RBAC Granularity around Flag Configuration (Left hand side of flag)
long-term
Matt Schillerstrom (PM for Feature Flags)
Improvement around making the editConfig more granular so an enterprise can further split different permissions (i.e. Tag Management)
Log In
Canny AI
Merged in a post:
RBAC: Split "Create" and "Edit" Authorization Grants
N
Nectar Mole
Currently, "create" and "edit" permissions are bundled into a single authorization grant. This request is to de-couple them into separate authorization grants for greater granularity and control.
While this is generally applicable, we can try to narrow it down to a specific list of these authorization grants where we would intend to use this split. Please reach out to schedule some time if this is the case.
Canny AI
Merged in a post:
Separate role for Create and Edit permission for Feature Flags
O
Onyx Antelope
Based on the RBAC model defined, a User is given create access. Hence, when a feature flag is created, it gets created in all environments. As the create+edit permission is clubbed, the User is able to edit (add targets and variations) in the prod environment.
Our requirement is for a User to be able to create the feature flag in prod, but to be not able to do any form of edit to it.
This will require harness to treat create and edit as two separate functions and to be assignable when defining RBAC rules.
Canny AI
Merged in a post:
Need a feature which will allow users to have seperate roles for creating a flag and editing a flag
R
Ruby Octopus
Need a feature which will introduce new permissions that will allow users to have seperate roles for creating a flag and editing a flag. The solution should be able to create FF but they should not be able to make changes to the default FF flag values in Production environment.
F
Fawn Antelope
We need this too.. we want to restrict editing of existing pipelines but grant the permission of creating new ones.
F
Fawn Antelope
This is also essential in basic RBAC permissions for user roles. please separate Create and Edit.
Rohan Gupta
Merged in a post:
Pipeline create restrictions is not possible using roles and the OPA policy
G
Gold Bobolink
Currently we can't restrict users to create pipeline using roles and the OPA policy. Seems there is single Harness API endpoint for both create and edit pipeline operation. Please prioritise as we would like to give the separate permission(create and edit) for users
Harness support ticket #63515
Matt Schillerstrom (PM for Feature Flags)
long-term
S
Sole Chimpanzee
We need this as well for entities such as Project, Pipeline, Secrets, Templates, etc. Most of the time, I want to give a use to Edit any resources without creating new resources.
Right now, this requires that I first create the resource and then add it to a resource group to grant a user Edit permission to that specific resource. It is very time consuming and difficult/impossible to automate.
E
Electric Zebra
This is essential for us too.
As edit gives permission to change the default rule or add specific targeting, it doesn't matter people don't have the toggle permission. Anyone who has create/edit, can find a flag that is already enabled, make a change that alters it for all targets either by changing the default rule, or adding a specific target override.
Unfortunately it's impossible not to give this permission, as if a user doesn't have Create permission in ALL environments, they cannot create flags in ANY environment.
The ideal situation that we would like to support is that our Engineering team can create flags in all environments, but only edit flags in staging environments.