/docs/pearl/**':
      REDOCLY-PEARL-triage: triage
      REDOCLY-PEARL-admin: admin
      authenticated: read
    '/apis/pearl/**':
      REDOCLY-PEARL-triage: triage
      REDOCLY-PEARL-admin: admin
      authenticated: read
    '/docs/amethyst/**':
      BUSINESS-AMETHYST-maintain: maintain
      authenticated: read
    '/apis/amethyst/**':
      BUSINESS-AMETHYST-maintain: maintain
      authenticated: read
  • sso is used to identify users.

Resources