Custom Roles
env0's Custom Roles
env0's Custom Role allows you to restrict access based on predefined roles of individual users & teams within your organization. It helps ensure users access only information they need to do their jobs and prevents them from accessing information that doesn't pertain to them.
Feature Availability
Custom Roles are only available to Enterprise level customers. Click here for more details
Role Creation & Management
First, create a role with your desired permissions.
This can be done in the organization settings page -> roles tab -> add role button.
You can also edit or delete roles from that page.
More On Role Deletion
When roles are deleted while being assigned the users \ team will update according to the role assignment level:
If the role assignment level is by the organization, the user will receive the default "User" role.
If the role assignment level is by the project the user will lose access to that project and have no role in it.
If the role assignment level is by the environment the user will lose access to that environment and have no role in it.
Role Assignment
Roles can be assigned to users or to teams.
- "Organization Roles" - can be assigned on the organization settings page in the Users tab (Teams can only be assigned as a Project Role)
- "Project Roles" - can be assigned on the project setting page in either the Users or Teams tab.
- "Environment Roles" - can be assigned on the environment page in the Access tab.
More On Role Assignment
env0's RBAC is cascading, top to bottom, meaning that if a user has permission on an organization (via the role) he has that permission on every project or environment in that organization. (but not the other way around, project permissions apply for their particular projects only)
Custom Role Permissions
Deployment Permissions
| Permission | Description |
|---|---|
| Run Plans | Create an environment, redeploy & destroy - without apply (requires approval) |
| Run Applies | Create an environment, redeploy & destroy (without requiring approval), approve plans and update environment-level variables |
| Abort Deployments | Abort running deployments |
| Run Tasks | Run ad hoc commands on environments' workspaces |
| Create VCS Environment | Create an environment without use of a template. Used in conjunction with "Run Plans" or "Run Applies" |
Environment Permissions
| Permission | Description |
|---|---|
| Edit Environment Settings | Edit Continuous Deployment, Environment Triggers, Scheduling and Drift Detection |
| Edit VCS Settings | Edit IaC type, advanced settings and VCS details in VCS Environments |
| Archive Environment | Mark an environment as inactive (without destroying the underlying resources) |
| Lock/Unlock Environment | Lock environment, preventing changes to the underlying resources |
| Override Max TTL | Extend environments' TTL beyond the project/organization policy |
| Override project's max-environments policy | Allow creating more environments in a project than a project's policy allows |
| View Environment | See environment in Environment's list, view its settings, variables and logs |
| Assign roles on environment | Assign roles for environment(s) |
Project Permissions
| Permission | Description |
|---|---|
| View Project | See project in Projects list, view project settings, templates, variables and environments, within a specific project |
| Edit Project Settings | Edit Project Settings & Variables |
| Manage Project Templates | Manage which templates can be used to create environments, within a specific project |
| Create Project | Create new projects |
Organization Permissions
| Permission | Description |
|---|---|
| View Organization | View organization variables, templates and modules |
| Edit Organization Settings | Edit organization settings and variables |
| Create & Edit Templates | Create and edit templates in the organization |
| Create & Edit Modules | Create and edit modules in the organization's private module registry |
| Create & Edit Providers | Create and edit providers in the organization's private provider registry |
| Create Cross-Project Environment Triggers | Make an Environment's from one project, trigger an environment in another project |
| View Modules | View and download modules from the organization's private module registry |
| View Providers | View and download providers from the organization's private providers registry |
| Create & Edit Custom Roles | Create and edit custom roles in the organization |
| View Dashboard | View the organization's dashboard |
| View Audit Logs | View the logs for all the events in the organization |
| Manage Billing Information | Change pricing plan and billing data |
Remote Backend Permissions
| Permission | Description |
|---|---|
| Read State | Read the remote state |
| Write State | Edit the remote state |
| Force Unlock Workspace | Allowing to force unlock your workspace |
Updated about 2 months ago