Separate role for Create and Edit permission for Feature Flags
in progress
Magenta Ptarmigan
Based on the RBAC model defined, a User is given create access. Hence, when a feature flag is created, it gets created in all environments. As the create+edit permission is clubbed, the User is able to edit (add targets and variations) in the prod environment.
Our requirement is for a User to be able to create the feature flag in prod, but not to be able to do any form of edit to it.
This will require Harness to treat create and edit as two separate functions and to be assignable when defining RBAC rules.
This post was marked as in progress
Violet Beetle
This is essential for us too.
As edit gives permission to change the default rule or add specific targeting, it doesn't matter that people don't have the toggle permission. Anyone who has create/edit can find a flag that is already enabled and make a change that alters it for all targets, either by changing the default rule or by adding a specific target override.
Unfortunately it's impossible not to give this permission, as if a user doesn't have Create permission in ALL environments, they cannot create flags in ANY environment.
The ideal situation that we would like to support is that our Engineering team can create flags in all environments, but only edit flags in staging environments.
Matt Schillerstrom (PM for Feature Flags)
under review