Version: 1.2.x

Configuring Permissions

Before you get started, make sure you:
✓ Familiarize yourself with TSB concepts
✓ Install the TSB demo environment
✓ Deploy the Istio Bookinfo sample app
✓ Create a Tenant
✓ Create a Workspace
✓ Create Config Groups

In this scenario, you will use the different AccessBindings to configure two access policies:

  • A policy that grants a team full access to a Workspace. The members of the team will be able to create and fully manage the resources in that Workspace, but won’t be able to modify the Workspace object itself. This is achieved by using the Creator role.
  • A policy that grants a specific user write permissions to a Group. The user will be able to modify the settings for that group and its contained configuration objects but won’t be able to create new resources or delete the existing ones. This is achieved by using the Writer role.

Using the UI

  • Under Tenant on the left panel, select Workspaces.
  • Click the desired Workspace to access its details page.
  • Click the Policy tab.
  • To see the list of teams, select the By Teams option.
  • The list of existing teams will appear.
  • Scroll to the desired one and click the Edit icon on the right.
  • Select the Creator role.
  • Click the Save Changes button at the bottom right.

To grant a user write permissions on a specific config group, repeat the same process for the Group:

  • Navigate to the Group’s Policy tab.
  • Use the By Users view to find the desired User.
  • Click the Edit icon and select the Writer role.
  • Click the Save Changes button at the bottom right.

Using tctl

Create the following access-policy.yaml file with the WorkspaceAccessBinding and the TrafficAccessBinding objects:

apiVersion: rbac.tsb.tetrate.io/v2
kind: WorkspaceAccessBindings
metadata:
  organization: tetrate
  tenant: tetrate
  workspace: bookinfo-ws
spec:
  allow:
    - role: rbac/creator
      subjects:
        # Change the name of the team to the desired one
        - team: organizations/tetrate/teams/application-team
---
apiVersion: rbac.tsb.tetrate.io/v2
kind: TrafficAccessBindings
metadata:
  organization: tetrate
  tenant: tetrate
  workspace: bookinfo-ws
  group: bookinfo-traffic
spec:
  allow:
    - role: rbac/writer
      subjects:
        # Change the name of the user to the desired one
        - user: organizations/tetrate/users/group-user

Apply with tctl:

tctl apply -f access-policy.yaml
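Before a file like access-policy.yaml is applied, it is worth listing exactly who is granted which role at which scope and catching the mistakes that slip in while editing subject names. The script below is an added example, not part of TSB or tctl: it works on the binding documents as Python dicts (the structure PyYAML's yaml.safe_load_all() returns for the file above), prints the effective grants, and reports an unknown role, a subject that is not a fully-qualified organizations/... path, a subject from a different organization than the binding, a subject key (team/user) that disagrees with its path, and, as a note rather than an error, any Creator-or-higher grant at workspace scope. The role set (rbac/reader and rbac/admin alongside the page's rbac/creator and rbac/writer), the ranking, and the bad document are assumptions constructed for the example; the two sample documents mirror the YAML on this page.

```python
"""Review helper for TSB access-binding documents (added example, not TSB or tctl code).

Works on the documents as Python dicts, which is what yaml.safe_load_all() returns
for access-policy.yaml, and reports the effective grants plus common mistakes.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: TSB's built-in roles, ranked by how much they allow. The page itself
# only uses rbac/creator and rbac/writer.
ROLE_RANK = {"rbac/reader": 1, "rbac/writer": 2, "rbac/creator": 3, "rbac/admin": 4}
BROAD_RANK = ROLE_RANK["rbac/creator"]  # creator and above can create and manage resources in scope

# Fully-qualified subject references, in the form the page's YAML uses.
SUBJECT_RE = re.compile(r"^organizations/(?P<org>[^/]+)/(?P<kind>users|teams)/(?P<name>[^/]+)$")


@dataclass(frozen=True)
class Grant:
    subject: str
    role: str
    scope: str


def scope_of(doc: dict) -> str:
    """Render the metadata block as tenant/workspace[/group], innermost level last."""
    md = doc["metadata"]
    parts = [f"tenant:{md['tenant']}"]
    for level in ("workspace", "group"):
        if level in md:
            parts.append(f"{level}:{md[level]}")
    return "/".join(parts)


def audit(docs: list[dict]) -> tuple[list[Grant], list[str]]:
    """Return (grants, findings). Findings prefixed 'note:' are worth a look, not errors."""
    grants: list[Grant] = []
    findings: list[str] = []
    for doc in docs:
        kind = doc.get("kind", "<no kind>")
        org = doc["metadata"]["organization"]
        scope = scope_of(doc)
        workspace_wide = "group" not in doc["metadata"]
        for entry in doc.get("spec", {}).get("allow", []):
            role = entry.get("role")
            if role not in ROLE_RANK:
                findings.append(f"{kind} {scope}: unknown role {role!r}")
            for subj in entry.get("subjects", []):
                # Each subject is a one-key mapping such as {"team": "organizations/..."}.
                (stype, ref), = subj.items()
                m = SUBJECT_RE.match(ref)
                if m is None:
                    findings.append(f"{kind} {scope}: subject {ref!r} is not fully qualified")
                elif m["org"] != org:
                    findings.append(
                        f"{kind} {scope}: subject {ref!r} belongs to organization "
                        f"{m['org']!r}, but the binding is in {org!r}"
                    )
                elif m["kind"] != stype + "s":
                    findings.append(f"{kind} {scope}: key {stype!r} does not match path {ref!r}")
                if workspace_wide and ROLE_RANK.get(role, 0) >= BROAD_RANK:
                    findings.append(
                        f"note: {kind} {scope}: {ref} gets {role} on the whole workspace "
                        "and can create and fully manage every resource in it"
                    )
                grants.append(Grant(ref, role, scope))
    return grants, findings


# Constructed copies of the two documents in access-policy.yaml.
SAMPLE_DOCS = [
    {
        "apiVersion": "rbac.tsb.tetrate.io/v2",
        "kind": "WorkspaceAccessBindings",
        "metadata": {"organization": "tetrate", "tenant": "tetrate", "workspace": "bookinfo-ws"},
        "spec": {"allow": [{"role": "rbac/creator",
                            "subjects": [{"team": "organizations/tetrate/teams/application-team"}]}]},
    },
    {
        "apiVersion": "rbac.tsb.tetrate.io/v2",
        "kind": "TrafficAccessBindings",
        "metadata": {"organization": "tetrate", "tenant": "tetrate",
                     "workspace": "bookinfo-ws", "group": "bookinfo-traffic"},
        "spec": {"allow": [{"role": "rbac/writer",
                            "subjects": [{"user": "organizations/tetrate/users/group-user"}]}]},
    },
]

# Constructed document with three mistakes the audit should catch (hypothetical names).
BAD_DOC = {
    "apiVersion": "rbac.tsb.tetrate.io/v2",
    "kind": "TrafficAccessBindings",
    "metadata": {"organization": "tetrate", "tenant": "tetrate",
                 "workspace": "bookinfo-ws", "group": "bookinfo-traffic"},
    "spec": {"allow": [
        {"role": "rbac/owner", "subjects": [{"user": "organizations/other-org/users/alice"}]},
        {"role": "rbac/writer", "subjects": [{"team": "application-team"}]},
    ]},
}

if __name__ == "__main__":
    for grant in audit(SAMPLE_DOCS)[0]:
        print(f"{grant.subject} -> {grant.role} @ {grant.scope}")
    for finding in audit([BAD_DOC])[1]:
        print("FINDING", finding)
```

Run it against the documents loaded from your own access-policy.yaml and fix every non-note finding before tctl apply; the note on the Creator grant is expected for the policy this page builds, since giving the team full control of the Workspace's resources is the point, but it is the line to look at when the same file is reused for another workspace.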