Re: Feature Narrative: Fine-granular & custom platform roles for Cloud Foundry
This is really a promising step. cloud.gov uses "service accounts", https://cloud.gov/docs/services/cloud-gov-service-account/, which are implemented with: https://github.com/cloudfoundry-community/uaa-credentials-broker. Usually these are used in CI/CD systems for deployments.
The service accounts are way too over-powered using the Developer role, so this is a great step to scoping deployer accounts to, well, deployments in a CD system. However, I think the Operator account is too restrictive for any real human operator, and too expansive for a CI deployer account.
I'd like to see Operator renamed to Deployer and have some further rights removed, like viewing other spaces or other users and roles, perhaps.
Or if there's a real need for the Operator role, then maybe add yet another role for Deployers (but that seems to be getting into IAM-level scope creep).
On Wed, Dec 2, 2020 at 11:27 AM Klevenz, Stephan <stephan.klevenz@...> wrote:
Peter Burkholder | cloud.gov compliance & security
please use cloud-gov-compliance@... for cloud.gov matters