Re: Feature Narrative: Fine-granular & custom platform roles for Cloud Foundry


Peter Burkholder

This is really a promising step. cloud.gov uses "service accounts", https://cloud.gov/docs/services/cloud-gov-service-account/, which are implemented with: https://github.com/cloudfoundry-community/uaa-credentials-broker.  Usually these are used in CI/CD systems for deployments.

The service accounts are way too over-powered using the Developer role, so this is a great step to scoping deployer accounts to, well, deployments in a CD system. However, I think the Operator account is too restrictive for any real human operator, and too expansive for a CI deployer account.

I'd like to see Operator renamed to Deployer and have some further rights removed, like viewing other spaces or other users and roles, perhaps.

Or if there's a real need for the Operator role, then maybe add yet another role for Deployers (but that seems to be getting into IAM-level scope creep).

--Peter


On Wed, Dec 2, 2020 at 11:27 AM Klevenz, Stephan <stephan.klevenz@...> wrote:

Hi CF,


Here is a feature narrative and it is called "Fine-granular & custom platform roles for Cloud Foundry".


https://docs.google.com/document/d/1isfsSWvF8xDU0G69k4MqB3o5c2vB0P3Vbi79W0yvqFQ/edit?usp=sharing


This proposal is the result of direct feedback we have received from many CF users. It addresses the problem that every space developer can delete a service. And there may be important data attached to this service. Oops.

Comments, feedback, suggestions, and questions very welcome and appreciated!


Regards,

Stephan


--
Peter Burkholder |  cloud.gov compliance & security
please use cloud-gov-compliance@... for cloud.gov matters