Permission Sets

Configure Permission Sets in DuploCloud for granular access control

Permission Sets in DuploCloud provide a comprehensive access-control mechanism that lets administrators assign fine-grained permissions to individual users, giving each user access to specific resources.

Key Features of DuploCloud Access Control

  • API-Level Permissions: Administrators can define permissions at the API level. For example, a specific user can be denied access to read secrets in the prod01 Tenant while still having full Kubernetes permissions.

  • Granular Access Control: Permissions can be granted or denied at different levels:

    • API Level: Allows or denies access to specific APIs.

    • Resource Type Level: Restricts access to resource types such as S3, SQS, etc.

  • Regular Expression Support: Policies can utilize regex patterns for ApiNames, HttpMethods, and resource types to define flexible access rules.

  • Tenant-Based Access: Policies can be scoped to one, multiple, or all Tenants.

  • User-Based Assignment: Permissions can be directly assigned to users.

Permission Set Concepts

Permission Set

A Permission Set defines access rules through a combination of allow and deny policies:

  • Policy Precedence: Each Permission Set has a numeric priority value. The lower the number, the higher the precedence (e.g., a Permission Set with priority value 5 overrides one with priority value 10). If multiple Permission Sets are assigned to a user, the policies in the set with the lowest number will override those in others. We recommend starting with a higher priority value (e.g., 50) so you can add higher-priority Permission Sets later if needed.

  • Tenant-Specific Application: Each Permission Set applies to a defined set of Tenants.

  • User Mapping: Each DuploCloud user is associated with one or more Permission Sets.

Policy Structure

Each policy within a Permission Set defines access rules based on the following parameters:

  • ResourceTypeRegex: Specifies the resource type the policy applies to (e.g., aws/s3, k8s/job).

  • ApiNameRegex: Matches specific API names to control access (e.g., GetSecretData).

  • HttpMethodRegex: Defines which HTTP methods are allowed or denied (e.g., GET, PUT, POST, DELETE).

Matching Logic

DuploCloud evaluates all Permission Sets assigned to the user and uses the following logic:

  • Tenant Filtering: Permission Sets not applicable to the current Tenant are ignored.

  • Priority Evaluation: All applicable Permission Sets are sorted by their priority. Lower priority numbers are evaluated first.

  • Policy Match: The first matching policy (deny or allow) found in the sorted list determines the result.

  • Default Deny: If no matching policy is found, access is denied by default with a 400 error.

System-Wide Permission Set

A System-Wide Permission Set applies globally across all DuploCloud users. It is typically used in the following scenarios:

  • Allow-All Permission: Set a system-wide allow-all permission for backward compatibility.

  • Explicit Deny Rules: Introduce specific deny rules for individual resources as necessary, overriding the global allow settings.
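The matching logic and the system-wide allow-all plus explicit-deny pattern described above, modeled as an added example (this is not DuploCloud's code). The class names, the `"*"` all-Tenants marker, the API name strings, full-string case-insensitive regex matching, and in-order policy evaluation within a set are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Policy:
    effect: str               # "allow" or "deny"
    resource_type_regex: str  # ResourceTypeRegex
    api_name_regex: str       # ApiNameRegex
    http_method_regex: str    # HttpMethodRegex

    def matches(self, resource_type, api_name, method):
        # Assumption: patterns must match the whole value, case-insensitively.
        pairs = ((self.resource_type_regex, resource_type),
                 (self.api_name_regex, api_name),
                 (self.http_method_regex, method))
        return all(re.fullmatch(p, v, re.IGNORECASE) for p, v in pairs)

@dataclass
class PermissionSet:
    name: str
    priority: int             # lower number = higher precedence
    tenants: set              # Tenant names, or {"*"} for all Tenants (assumed marker)
    policies: list = field(default_factory=list)

def evaluate(sets, tenant, resource_type, api_name, method):
    """Return (decision, name of the deciding Permission Set or None)."""
    # 1. Tenant filtering: ignore sets that do not apply to this Tenant.
    applicable = [s for s in sets if "*" in s.tenants or tenant in s.tenants]
    # 2. Priority evaluation: lowest priority number first.
    for ps in sorted(applicable, key=lambda s: s.priority):
        # 3. Policy match: first matching policy decides (listed order assumed).
        for pol in ps.policies:
            if pol.matches(resource_type, api_name, method):
                return pol.effect, ps.name
    # 4. Default deny when nothing matches.
    return "deny", None

# Constructed sample data: a system-wide allow-all plus two narrower deny sets.
SETS = [
    PermissionSet("allow-all", 50, {"*"}, [Policy("allow", ".*", ".*", ".*")]),
    PermissionSet("deny-k8s-job", 5, {"prod01"},
                  [Policy("deny", "k8s/job", ".*k8s/job.*", ".*")]),
    PermissionSet("deny-secret-read", 10, {"prod01"},
                  [Policy("deny", ".*", "GetSecretData", "GET")]),
]
```

Whether the platform anchors its patterns is not stated on this page; under unanchored matching, `k8s/job` would also match longer resource type names that contain it, so check deny patterns against neighbouring resource types before relying on them.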

Configuring Permission Sets in DuploCloud

Configure Permission Sets and apply access restrictions in DuploCloud to manage user access. The example below uses a deny policy to restrict users from accessing Kubernetes Jobs in the DuploPortal.

  1. In the DuploCloud Portal, navigate to Administrator Permissions.

  2. Click Add Permission Set. The Add Permission Set pane displays.

  3. Complete the following fields:

    • Name: Enter a meaningful name for the Permission Set (e.g., deny-k8s-job).

    • Scope: From the Scope list box, select the appropriate scope for the Permission Set (e.g., User).

    • Priority: Enter a numerical value greater than 0. Lower values give this Permission Set higher precedence when multiple are assigned to the same user.

    • Applicable Tenants: Select the applicable Tenants or choose All Tenants.

    • Allow or Deny Policy: Click Add Allow Policy or Add Deny Policy, and configure the following fields:

      • Resource Type RegEx: Enter the resource type the policy will apply to. For example, k8s/job to target Kubernetes Jobs.

      • API Name RegEx: Enter a regular expression that matches the API name for the resource. For example, .*k8s/job.* will match any API calls related to Kubernetes Jobs.

      • Method: Choose the HTTP method for which the policy applies: GET, POST, PUT, DELETE, or ALL.

  4. Click Save to create the Permission Set.

Assigning Users to a Permission Set

After creating a Permission Set, assign specific users to it:

  1. In the DuploCloud Portal, navigate to Administrator Permissions.

  2. Select the Permission Set from the NAME column. The Permission Set details page displays.

  3. Click on the User tab.

  4. Add the list of users to whom the Permission Set should apply. In the example, userA and userB are explicitly denied access to Kubernetes Jobs across the selected Tenants.

  5. Click Save.

Testing Permission Set Configuration

To test if a Permission Set is correctly applied, follow these steps:

  1. Have the specific users attempt to access a resource the Permission Set applies to (e.g., userA or userB attempt to access the Kubernetes Jobs section in the DuploCloud portal).

  2. Verify that they receive an error message, such as: Access Denied: You do not have permission to access Kubernetes Jobs. If the error appears, it confirms that the policy has been successfully applied, blocking unauthorized access to the resource.
