Re: Feature Narrative: Fine-granular & custom platform roles for Cloud Foundry

Peter Burkholder

This is really a promising step. uses "service accounts", which are implemented with: Usually these are used in CI/CD systems for deployments.

The service accounts are way too over-powered using the Developer role, so this is a great step to scoping deployer accounts to, well, deployments in a CD system. However, I think the Operator account is too restrictive for any real human operator, and too expansive for a CI deployer account.

I'd like to see Operator renamed to Deployer and have some further rights removed, like viewing other spaces or other users and roles, perhaps.

Or if there's a real need for the Operator role, then maybe add yet another role for Deployers (but that seems to be getting into IAM-level scope creep).


On Wed, Dec 2, 2020 at 11:27 AM Klevenz, Stephan <stephan.klevenz@...> wrote:

Hi CF,


Here is a feature narrative and it is called "Fine-granular & custom platform roles for Cloud Foundry".


This proposal is the result of direct feedback we have received from many CF users. It addresses the problem that every space developer can delete a service. And there may be important data attached to this service. Oops.

Comments, feedback, suggestions, and questions very welcome and appreciated!
Peter Burkholder | compliance & security
please use cloud-gov-compliance@... for matters