Configure RBAC for projects

Configure RBAC globally inside the redocly.yaml file in the root of your project. Team role assignments in the redocly.yaml file are applied to all pages in your project, unless there are rbac configurations in the front matter or content of a page. RBAC configuration has two different scopes to manage access: files and project access. Files access is specified under content object and project administration access under reunite.

Specify roles in the defaults scope

The defaults scope sets team permissions for otherwise non-specified files. If you do not set the defaults scope, teams are assigned the write role as the public scope for any unspecified files in the project.

To specify roles in the defaults scope:

In your redocly.yaml configuration file, add the ** scope option in the rbac configuration under the content object. For example:
```
rbac:
  content:
    '**':
```
Add the team names with the value of the role you want to assign them. For example, the following example configuration assigns the maintain role to the Developers team in the ** scope:
```
rbac:
  content:
    '**':
      Developers: maintain
```

Team names must match the team names imported from your identity provider, configured in your SSO configuration, or added in the Admin panel.

Specify roles in specific scopes

If you want to limit access for specific files in your project you can create specific scopes using a glob pattern and assign teams roles within those scopes.

To specify roles in scopes:

In your redocly.yaml configuration file, add the glob pattern scope option inside the rbac configuration under the content object. For example, the following example configuration creates a scope that includes all Markdown files:
```
rbac:
  content:
    '*.md':
```
Add the team names with the value of the role you want to assign them. For example, the following example configuration assigns the write role to the Writers team in the '*.md' scope:
```
rbac:
  content:
    '*.md':
      Writers: write
```

Specify roles for project access

If you need to manage access to the project, like allowing users to create branches or deploy, you can assign teams roles inside the rbac configuration under the reunite object.

To specify roles for project:

In your redocly.yaml configuration file, add the reunite object under the rbac object. For example:
```
rbac:
  reunite:
```
Add the team names with the value of the role you want to assign them. For example, the following example configuration assigns the write role to the Writers team in the project:
```
rbac:
  reunite:
    Writers: write
```

Use environment variables for roles

You can use environment variables to specify roles in the rbac configuration of redocly.yaml file. This is useful if you want to use different roles for different environments. To use environment variables, you can use the following syntax:

rbac:
  reunite:
    Writers: '{{process.env.RBAC_WRITERS_ROLE}}'
  content:
    '**':
      Developers: '{{process.env.RBAC_DEVELOPERS_ROLE}}'
      Writers: write

To require users to log in to your project to view content, you must add the following rbac configuration to your redocly.yaml file:

rbac:
  content:
    '**':
      authenticated: read

This configuration adds a login page where users can log in using the identity providers you have added in Reunite. For more information on adding IdPs in Reunite, see Add an identity provider. If you want to limit users to a particular IdP, see Configure SSO.

Resources

Learn more about RBAC (role-based access control) in the concept documentation.
Follow step-by-step instructions for How to configure RBAC.
See full configuration details in the rbac configuration reference.
Check out the x-rbac OpenAPI extension documentation to apply RBAC permissions to specific objects in OpenAPI reference documentation.