Role Based Access Control
Kasun Ranasinghe edited this page Sep 8, 2025 · 1 revision
This guide covers the comprehensive Role-Based Access Control system in Flux Gate, including roles, permissions, authorization workflows, and security best practices.
Flux Gate implements a sophisticated RBAC system that provides:
- Fine-grained permissions for feature flag operations
- Team-scoped access control for multi-tenant isolation
- Predefined roles for common use cases
- Custom role creation for specific organizational needs
- Hierarchical permission model for scalable access management
- Audit logging for compliance and security monitoring
```
Platform Level
├── System Admin (Global)
│   └── Full platform access
├── Team Admin (Team-scoped)
│   └── Full team management access
├── Approver (Team-scoped)
│   └── Can approve deployment requests
├── Requester (Team-scoped)
│   └── Can request deployments
└── Viewer (Team-scoped)
    └── Read-only access
```
Permissions are organized by:
- Resource Type (Features, Environments, Pipelines, Users)
- Operation (Create, Read, Update, Delete, Execute)
- Scope (Global, Team, Resource-specific)
System Admin
- Scope: Global (all teams)
- Key Permissions:
  - Create and manage users
  - Create and manage teams
  - Access all team resources
  - Manage system configuration
  - Generate and manage JWT secrets
  - View audit logs

Team Admin
- Scope: Team-specific
- Key Permissions:
  - Manage team settings and members
  - Create and manage team environments
  - Create and manage team pipelines
  - Assign team-scoped roles
  - View team audit logs

Approver
- Scope: Team-specific
- Key Permissions:
  - Approve deployment requests (`DEPLOYED`)
  - Reject deployment requests (`DEPLOYMENT_REJECTED`)
  - Approve rollback requests (`ROLLBACKED`)
  - Reject rollback requests (`ROLLBACK_REJECTED`)
  - View deployment history

Requester
- Scope: Team-specific
- Key Permissions:
  - Request deployments (`DEPLOYMENT_REQUESTED`)
  - Request rollbacks (`ROLLBACK_REQUESTED`)
  - Create and modify feature flags
  - Manage feature stage configurations
  - View team resources

Viewer
- Scope: Team-specific
- Key Permissions:
  - Read-only access to team features
  - View deployment status
  - View audit logs (read-only)
  - No modification permissions
The RBAC system controls feature stage operations based on user roles:
```mermaid
graph TD
    A[User Requests Deployment] --> B{Has Requester Role?}
    B -->|No| C[Access Denied]
    B -->|Yes| D[Request Created]
    D --> E[Approver Reviews]
    E --> F{Has Approver Role?}
    F -->|No| G[Cannot Approve]
    F -->|Yes| H[Can Approve/Reject]
```
| Operation | Required Role | Description |
|---|---|---|
| `DEPLOYMENT_REQUESTED` | Requester | Request feature deployment |
| `ROLLBACK_REQUESTED` | Requester | Request feature rollback |
| `DEPLOYED` | Approver | Approve deployment |
| `DEPLOYMENT_REJECTED` | Approver | Reject deployment |
| `ROLLBACKED` | Approver | Approve rollback |
| `ROLLBACK_REJECTED` | Approver | Reject rollback |