Subjects

Subjects define WHO or WHAT gets the permission. The subject field can contain only one of the following:

Individual User

Specify a human user by their email address or name (if the name is unique) to grant permission.

subject:
  person: jane.doe@example.com

OR

subject:
  person: "Jane Doe"

Team

Specify a team by its name to grant permission to all its members.

subject:
  team: sre-team

Group

Specify a defined Permission Group to grant permission. Groups bundle different items (like specific playbooks, notifications) or lists of users/teams.

subject:
  group: system-administrators

System Services

Sometimes, a specific system service needs permission to act for a particular resource instance. Mission Control often uses this for automation or to allow one part of Mission Control to interact with another. The service gains permission only when it acts for the specified resource, identified by its <namespace>/<name>.

Notification Service

Specify a notification to grant permission to the notification service when it processes that notification. Example: A notification might need access to read a connection or trigger a playbook run.

subject:
  notification: monitoring/critical-alerts

Playbook Service

Specify a playbook to grant permission to the playbook runner service when it runs that playbook. Example: A playbook needs access to a specific resource it acts on.

subject:
  playbook: automation/cleanup-pods

Schema

| Field | Description | Scheme |
|---|---|---|
| group | Name of a permission group | string |
| notification | <namespace>/<name> of the notification | string |
| person | Email or ID of the person | string |
| playbook | <namespace>/<name> of the playbook | string |
| team | Name or ID of the team | string |

Examples

Grant User Access to Run Playbooks

user-playbook-permission.yaml

apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: jane-playbook-access
spec:
  description: Allow Jane to run playbooks
  subject:
    person: jane.doe@example.com
  actions:
    - playbook:run
  object:
    playbooks:
      - name: "*"

Grant Team Read Access

team-read-permission.yaml

apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: sre-read-access
spec:
  description: Allow SRE team to read all configs
  subject:
    team: sre-team
  actions:
    - read
  object:
    configs:
      - name: "*"

Grant Playbook Access to Connection

playbook-connection-permission.yaml

apiVersion: mission-control.flanksource.com/v1
kind: Permission
metadata:
  name: cleanup-playbook-aws-access
spec:
  description: Allow cleanup playbook to use AWS connection
  subject:
    playbook: automation/cleanup-pods
  actions:
    - read
  object:
    connections:
      - name: aws-production
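
Review Check for Subjects

The rules above (exactly one subject kind per permission, and <namespace>/<name> for notification and playbook subjects) can be checked before a manifest is merged. The following is an added example, not Mission Control's own validation code. The function names are hypothetical, the manifests are assumed to be already parsed into dicts, and the exact <namespace>/<name> pattern is an assumption.

```python
import re

# The five subject kinds listed in the schema table on this page.
SUBJECT_KINDS = {"person", "team", "group", "notification", "playbook"}
# Service subjects are scoped to one resource, written <namespace>/<name>.
# Assumption: neither part is empty or contains "/" or whitespace.
NAMESPACED = re.compile(r"^[^/\s]+/[^/\s]+$")
SERVICE_KINDS = {"notification", "playbook"}


def check_subject(subject):
    """Return a list of problems with one `subject` mapping (empty if well-formed)."""
    if not isinstance(subject, dict) or not subject:
        return ["subject must be a mapping with exactly one key"]
    problems = []
    unknown = sorted(str(k) for k in subject if k not in SUBJECT_KINDS)
    if unknown:
        problems.append(f"unknown subject kind(s): {', '.join(unknown)}")
    known = sorted(k for k in subject if k in SUBJECT_KINDS)
    if len(known) > 1:
        problems.append(f"only one subject kind allowed, got: {', '.join(known)}")
    for kind in known:
        value = subject[kind]
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{kind} must be a non-empty string")
        elif kind in SERVICE_KINDS and not NAMESPACED.match(value):
            problems.append(f"{kind} must be <namespace>/<name>, got {value!r}")
    return problems


def check_permission(manifest):
    """Check the subject of an already-parsed Permission manifest (a dict)."""
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    subject = manifest.get("spec", {}).get("subject")
    return [f"{name}: {p}" for p in check_subject(subject)]


# Constructed sample manifests, as dicts (what a YAML loader would return).
SAMPLES = [
    {"metadata": {"name": "cleanup-playbook-aws-access"},
     "spec": {"subject": {"playbook": "automation/cleanup-pods"}}},
    {"metadata": {"name": "two-subjects"},
     "spec": {"subject": {"person": "jane.doe@example.com", "team": "sre-team"}}},
    {"metadata": {"name": "no-namespace"},
     "spec": {"subject": {"notification": "critical-alerts"}}},
]

if __name__ == "__main__":
    for m in SAMPLES:
        for line in check_permission(m) or [m["metadata"]["name"] + ": ok"]:
            print(line)
```

A subject that names two kinds or drops the namespace is reported before the permission is applied, so the reviewer sees exactly which principal the grant is scoped to.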