Permission

A Permission defines access control rules that grant or deny specific actions to subjects on target objects.

Overview

A Permission has 4 parts:

  • Subject: The user or service requesting access
  • Object: The resources this permission affects (playbooks, connections, or configs)
  • Effect: Whether to allow or deny access (Default: allow)
  • Actions: The list of allowed actions
Info: Deny rules always override Allow rules.

Example

permission.yaml
---
# yaml-language-server: $schema=../../config/schemas/permission.schema.json
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: deny-user-foo-playbook-run
spec:
  description: deny user foo from running
  subject:
    person: foo@bar.com
  actions:
    - playbook:*
  deny: true
  object:
    playbooks:
      - name: "*" # this is a wildcard selector that matches any playbook

Schema

Field                  Description                                          Scheme
actions*               List of allowed actions                              []string
deny                   Specifies if this is a deny rule. (Default: false)   boolean
description            Description of the permission                        string
object.components      List of component resource selectors                 ResourceSelector
object.configs         List of config resource selectors                    ResourceSelector
object.connections     List of connection resource selectors                ResourceSelector
object.playbooks       List of playbook resource selectors                  ResourceSelector
subject.group          Name of a permission group                           string
subject.notification   <namespace>/<name> of the notification               string
subject.person         Email or ID of the person                            string
subject.playbook       <namespace>/<name> of the playbook                   string
subject.team           Name or ID of the team                               string

Multi-Tenancy Fields

For agent and tag-based permissions, you can also use these fields:

Field    Description                                               Scheme
agents   List of agent names to restrict this permission to        []string
tags     Key-value pairs of tags to restrict this permission to    map[string]string

Objects

Objects define the resources the permission targets. You can define Objects using Resource Selectors.

Object Type    Description
playbooks      Automation playbooks in the system
configs        Configuration items in the catalog
connections    Connection configurations for external systems
components     Topology components

A permission can target multiple object types. If you define multiple objects, Mission Control grants the permission only if the request matches all defined objects (AND condition).
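An added example, not code from the Mission Control project: a small Python model of the evaluation rules this page describes (deny overrides allow, the AND condition across object types, wildcard selectors, and the agents/tags restrictions of the Multi-Tenancy Fields section). The selector fields name, namespace and labels, the request shape, and the sample permissions are assumptions made for illustration.

```python
# Added example (not Mission Control's own code): an assumed model of the Permission
# semantics on this page: deny overrides allow, AND across object types, wildcards, agents/tags.
from fnmatch import fnmatchcase


def selector_matches(selector: dict, resource: dict) -> bool:
    # Assumed ResourceSelector fields: name (glob, "*" = any), namespace, labels (subset match).
    if "name" in selector and not fnmatchcase(resource.get("name", ""), selector["name"]):
        return False
    if "namespace" in selector and resource.get("namespace") != selector["namespace"]:
        return False
    labels = resource.get("labels", {})
    return all(labels.get(k) == v for k, v in selector.get("labels", {}).items())


def permission_applies(spec: dict, request: dict) -> bool:
    # Subject: the permission's subject field (person, team, ...) must match the caller.
    if not any(request["subject"].get(k) == v for k, v in spec["subject"].items()):
        return False
    # Actions: exact match or a glob such as "playbook:*".
    if not any(fnmatchcase(request["action"], a) for a in spec["actions"]):
        return False
    # Multi-tenancy fields: only the listed agents, only resources carrying every tag.
    if spec.get("agents") and request.get("agent") not in spec["agents"]:
        return False
    if any(request.get("tags", {}).get(k) != v for k, v in spec.get("tags", {}).items()):
        return False
    # Object: AND condition, every object type in the permission must match the request.
    for obj_type, selectors in spec.get("object", {}).items():
        resource = request.get("objects", {}).get(obj_type)
        if resource is None or not any(selector_matches(s, resource) for s in selectors):
            return False
    return True


def authorize(permissions: list, request: dict) -> bool:
    # Deny rules always override Allow rules; with no matching Allow the request is denied.
    hits = [p["spec"] for p in permissions if permission_applies(p["spec"], request)]
    if any(s.get("deny") for s in hits):
        return False
    return any(not s.get("deny") for s in hits)

# Constructed sample permissions mirroring the page's examples (sre-team allow, foo deny).
PERMISSIONS = [
    {"spec": {"subject": {"team": "sre-team"}, "actions": ["playbook:run"],
              "object": {"playbooks": [{"name": "*"}]}}},
    {"spec": {"subject": {"person": "foo@bar.com"}, "actions": ["playbook:*"], "deny": True,
              "object": {"playbooks": [{"name": "*"}]}}},
]
```

A request carries the caller's subject fields, the action, the agent, tags and the resources it touches; a user who is both in sre-team and the denied person is refused because the deny rule wins.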

Object Examples

Target All Playbooks

object:
  playbooks:
    - name: "*"

Target Playbooks in a Namespace

object:
  playbooks:
    - namespace: production

Target Configs with Labels

object:
  configs:
    - labels:
        environment: production

Target Specific Connection

object:
  connections:
    - name: aws-production

Multiple Object Types (AND condition)

This permission allows running playbooks only on configs in the specified namespace:

---
# yaml-language-server: $schema=../../config/schemas/permission.schema.json
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: allow-check-notification-playbook-run
spec:
  description: allow check notification to run playbook
  subject:
    notification: mc/check-alerts
  actions:
    - playbook:run
    - playbook:approve
  object:
    playbooks:
      - name: echo-config

Examples

Allow Team to Run All Playbooks

team-playbook-permission.yaml
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: sre-run-playbooks
spec:
  description: Allow SRE team to run any playbook
  subject:
    team: sre-team
  actions:
    - playbook:run
  object:
    playbooks:
      - name: "*"

Deny User from Deleting Configs

deny-delete-permission.yaml
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: deny-john-delete
spec:
  description: Deny John from deleting any configs
  deny: true
  subject:
    person: john@example.com
  actions:
    - delete
  object:
    configs:
      - name: "*"

Allow Notification to Use Connection

notification-connection-permission.yaml
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: alerts-slack-access
spec:
  description: Allow alerts notification to use Slack connection
  subject:
    notification: monitoring/critical-alerts
  actions:
    - read
  object:
    connections:
      - name: slack-alerts

Allow Playbook to Access AWS

playbook-aws-permission.yaml
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: cleanup-aws-access
spec:
  description: Allow cleanup playbook to use AWS connection
  subject:
    playbook: automation/cleanup-resources
  actions:
    - read
  object:
    connections:
      - name: aws-production

Restrict by Agent (Multi-Tenancy)

agent-restricted-permission.yaml
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: dev-team-dev-agent
spec:
  description: Allow dev team to access only dev agent resources
  subject:
    team: developers
  actions:
    - read
    - playbook:run
  agents:
    - dev-cluster-agent

Restrict by Tags (Multi-Tenancy)

tag-restricted-permission.yaml
apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: prod-readonly
spec:
  description: Read-only access to production resources
  subject:
    team: viewers
  actions:
    - read
  tags:
    environment: production