Re: Feature Narrative: Fine-granular & custom platform roles for Cloud Foundry


Duncan Mcintyre <mcintyredu@...>
 

I’m all for anything which gives finer grained control. At present customers like RBS wrap the cf api with their own tooling in order to limit who can do what – which is obviously not optimal.

 

Shame we never implemented the ability to define custom roles in the database rather than have them hard-coded.

 

D

 

Duncan McIntyre
Advisory Solutions Engineer

mcintyredu@...
Mobile: +44 7917 580 118


VMware

VMware

 

 

From: cf-dev@... <cf-dev@...>
Date: Wednesday, December 2, 2020 at 5:29 PM
To: cf-dev@... <cf-dev@...>
Subject: Re: [cf-dev] Feature Narrative: Fine-granular & custom platform roles for Cloud Foundry

This is really a promising step. cloud.gov uses "service accounts", https://cloud.gov/docs/services/cloud-gov-service-account/, which are implemented with: https://github.com/cloudfoundry-community/uaa-credentials-broker.  Usually these are used in CI/CD systems for deployments.

The service accounts are way too over-powered using the Developer role, so this is a great step to scoping deployer accounts to, well, deployments in a CD system. However, I think the Operator account is too restrictive for any real human operator, and too expansive for a CI deployer account.

I'd like to see Operator renamed to Deployer and have some further rights removed, like viewing other spaces or or other users and roles, perhaps.

 

Or if there's a real need for the Operator role, then maybe add yet another role for Deployers (but that seems to be getting into IAM-level scope creep).

 

--Peter

 

On Wed, Dec 2, 2020 at 11:27 AM Klevenz, Stephan <stephan.klevenz@...> wrote:

Hi CF,

 

Here is a feature narrative and it is called "Fine-granular & custom platform roles for Cloud Foundry".

 

https://docs.google.com/document/d/1isfsSWvF8xDU0G69k4MqB3o5c2vB0P3Vbi79W0yvqFQ/edit?usp=sharing

 

This proposal is the result of direct feedback we have received from many CF users. It addresses the problem that every space developer can delete a service. And there may be important data attached to this service. Oops.

Comments, feedback, suggestions, and questions very welcome and appreciated!

 

Regards,

Stephan

 

 



--

Peter Burkholder |  cloud.gov compliance & security

please use cloud-gov-compliance@... for cloud.gov matters

 

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.