Access Control Lists (ACLs) are used to limit access to specific resources within a hub based on role.
ACL Resources
ACLs can be applied to the following resource types on Cycle:
ACL Permissions
There are three ACL permissions that can be toggled on and off per role listed on the ACL.
view: the role can view the resourcemodify: the role can change the resource itself, but excludes the ability to delete the resource or modify the ACL of the resourcemanage: the role can delete the resource and the role can update the ACL for the given resource
When a role is set on an ACL, but no permissions are enabled, the role is essentially unable to interact with that resource in any capacity.
It is possible to combine any 3 permissions, such as modify and manage, but not view (though this will make it impossible to view in the Portal).
Combining Capabilities and ACLs
Capabilities dictate what a role CAN do within a hub, while the ACL limits what the role can do on a resource.
For example, say we wanted to grant "view" permissions to an environment for a role. That role MUST have the environments-view capability, otherwise it would not be able to view the environment with the ACL, even with that role specifically set to view. The role is not "capable" of viewing environments, so the ACL doesn't matter.
Layering Cluster ACLs with Cluster Resources
Some resources, such as environments, fall under a cluster. When an environment or other cluster resource does not have its own ACL set, it will be subject to the ACL of the cluster instead.
Resource | View | Modify | Manage | Description |
|---|---|---|---|---|
Environment | <FontAwesomeIcon icon={faCheck} /> | Can view environment, but make no changes to it | ||
Environment | <FontAwesomeIcon icon={faCheck} /> | <FontAwesomeIcon icon={faCheck} /> | Can view/make changes to environment, but cannot delete it or modify its ACL | |
Environment | <FontAwesomeIcon icon={faCheck} /> | <FontAwesomeIcon icon={faCheck} /> | <FontAwesomeIcon icon={faCheck} /> | Can view/make changes to an environment, and can delete it and modify its ACL |
Environment | Falls back to cluster ACL | |||
Cluster | <FontAwesomeIcon icon={faCheck} /> | Can view cluster and any environments in cluster that don't have a more specific ACL | ||
Cluster | <FontAwesomeIcon icon={faCheck} /> | <FontAwesomeIcon icon={faCheck} /> | Can view/make changes to cluster and any environments in the cluster that dont have a more specific ACL, delete any environments in the cluster, modify the ACLs of environments in the cluster, but cannot delete the cluster or modify the cluster ACL. | |
Cluster | <FontAwesomeIcon icon={faCheck} /> | <FontAwesomeIcon icon={faCheck} /> | <FontAwesomeIcon icon={faCheck} /> | Can view/make change to cluster and any environments in the cluster that don't have a more specific ACL, and can delete the cluster and modify the cluster's ACL |
Cluster | Cannot view, modify, delete, or manage the ACL of the cluster or any resources in the cluster. |