Make user roles available in approval policies input data

In the same way that group membership is shown as part of the approval policies input data, we would like the new custom roles to also be part of this input data.

Workaround
Use the IdP-provided groups, or enable login policies to automatically add groups to users that have a certain role.
Problem
Our organisation uses a somewhat special approach towards authn/authz, where the IdP only provides authentication. Authorisation is managed via a system of temporary permissions. We are in the process of implementing this approach in Spacelift. The process is as follows:

- We predefine a set of Spacelift roles.
- The basic role is given to every user allowed to log in by the IdP. This is a read-only role.
- For the remaining roles, users request them via a CLI tool, for a specific space, for a predefined amount of time.
- This tool invokes a service that, using the Spacelift GraphQL API, binds roles to spaces and users for x amount of time.
- Once that time passes, the binding is deleted.

The issue comes when we need to verify approvals, as the roles are not available in the approval policy, so we have to resort to IdP group membership, which breaks our patterns a bit. We know that we could enable login policies and make a mapping between roles and groups, so that when a user with a certain role logs in they automatically get a specific group, but this would force us to enable login policies only for that specific case, losing all the simplicity of the user management. This is why we would like to make the roles available as part of the input data of the approval policy.
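To make the difference between the workaround and the requested behaviour concrete, the following Rego approval policy is an added example and not code from the original post or from Spacelift. The group-based rule relies on the `input.reviews.current.approvals[_].session.teams` shape of Spacelift approval policy input as recalled from the product documentation (treat the exact path as an assumption); the role-based rule uses a hypothetical `session.roles` field that only exists if the request above is implemented, and the group and role names are constructed placeholders.

```rego
package spacelift

# Added example (not from the original post). Assumed input shape:
#   input.reviews.current.approvals[_].session.login  - approver login
#   input.reviews.current.approvals[_].session.teams  - approver's IdP groups
# Verify these paths against the current Spacelift approval policy docs.

# Workaround form: collect the logins of approvers who belong to a given
# IdP group. Because group membership is assigned at login time, this only
# reflects temporary role bindings if a login policy maps roles to groups.
approvers_in_group(group) = logins {
  logins := {a.session.login |
    a := input.reviews.current.approvals[_]
    a.session.teams[_] == group
  }
}

# Requested form: the same check against role bindings. "session.roles" is a
# hypothetical field named here for illustration; it is what the post asks
# to have exposed so that time-limited role bindings drive approvals directly.
approvers_with_role(role) = logins {
  logins := {a.session.login |
    a := input.reviews.current.approvals[_]
    a.session.roles[_] == role
  }
}

# Approve when at least one approver holds the (placeholder) approver role,
# falling back to the (placeholder) IdP group while roles are unavailable.
approve {
  count(approvers_with_role("space-approver")) >= 1
}

approve {
  count(approvers_in_group("space-approvers-group")) >= 1
}
```

Keeping both rules side by side lets an organisation migrate from group-based to role-based approvals without a window where no rule matches; once roles are present in the input, the group fallback can be removed so that approvals are bound only to the time-limited role bindings.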

Status

✅ Completed

Board

💡 Feature Requests

Tags

Access Control

Date

4 months ago
