Rundeck ACL policy - letting any user access the project


Nihar

Feb 25, 2015, 11:12:55 AM
to rundeck...@googlegroups.com
Hello,

I am trying to create an ACL policy where any user configured in our Rundeck can access project X. We have hundreds of users, so adding each user to that ACL policy is not a real solution.

I'd like any user to access project X without adding that user to that project's ACL policy. Is there any way?

thanks,
Nihar

Nihar

Feb 25, 2015, 2:31:24 PM
to rundeck...@googlegroups.com
Or is there any way I can add multiple projects to one single ACL policy?

For instance, projects X and Y under project X's ACL policy?

Moses Lei

Feb 25, 2015, 2:33:34 PM
to rundeck...@googlegroups.com
Is the totality of your users not in a group? Like "user" or "IT" or anything? Just target the group instead of individual users.

Moses Lei

Nihar

Feb 25, 2015, 2:42:08 PM
to rundeck...@googlegroups.com
They are all spread across 30 different groups; we create a new group as we onboard each new team.

Another solution would be if I could add project X to the existing 30 groups' policies, but I'm not sure how to go about that.

Moses Lei

Feb 25, 2015, 3:02:44 PM
to rundeck...@googlegroups.com
Are you using AD? What are you using for your "user" role in the LDAP mapping?

Or if you're using flat files, then just add the "user" group to every username. Easy.

Moses

--
Moses Lei
Principal, Village Chime LLC
mobile: +1 703 901 5969 | skype: moseslei | yahoo: moseslei

Nihar

Feb 25, 2015, 5:14:17 PM
to rundeck...@googlegroups.com
We are using AD.

I don't even know if my use case is even possible. Any feedback you can provide, maybe on adding multiple projects to one single ACL policy?

Currently this is what my ACL policy looks like with my username in it. This ACL policy doesn't grant users permission to edit the jobs under project X; I have to enter myself to get access to this project.

description: Project level access control. Applies to resources within a specific project.
context:
  project: 'X' # project name; treated as a regular expression
for:
  resource:
    - allow: [read] # read-only access to project resources
  adhoc:
    - allow: [] # no adhoc command execution
  job:
    - allow: [read,run,kill] # read/run/kill jobs, but no create/update/delete (so no editing)
  node:
    - allow: [read,run] # read and run on nodes
by:
  username: [nihar]

---

description: Application level access control, applies to creating/deleting projects, admin of user profiles, viewing projects and reading system information.
context:
  application: 'rundeck'
for:
  resource:
    - equals:
        kind: project
      allow: [read] # list projects, no create
    - equals:
        kind: system
      allow: [read] # read system info
    - equals:
        kind: user
      allow: [] # no user-profile changes
  project:
    - match:
        name: 'X' # treated as a regular expression
      allow: [read] # view project X only, no admin
by:
  username: [nihar]

Moses Lei

Feb 25, 2015, 5:17:13 PM
to rundeck...@googlegroups.com
You're not going to get any scale on managing permissions until you start using groups. Talk to your AD administrators and see if they can create a "rundeck users" group that all your users are in. Same with teams, they should have their own group that you can assign permissions to. Then in your aclpolicy assign permissions to the group. What you want should be doable, just read the documentation and talk to your AD people and see what you can come up with.

Moses


Greg Schueler

Feb 25, 2015, 5:17:22 PM
to Nihar, rundeck...@googlegroups.com
If you are trying to match multiple projects, the "context: project" value, as well as any "match:" value, is treated as a regular expression, so you can use ".*" to match all.

reference:

-- 
Greg Schueler

Nihar

Feb 25, 2015, 7:56:37 PM
to rundeck...@googlegroups.com, nihar...@gmail.com
That grants access to all projects if I do ".*".
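As an added example (not code from the thread or from Rundeck), the check below evaluates each policy's "context: project" value as a regular expression, as Greg describes, against the projects that exist on a server, so an administrator can see which projects a policy reaches before committing to a ".*". It assumes the .aclpolicy documents have already been loaded (for example with PyYAML's safe_load_all) into the dicts constructed inline, and that Rundeck requires the whole project name to match, as Java's Matcher.matches() does.

```python
import re

# Constructed sample policies, shaped like the dicts PyYAML's safe_load_all()
# returns for each '---'-separated document of a Rundeck .aclpolicy file.
SAMPLE_POLICIES = [
    {"description": "project X only",
     "context": {"project": "X"},
     "for": {"job": [{"allow": ["read", "run", "kill"]}]},
     "by": {"group": ["team-a", "team-b"]}},
    {"description": "projects X and Y in one policy",
     "context": {"project": "X|Y"},
     "for": {"job": [{"allow": ["read"]}]},
     "by": {"group": ["team-c"]}},
    {"description": "wildcard: every project",
     "context": {"project": ".*"},
     "for": {"job": [{"allow": ["read"]}]},
     "by": {"group": ["team-d"]}},
]

# Constructed list of the projects that exist on the Rundeck server.
KNOWN_PROJECTS = ["X", "Y", "XRAY", "Z"]


def projects_covered(policy, projects):
    """Return the names in `projects` that the policy's project context applies to.

    The 'context: project' value is treated as a regular expression (per the
    thread); assumption: the whole name must match, like Java's Matcher.matches().
    """
    pattern = policy.get("context", {}).get("project")
    if pattern is None:  # application-level document, no project context
        return []
    regex = re.compile(pattern)
    return [name for name in projects if regex.fullmatch(name)]


def audit(policies, projects, intended):
    """Map each policy description to the projects it covers, plus the ones
    outside `intended` (the over-grant a bare '.*' produces)."""
    report = {}
    for policy in policies:
        covered = projects_covered(policy, projects)
        unexpected = sorted(set(covered) - set(intended))
        report[policy["description"]] = {"covered": covered, "unexpected": unexpected}
    return report


if __name__ == "__main__":
    for desc, result in audit(SAMPLE_POLICIES, KNOWN_PROJECTS, ["X", "Y"]).items():
        flag = " <-- reaches unintended projects" if result["unexpected"] else ""
        print(f"{desc}: {result['covered']}{flag}")
```

The alternation "X|Y" is one way to cover two projects in a single policy without opening every project the way ".*" does.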