Styra DAS Roles
Styra DAS applies permissions through Role-based access control (RBAC). RBAC is a method of restricting access based on the roles assigned to individual users, SSO providers, and API tokens within Styra DAS.
Styra DAS allows roles to be assigned at the Workspace, System, and Stack levels.
The following sections provide descriptions of the pre-defined roles in Styra DAS. To view detailed information on permissions for each role, see Styra DAS Granular Role Permissions.
Workspace Roles
The following roles can be applied to a Workspace.
- WorkspaceAdministrator grants full control of the Workspace, including managing all Workspace-level resources. Resources are users, tokens, and authorization permissions. Workspace role permissions are applied to all Systems, Stacks, and Libraries and their sub-resources, such as policies and Data Sources within the Workspace. Note that WorkspaceAdministrator users can change any of the configuration for external integrations, including activity export, decisions export, metrics export, Terraform Cloud, and git. Credentials for these integrations are not retrievable with the UI or API; however, because these users can change this configuration, they can gain access to the credentials used for any of this functionality.
- WorkspaceRelayClient grants permission to connect a Relay Client to a Styra DAS Relay Server.
- WorkspaceRelaySetupAdmin grants read permissions of a WorkspaceViewer with additional modification permissions to manage Relay resources for the Workspace. This role is used by admins to set up or troubleshoot a Relay workflow for a Styra DAS Workspace.
- WorkspaceSystemCreator grants the ability to create a new System. Upon creating one, the user is assigned the SystemOwner role for that new System.
- WorkspaceTokenRefresher grants access to refresh existing tokens which do not belong to a System, such as Workspace, Stack, and Library tokens.
- WorkspaceViewer grants read-only access to the Workspace, except for reading individual System install or uninstall instructions. These instructions can only be viewed by a WorkspaceAdministrator or SystemOwner.
System Roles
The following roles can be applied to a System.
- SystemDatasources grants the rights required to manage System Data Sources. This role is used to read Data Source configurations and to update Data Source statuses and contents.
- SystemEditor grants the right to read and modify most System resources, but cannot change the System's configuration itself, the internal tokens, or the System's authorization permissions. This role can read but not modify System metadata; add the SystemMetadataManager role for edit access.
- SystemInstall grants the read-only right to System installation commands and installation assets.
- SystemManager grants almost all rights to a System, but cannot create new Systems, read System installation commands or assets, or alter a System's authorization permissions.
- SystemMetadataManager grants permission to view and update a System's metadata.
- SystemOPA grants rights required by OPA to read System configuration, policy bundles, and discovery configuration. This role can also update OPA statuses and upload decision logs.
- SystemOwner grants almost all rights to a System. A SystemOwner can read but not modify System metadata; add the SystemMetadataManager role for edit access. Also, this role cannot create a new System. Note that because SystemOwner users can change the System's git configuration, they can gain access to any git credentials configured for Systems they own.
- SystemPolicyEditor grants access to a System's policies. This role also provides read-only access to System-specific resources, including authorization configuration, validation, Log Replay, Data Sources, suggestions, and evaluation.
- SystemPolicyViewer grants read-only access to a System's policies. This role also provides read-only access to System-specific resources, including authorization configuration, validation, Log Replay, Data Sources, suggestions, and evaluation.
- SystemTokenRefresher grants access to refresh existing tokens that belong to a System.
- SystemViewer grants read-only access to a System, but cannot read install or uninstall instructions. These instructions can be viewed by a WorkspaceAdministrator or SystemOwner.
Library Roles
The following roles can be applied to a Library.
- LibraryEditor grants rights to edit policies and datasources within a Library. This right does not allow modifying the Library configuration.
- LibraryOwner grants full rights to a Library. Note that because a LibraryOwner can change the Library's git configuration, they can gain access to any git credentials configured for Libraries they own.
- LibraryViewer grants read-only rights to a Library.
Stack Roles
The following roles can be applied to a Stack.
- StackEditor grants access to read and modify most resources belonging to a Stack, with some restrictions, but cannot modify the Stack's configuration or authorization permissions. It does allow reading top-level Workspace configuration (for example, Workspace-level Git settings).
- StackOwner grants full control over a Stack, but cannot create a new Stack. Note that because a StackOwner can change the Stack's git configuration, they can gain access to any git credentials configured for Stacks they own.
- StackConfigurationManager grants access to modify Stack settings, such as the Git configuration, as well as read-only access to other Stack resources.
- StackPolicyEditor grants full control of a Stack's policies. This role also provides read-only access to certain Stack resources, including authorization configuration, Log Replay, Data Sources, and evaluation.
- StackViewer grants read-only permissions for a Stack.
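The role descriptions above note that WorkspaceAdministrator, SystemOwner, LibraryOwner, and StackOwner can gain access to configured integration or git credentials, and that Workspace roles apply to every System, Stack, and Library. The following added example (not Styra code) works out, per resource, which subjects end up with that exposure. The binding tuple format, subject names, and resource names are constructed for illustration and are not a Styra DAS API or export format.

```python
from collections import defaultdict

# Roles the page notes can gain access to integration or git credentials,
# mapped to the resource level at which each one is assigned.
CREDENTIAL_ROLES = {
    "WorkspaceAdministrator": "workspace",
    "SystemOwner": "system",
    "LibraryOwner": "library",
    "StackOwner": "stack",
}

# Constructed sample: (subject_type, subject, role, resource_kind, resource_id)
BINDINGS = [
    ("user", "alice@example.com", "WorkspaceAdministrator", "workspace", "*"),
    ("user", "bob@example.com", "SystemOwner", "system", "payments"),
    ("user", "bob@example.com", "SystemViewer", "system", "orders"),
    ("api_token", "ci-deploy", "StackOwner", "stack", "k8s-baseline"),
    ("sso_claim", "group=platform", "LibraryOwner", "library", "shared-rules"),
    ("user", "carol@example.com", "StackPolicyEditor", "stack", "k8s-baseline"),
    ("api_token", "opa-agent", "SystemOPA", "system", "payments"),
]
# Constructed inventory of resources in the Workspace.
RESOURCES = [("system", "payments"), ("system", "orders"),
             ("stack", "k8s-baseline"), ("library", "shared-rules")]

def credential_exposure(bindings, resources):
    """Map each resource to the subjects that can reach its credentials."""
    exposure = defaultdict(set)
    for stype, subject, role, kind, rid in bindings:
        if CREDENTIAL_ROLES.get(role) != kind:
            continue  # role not flagged by the page, or bound at another level
        who = (stype, subject)
        if kind == "workspace":
            # Workspace roles apply to all Systems, Stacks, and Libraries.
            exposure[("workspace", "*")].add(who)
            for res in resources:
                exposure[res].add(who)
        else:
            exposure[(kind, rid)].add(who)
    return dict(exposure)

def non_human_holders(exposure):
    """API tokens and SSO claims that hold a credential-exposing role."""
    return sorted({w for subs in exposure.values() for w in subs if w[0] != "user"})

if __name__ == "__main__":
    for res, subjects in sorted(credential_exposure(BINDINGS, RESOURCES).items()):
        print(res, sorted(subjects))
```
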
Managing User Permissions
You can manage user permissions by adding, editing, or deleting user permissions.
Adding User Permissions
The following instructions are used to add user permissions. Permissions can be added to a Workspace, System, or Stack.
- Log in to the Styra DAS UI.
- Select the Workspace, System, or Stack where user permissions will be added.
- Click Access Control > Permissions.
- In the Permissions pane, click ( ⨁ ) Add Permissions and select Add user permissions… from the drop-down list.
- In the Add user permissions dialog box, in Users (required), select the user who will be assigned to a role or roles. You can select one or more users.
- In Roles (required), select the role or roles to apply to the user.
- Click Add permissions.
User permissions are applied to the specified users.
Editing User Permissions
The following instructions are used to edit user permissions.
- Log in to the Styra DAS UI.
- Select the Workspace, System, or Stack where user permissions will be edited.
- Click Access Control > Permissions > Users.
- In Users (required), select the user whose permissions will be edited.
- In Roles (required), add or delete roles to apply to the user.
- Click Update permissions.
User permissions are edited for the specified user.
Deleting User Permissions
The following instructions are used to delete all of a user's permissions.
- Log in to the Styra DAS UI.
- Select the Workspace, System, or Stack where user permissions will be deleted.
- Click Access Control > Permissions > Users.
- In Users (required), select the user whose permissions will be deleted.
- Click the trash icon.
- A confirmation dialog box appears.
- Click Delete Permissions.
User permissions are deleted for the specified user.
Managing SSO Claim Permissions
You can manage SSO claim permissions by adding, editing, or deleting SSO claim permissions.
Adding SSO Claim Permissions
The following instructions are used to add SSO claim permissions.
- Log in to the Styra DAS UI.
- Select the Workspace, System, or Stack where SSO claim permissions will be added.
- Click Access Control > Permissions.
- In the Permissions pane, click ( ⨁ ) Add Permissions and select Add SSO claim permissions… from the drop-down list.
- In the Add SSO claim permissions dialog box, from the drop-down box, select the SSO provider (required) that will be assigned to a role or roles.
- In Claim key/value pairs (required), enter pairs from the SSO provider claims.
- In Roles, select the role or roles to apply to the SSO provider.
- Click Add permissions.
SSO claim permissions are applied to the specified SSO.
Editing SSO Claim Permissions
The following instructions are used to edit SSO claim permissions.
- Log in to the Styra DAS UI.
- Select the Workspace, System, or Stack where SSO claim permissions will be edited.
- Click Access Control > Permissions > SSO Claims.
- (Optional) In Claim key/value pairs (required), edit pairs from the SSO provider claims.
- In Roles, add or delete roles to apply to the SSO provider.
- Click Update permissions.
SSO claim permissions are edited.
Deleting SSO Claim Permissions
The following instructions are used to delete SSO claim permissions.
- Log in to the Styra DAS UI.
- Select the Workspace, System, or Stack for the SSO claim permissions to be deleted.
- Click Access Control > Permissions > SSO Claims.
- Select the SSO claim whose permissions will be deleted.
- Click the trash icon.
- A confirmation dialog box appears.
- Click Delete Permissions.
SSO claim permissions are deleted.
Managing API Token Permissions
You can manage API token permissions by adding, editing, or deleting API token permissions.
Adding API Token Permissions
The following instructions are used to add API token permissions. Permissions can be added to a Workspace, System, or Stack.
- Log in to the Styra DAS UI.
- Select the Workspace, System, or Stack where API token permissions will be added.
- Click Access Control > Permissions.
- In the Permissions pane, click ( ⨁ ) Add Permissions and select Add API token… from the drop-down list.
- In API tokens (required), select the API token that will be assigned to a role or roles.
- In Roles (required), select the role or roles to apply to the API token.
- Click Add permissions.
API token permissions are applied to the specified API token.
Editing API Token Permissions
The following instructions are used to edit API token permissions.
- Log in to the Styra DAS UI.
- Select the Workspace, System, or Stack where user permissions will be edited.
- Click Access Control > Permissions > Users.
- Select the API token whose permissions will be edited.
- In Edit Permissions, add or delete roles to apply to the API token.
- Click Update permissions.
API token permissions are edited for the specified API token.
Deleting API Token Permissions
The following instructions are used to delete API token permissions.
- Log in to the Styra DAS UI.
- Select the Workspace, System, or Stack for the API token permissions to be deleted.
- Click Access Control > Permissions > API tokens.
- Select the API token whose permissions will be deleted.
- Click the trash icon.
- A confirmation dialog box appears.
- Click Delete Permissions.
API token permissions are deleted.