Role-Based Access Control
With Formance Cloud, you can manage access to your organization and stacks using Role-Based Access Control (RBAC). This allows you to control who can access your organization and stacks, and what they can do with them.
Roles
Organization
- An organization's ADMIN can manage the organization and its stacks. It overrides the stack role.
- A GUEST of an organization can read the organization.
Stack: manage one stack
- An ADMIN of a stack can manage the stack control plane and data plane.
- A GUEST of a stack can read the stack control plane and data plane.
Notice:
- To access a stack, the user must have a role set on the organization.
- If a user has the organization role ADMIN, they will have the stack role ADMIN even if it is not set.
Data planes: Roles to scopes translation
| Organization | Stack | Scopes | 
|---|---|---|
| ADMIN | _ | Read & Write | 
| GUEST | ADMIN | Read & Write | 
| GUEST | GUEST | Read | 
| GUEST | NONE | _ | 
| NONE | NONE | _ | 
| NONE | undefined | _ | 
- Organization ADMIN: read & write on all services
- Stack ADMIN: read & write on all services
- Stack GUEST: read on all services
- Else: no access
 
Basics
Inviting a user
When inviting a user to an organization, you can directly assign a role to the user. When the user accepts, they are granted the configured roles.
fctl cloud organizations invitations send <email> \
    --stack-claims '[{"id":"vnrw", "role":"ADMIN"}]' \
    --org-claim ADMIN 
You can get more information on the different planes on the Architecture page.
Default roles: fallback when user assigned role is not satisfied
Default roles are assigned at the organization level. You can modify defaults with the following command:
fctl cloud organization update <orgId> --name <name> --default-stack-role "ADMIN" --default-organization-role "GUEST"
Examples
- A user can be a member of an organization with the role ADMIN and have the role GUEST in a stack. GUEST would be ignored; they would be granted the role ADMIN in the stack.
- Fallback roles are set to organization GUEST and stack GUEST
  - A user with no roles and no stack role assigned would have the role GUEST and the stack role GUEST assigned
  - A user with a stack role NONE would have the role GUEST assigned
- Fallback roles are set to organization ADMIN and stack ADMIN
  - A user with no roles and no stack role assigned would have the role ADMIN and the stack role ADMIN
  - A user with a stack role NONE would have the role ADMIN assigned
  - A user with a stack role GUEST would have the role ADMIN assigned
- Fallback roles are set to organization NONE and stack GUEST
  - A user with no roles and no stack role assigned would have the stack role GUEST
  - A user with a stack role NONE would have the role GUEST assigned
  - A user with a stack role ADMIN would have the role ADMIN assigned
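The rules above (organization ADMIN override, default roles, and the roles-to-scopes table) combined into one resolver, as an added example that is not Formance code. It assumes, from the examples on this page, that a default role acts as a floor under the assigned role and that an organization role of NONE means no stack access; the function names and user records are constructed.

```python
# Added example: role names and rules come from the page; function names
# and the user records below are constructed for illustration.
RANK = {"NONE": 0, "GUEST": 1, "ADMIN": 2}

def _higher(assigned, default):
    """Higher of the assigned role (None = not set) and the default role."""
    return max(assigned or "NONE", default, key=RANK.__getitem__)

def effective_roles(org, stack, default_org="NONE", default_stack="NONE"):
    """Return (organization role, stack role) after fallback and override.

    Assumption drawn from the page's examples: a default role is a floor,
    so the higher of the assigned and the default role wins.
    """
    eff_org = _higher(org, default_org)
    # An organization ADMIN is stack ADMIN even if no stack role is set.
    eff_stack = "ADMIN" if eff_org == "ADMIN" else _higher(stack, default_stack)
    return eff_org, eff_stack

def scopes(org, stack, default_org="NONE", default_stack="NONE"):
    """Translate roles to data plane scopes, following the table."""
    eff_org, eff_stack = effective_roles(org, stack, default_org, default_stack)
    if eff_org == "NONE":  # assumption: no organization role, no stack access
        return set()
    return {"ADMIN": {"read", "write"}, "GUEST": {"read"}}.get(eff_stack, set())

def writers(users, default_org, default_stack):
    """Names of users who end up with write scope under the given defaults."""
    return sorted(u["name"] for u in users
                  if "write" in scopes(u["org"], u["stack"], default_org, default_stack))

# Constructed membership list for one stack (not fctl output).
USERS = [
    {"name": "alice", "org": "ADMIN", "stack": "GUEST"},
    {"name": "bob",   "org": "GUEST", "stack": "GUEST"},
    {"name": "carol", "org": "GUEST", "stack": "NONE"},
    {"name": "dave",  "org": None,    "stack": None},
]

if __name__ == "__main__":
    for defaults in [("GUEST", "GUEST"), ("NONE", "GUEST"), ("GUEST", "ADMIN")]:
        print(defaults, "->", writers(USERS, *defaults))
```

With a default stack role of ADMIN, every user who holds any organization role resolves to write scope on the data plane, so that default is worth reviewing before it is changed.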
 
Manage Permissions with FCTL
Access to an organization
Describe an organization
fctl cloud organizations describe <orgId>
Update an organization
fctl cloud organization update <orgId> --name <name> --default-stack-role "ADMIN" --default-organization-role "GUEST"
List organization user
fctl cloud organizations users list --organization <orgID>
Change organization user role
fctl cloud organizations users link <userId> --role GUEST --organization=<orgId>
Delete organization user
fctl cloud organizations users unlink <userId> --organization <orgId>
Access to a stack
fctl stacks users link <stackId> <userId> --role GUEST --organization <organizationId>
Delete stack user
fctl stacks users unlink <stackID> <userId> --organization <organizationId>
List stack user role
fctl stacks users list <stackID> --organization <organizationId>