Permissions
Permissions are used to control user actions. Rather than provide a fixed set of roles we use a broader set of permissions that can be applied in any combination to establish the security you need.
Codenvy also provides a mechanisms and layers which allow to define “who” is allowed to do “what”. Any user and administrator can control resources managed by Codenvy and allow certain actions or behaviors for other users or groups. For example as owner of a workspace, you can grant other users permission to see and/or use your workspace.
Permissions can be applied to: - Workspace - Organization - Stack - Recipe - System
Permissions can be assigned to: - Users - Group of users (see teams)
Workspace Permissions
The user who creates a workspace is the workspace owner and has all permissions by default. Workspace owners can invite other users into the workspace and control their permissions for the workspace.
The following permissions are applicable to workspaces:
| Permission | Description |
|---|---|
| read | Allows reading a workspace’s configuration. |
| use | Allows using a workspace and interacting with it. |
| run | Allows starting and stopping a workspace. |
| configure | Allows defining and changing a workspace configuration. |
| setPermissions | Allows updating workspace permissions for other users. |
| delete | Allows deleting the workspace. |
Organization Permissions
An organization is a named set of users. Organizations are the underlying layer for teams in Codenvy.
The following permissions are applicable to organizations:
| Permission | Description |
|---|---|
| update | Allows editing of organization settings and information. |
| delete | Allows deleting an organization. |
| manageSuborganizations | Allows creating and managing sub-organizations. |
| manageResources | Allows redistribution of an organization’s resources and defining resource limits. |
| manageWorkspaces | Allows creating and managing all the organization’s workspaces. |
| setPermissions | Allows adding and removing users as well as updating their permissions. |
System Permissions
System permissions control aspects that affect the whole Codenvy installation.
The following permissions are applicable to organizations:
| Permission | Description |
|---|---|
| manageSystem | Allows control of the system, workspaces and organizations. |
| setPermissions | Allows updating of permissions for users on the system. |
| manageUsers | Allows creating and managing users. |
Super Priviliged Mode
The permission “manageSystem” can be extended to provide a super privileged mode that allows advanced actions to be performed on any resources managed by the system. A user with “manageSystem” permission is able read and stop any workspaces. To perform other actions on workspaces and organizations, the user will need to assign himself the permissions needed.
By default, this mode is disabled.
It is possible to activate this option by configuring the CODENVY_SYSTEM_SUPER_PRIVILEGED_MODE in the codenvy.env file.
Stack Permissions
A stack is a runtime configuration for a workspace, see stack definition.
The following permissions are applicable to a stack:
| Permission | Description |
|---|---|
| search | Allows searching of the stacks. |
| read | Allows reading of the stack’s configuration. |
| update | Allows updating of the stack’s configuration. |
| delete | Allows deleting of the stack. |
| setPermissions | Allows managing permissions for the stack. |
Recipe Permissions
A recipe defines part of the runtime of a workspace, see recipe definition.
The following permissions are applicable to a recipe:
| Permission | Description |
|---|---|
| search | Allows searching of the recipes. |
| read | Allows reading of the recipe’s configuration. |
| update | Allows updating of the recipe’s configuration. |
| delete | Allows deleting of the recipe. |
| setPermissions | Allows managing permissions for the recipe. |
Permissions API
All permissions can be managed by using the provided REST API. The APIs are documented using Swagger, as explained here.
The permissions API list can be accessed by: {host}/swagger/#!/permissions.
List Permissions
List the permissions which can be applied to a specific resources: GET /permissions : {host}/swagger/#!/permissions/getSupportedDomains
Applicable domain values are the following:
| Domain |
|---|
| system |
| organization |
| workspace |
| stack |
| recipe |
Note: domain is optional, in this case the API will return all possible permissions for all domains.
List Permissions for Specific User
List the permissions which are applied to a specific user: GET /permissions/{domain} : {host}/swagger/#!/permissions/getCurrentUsersPermissions
Applicable domain values are the following:
| Domain |
|---|
| system |
| organization |
| workspace |
| stack |
| recipe |
instance parameter corresponds to the ID of the resource you want to get the applied permissions.
List Permissions for All Users
List the permissions which are applied to a specific user (you must have sufficient permissions to allow you to see this information): GET /permissions/{domain}/all : {host}/swagger/#!/permissions/getUsersPermissions
Applicable domain values are the following:
| Domain |
|---|
| system |
| organization |
| workspace |
| stack |
| recipe |
instance parameter corresponds to the ID of the resource you want to get the applied permissions for all users.
Assign Permissions
Assign permissions to a resource: POST /permissions : {host}/swagger/#!/permissions/storePermissions
Applicable domain values are the following:
| Domain |
|---|
| system |
| organization |
| workspace |
| stack |
| recipe |
instance parameter corresponds to the ID of the resource you want to get the applied permissions for all users.
userId parameter corresponds to the ID of the user who want to grant certain permissions.
Sample body to grant user userID permissions to a workspace workspaceID:
{
"actions": [
"read",
"use",
"run",
"configure",
"setPermissions"
],
"userId": "userID",
"domainId": "workspace",
"instanceId": "workspaceID"
}