Access Control Lists

Access Control Lists (ACLs) are used to limit access to specific resources within a hub based on role.

ACL Resources

ACLs can be applied to the following resource types on Cycle:

ACL Permissions

There are three ACL permissions that can be toggled on and off per role listed on the ACL.

  • view: the role can view the resource
  • modify: the role can change the resource itself, but excludes the ability to delete the resource or modify the ACL of the resource
  • manage: the role can delete the resource and the role can update the ACL for the given resource

When a role is set on an ACL, but no permissions are enabled, the role is essentially unable to interact with that resource in any capacity.

It is possible to combine the three permissions in any way, such as enabling modify and manage but not view (though this will make the resource impossible to view in the Portal).

Combining Capabilities and ACLs

Capabilities dictate what a role CAN do within a hub, while the ACL limits what the role can do on a resource.

For example, say we wanted to grant "view" permissions to an environment for a role. That role MUST have the environments-view capability, otherwise it would not be able to view the environment with the ACL, even with that role specifically set to view. The role is not "capable" of viewing environments, so the ACL doesn't matter.

Layering Cluster ACLs with Cluster Resources

Some resources, such as environments, fall under a cluster. When an environment or other cluster resource does not have its own ACL set, it will be subject to the ACL of the cluster instead.

| Resource | View | Modify | Manage | Description |
|---|---|---|---|---|
| Environment | ✓ | - | - | Can view environment, but make no changes to it |
| Environment | ✓ | ✓ | - | Can view/make changes to environment, but cannot delete it or modify its ACL |
| Environment | ✓ | ✓ | ✓ | Can view/make changes to an environment, and can delete it and modify its ACL |
| Environment | - | - | - | Falls back to cluster ACL |
| Cluster | ✓ | - | - | Can view cluster and any environments in cluster that don't have a more specific ACL |
| Cluster | ✓ | ✓ | - | Can view/make changes to cluster and any environments in the cluster that don't have a more specific ACL, delete any environments in the cluster, modify the ACLs of environments in the cluster, but cannot delete the cluster or modify the cluster ACL. |
| Cluster | ✓ | ✓ | ✓ | Can view/make changes to cluster and any environments in the cluster that don't have a more specific ACL, and can delete the cluster and modify the cluster's ACL |
| Cluster | - | - | - | Cannot view, modify, delete, or manage the ACL of the cluster or any resources in the cluster. |
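
The layering described above can be checked with a small model when reviewing what a role can actually do to an environment. This is an added example, not Cycle's implementation or API: the function names are hypothetical, only the environments-view capability name comes from this page (the others are placeholders), and it assumes that a role listed on an environment ACL with no permissions is denied while only an environment with no ACL of its own falls back to the cluster ACL.

```python
from typing import Optional, Set, Tuple

# Capability a role needs before any ACL is consulted. "environments-view" is
# named on this page; the other three names are placeholders, not Cycle identifiers.
REQUIRED_CAPABILITY = {
    "view": "environments-view",
    "modify": "placeholder-environments-modify",
    "delete": "placeholder-environments-delete",
    "update_acl": "placeholder-environments-acl",
}

# Permission that authorizes each action when the environment has its own ACL.
ENV_ACL_PERMISSION = {"view": "view", "modify": "modify",
                      "delete": "manage", "update_acl": "manage"}

# Cluster permission that authorizes each action on fallback. Per the table,
# cluster "modify" also covers deleting environments and editing their ACLs.
CLUSTER_FALLBACK_PERMISSION = {"view": "view", "modify": "modify",
                               "delete": "modify", "update_acl": "modify"}


def environment_decision(action: str, capabilities: Set[str],
                         env_acl: Optional[Set[str]],
                         cluster_acl: Set[str]) -> Tuple[bool, str]:
    """Return (allowed, deciding layer) for one action on an environment.

    env_acl is the set of permissions enabled for the role on the environment
    ACL, or None when the environment has no ACL of its own (assumption).
    cluster_acl is the set enabled for the role on the cluster ACL.
    """
    # Capabilities gate everything: without one, the ACL doesn't matter.
    if REQUIRED_CAPABILITY[action] not in capabilities:
        return False, "missing capability"
    # A more specific environment ACL wins, even if it grants nothing.
    if env_acl is not None:
        return ENV_ACL_PERMISSION[action] in env_acl, "environment ACL"
    # No environment ACL: the cluster ACL applies instead.
    return CLUSTER_FALLBACK_PERMISSION[action] in cluster_acl, "cluster ACL (fallback)"


def effective_actions(capabilities: Set[str], env_acl: Optional[Set[str]],
                      cluster_acl: Set[str]) -> Set[str]:
    """All environment actions the role ends up with, for access reviews."""
    return {a for a in REQUIRED_CAPABILITY
            if environment_decision(a, capabilities, env_acl, cluster_acl)[0]}
```

Running effective_actions for each role over the environments that have no ACL of their own shows where cluster-level modify quietly grants delete and ACL-edit rights on those environments.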