Inside Cycloid permissions are handled by roles which are an aggregation of policies. Those roles can then be assigned to a user at the organization level as a 'default role', or at a team level to provide extra permissions to a set of users within a team.
By default, 2 roles exist:
- The organization admin one: provides a full access over an organization.
- The organization member one: provides a read-only access over an organization.
Define the scope for individual actions. Those actions can be of various type: creating a project, deleting a credential, reading roles, etc.
These policies can also be narrowed down to specific entities. So that, if you were to have multiple projects, you could create a role containing policies only for a specific subset of project. Thus allowing you to have a thinner control on who can do what.
All the policies and entities are listed and accessible when creating a new role, as shown in the next section.
If no entity is given, then the policy will be applied to all entities within the organization
Roles represents a logical aggregation sets of policies & entities. New policies cannot be created, as they are based on the possible action within the product, but roles can.
Roles will be available at both organization & team level. Which means that if you create a "Role A", that can for example manage any project and environments, it will be possible to apply it either to a team, to increase the permissions of those team members, or at the organization level to make it their default role when logging in - assuming they are not part of some teams.
Permissions are handled in an 'incremental way', there is no forbidding rules.
Either you have a permission to do an action or you do not. If you were given in a role the possibility to read project A, and in another one project B, you will endup with the permissions to read project A and B.
A special role exists, the 'admin' one, which once given provide access to any actions on any resources within the current organization.
The organization role is defined upon invitation of other members, it can be
later on edit/updated by members who have access on it. To manage those members
please click on the
Members button on the left panel.
It is also possible to invite multiple members with the same role:
Teams are simply a gathering of people to which the same role(s) is applied.
This is meant to extend default permission of an organization member, and create logical group of people: because they work together, because there is some hierarchy, because of a temporary task to do, etc.
To create or manage teams, click on the
Teams button of the panel:
If you want to create a new team click on the
Create a new team button, or if
you want to manage an existing one, click on it:
In this silly example the 'Owl bot' account, which is admin of the organization, also gained the 'Organization Member' & 'Organization Owl' roles.