Groups

Permission Groups let you group subjects (people, teams, or system services) under one name for simpler permission setup. The subjects included in the group then inherit the permissions applied to it.

Permission Groups are particularly useful when:

  • You need to manage permissions for many users with similar roles
  • You want to grant the same permissions to multiple system services
  • You need to update permissions for a set of users all at once

Example

permission-group.yaml
---
# yaml-language-server: $schema=../../config/schemas/permissiongroup.schema.json
apiVersion: mission-control.flanksource.com/v1
kind: PermissionGroup
metadata:
  name: config-notifications
spec:
  name: config-notifications
  notifications:
    - name: check-alerts
      namespace: mc
    - name: homelab-config-health-alerts
      namespace: mc
---
# yaml-language-server: $schema=../../config/schemas/permission.schema.json
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: allow-config-notifications-to-run-playbook
spec:
  description: allow config notifications to run playbook
  subject:
    group: config-notifications
  actions:
    - playbook:run
    - playbook:approve
  object:
    playbooks:
      - name: echo-config
    configs:
      - name: '*'
---
# yaml-language-server: $schema=../../config/schemas/permission.schema.json
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: allow-config-notifications-to-read-configs
spec:
  description: allow config notifications to read configs
  subject:
    group: config-notifications
  actions:
    - read
  object:
    configs:
      - name: '*'

Schema

| Field | Description | Scheme |
|---|---|---|
| name* | Set a unique name for the permission group | string |
| notifications | List of notification <namespace>/<name> | []string |
| people | List of people identifiers (email or id) to associate with the group | []string |
| playbooks | List of playbook <namespace>/<name> | []string |
| teams | List of team names to associate with the group | []string |

Using Permission Groups

Once a Permission Group is created, you can reference it in the subject field of a Permission:

subject:
  group: system-administrators

All members of the group will inherit the permissions defined in the Permission resource.
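
Because every member inherits whatever is granted to the group, it helps to expand group grants into per-member actions when reviewing manifests. The following is an added example, not Mission Control's own code: it works on constructed, already-parsed copies of the manifests above and flags Permissions that name an undefined group or use a '*' object selector. The function names, the alice@example.com member, and matching subject.group against spec.name are assumptions.

```python
# Constructed sample: the page's manifests as already-parsed YAML documents
# (trimmed), plus a made-up person and a Permission naming an undefined group.
MANIFESTS = [
    {"kind": "PermissionGroup",
     "spec": {"name": "config-notifications",
              "notifications": [{"name": "check-alerts", "namespace": "mc"}],
              "people": ["alice@example.com"]}},
    {"kind": "Permission",
     "metadata": {"name": "allow-config-notifications-to-run-playbook"},
     "spec": {"subject": {"group": "config-notifications"},
              "actions": ["playbook:run", "playbook:approve"],
              "object": {"playbooks": [{"name": "echo-config"}],
                         "configs": [{"name": "*"}]}}},
    {"kind": "Permission",
     "metadata": {"name": "allow-admins-to-read-configs"},
     "spec": {"subject": {"group": "system-administrators"},
              "actions": ["read"],
              "object": {"configs": [{"name": "*"}]}}},
]
MEMBER_FIELDS = ("notifications", "people", "playbooks", "teams")

def member_id(field, member):
    if isinstance(member, dict):  # {name, namespace} form from the example
        return f"{field}:{member.get('namespace', '')}/{member['name']}"
    return f"{field}:{member}"    # plain string form from the schema table

def audit(manifests):
    """Return (actions inherited per group member, review findings)."""
    # Assumption: subject.group is matched against the group's spec.name.
    groups = {m["spec"]["name"]: [member_id(f, x) for f in MEMBER_FIELDS
                                  for x in m["spec"].get(f, [])]
              for m in manifests if m["kind"] == "PermissionGroup"}
    grants, findings = {}, []
    for m in manifests:
        group = m["spec"].get("subject", {}).get("group")
        if m["kind"] != "Permission" or group is None:
            continue
        name = m["metadata"]["name"]
        if group not in groups:
            findings.append((name, f"undefined group {group}"))
        for member in groups.get(group, []):
            grants.setdefault(member, set()).update(m["spec"]["actions"])
        for kind, selectors in m["spec"].get("object", {}).items():
            if any(s.get("name") == "*" for s in selectors):
                findings.append((name, f"wildcard {kind}"))
    return grants, findings

if __name__ == "__main__":
    print(audit(MANIFESTS))
```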