1 Oct 2024 · Semaphore News

    Custom Roles Are Here

    Following on the Role Based Access Control (RBAC) improvements announced in April, we’re rolling out a new feature for Scaleup plans: Custom Roles.

    Now, in addition to the default roles, you can create your own with tailored permissions for organizations and projects — giving you the control to decide exactly what actions users can take.

    What problem do custom roles solve?

    Semaphore uses an RBAC model to control which resources users can access and which actions they can take. This feature included three default roles for organizations and projects.

    While these default roles are enough for many, they cannot fit everyone’s needs. Let’s say you wish to give the finance team access to the Billing page to view spending. Before custom roles, the only way to allow access was using the Admin role, which gave unfettered access to almost everything inside the organization. This is far from ideal from a security perspective.

    With the addition of custom roles, you can now create roles to fit the user’s needs. For example, you can create a Finance role that can only view the Billing page and nothing else.

    Other use cases for custom roles we envision are:

    • prevent members from viewing or changing secrets
    • allow the compliance team view-only access to the audit logs, members, and group lists
    • provide view-only access to a third party for demo purposes
    • allow the operation team to safely manage infrastructure and self-hosted agents
    • prevent contributors from starting or attaching SSH sessions on CI/CD jobs

    So, what are custom roles?

    Custom roles is a new Scaleup plan feature that allows you to create an unlimited number of new roles. You can then assign the roles to users or groups to precisely manage what resources they can access and actions they can take.

    Same as with default roles, there are two kinds of custom roles:

    • Organization roles: Grant actions on the organization such as viewing the dashboards or the audit logs, managing secrets or notifications, and configuring self-hosted agents or pre-flight checks. You’ll find view and manage permissions for most resources on Semaphore.
    • Project roles: Grant actions on projects such as view or manage artifacts, perform job debugging, view secrets, or run tasks, to name a few.

    Custom roles improve your security posture in many ways:

    • Flexibility: you can tailor permissions to your specific needs.
    • Security: you can follow the principle of least privilege and lock down user access.
    • Scalability: you can create or modify roles to adapt as your organization grows.
    • Compliance: custom roles let you meet regulatory requirements.

    How to create custom roles

    Initially, only the organization Owners can create custom roles. You can, however, create a role that can view or manage custom roles.

    Organization roles

    Organization roles determine what actions users can take in the organization.

    To create an organization-level custom role:

    1. Open the Organization Settings menu
    2. Select Roles
    3. In the Organization Roles section, press New Role
    4. Give a name and a description to the new role
    5. Enable the permissions for this role. Use the search box to narrow down options
    6. Optionally, you can grant a project role for all projects in the organization. For example, the role might have view-only access to every project.
    7. Press Save changes

    The default roles cannot be modified, but you can see their permissions by pressing the eye button.

    Once the role is created, go to People in the organization settings menu, press Change Role, and select the new role. You can only assign one role to an individual or group.

    Project roles

    Project roles determine what actions users can take within a single project.

    To create a project role:

    1. Open the Organization Settings menu
    2. Select Roles
    3. In the Project Roles section, press New Role
    4. Give a name and a description to the new role
    5. Enable the permissions allowed to the role. Use the search box to narrow down options
    6. Press Save changes

    You can grant project roles by going to the project and selecting the People tab. Press Change Role, and select the new role. You can only assign one role to an individual or group.

    FAQ

    When will the feature be available?

    The feature will be generally available on September 30th, 2024.

    Help! I can’t find custom roles

    There might be a few reasons why you can’t find the New Role button on the Roles settings page:

    • You might not be the Owner of the organization
    • Your organization might not be subscribed to the Scaleup plan

    If none of these conditions apply, please get in touch with support@semaphoreci.com so we can help you resolve the issue.

    How can I view the available permissions?

    Open the organization menu and select Settings. Go to the Roles section and press the eye or pencil button next to the role.

    You will see the list of all available permissions. The actions enabled for the role are the ones checked.

    Why can’t I change default roles?

    Default role permissions cannot be changed. This may change in the future, but for now, default role settings are read-only.

    How does this impact the GitHub permission integration?

    The GitHub permission integration is not affected in any way. Users may still gain project-level permissions via their roles in related repositories.

    For more information, check the GitHub permissions page.

    Conclusion

    Custom roles give you a new layer of security governance. It is now possible to lock down user permissions very tightly to comply with regulatory requirements. We hope this feature makes user management easier and more secure.

    Thank you for reading and happy building!

    Written by:
    I picked up most of my skills during the years I worked at IBM. Was a DBA, developer, and cloud engineer for a time. After that, I went into freelancing, where I found the passion for writing. Now, I'm a full-time writer at Semaphore.