Service Accounts Available to Lower Scopes
pending feedback
Skilled Peacock
A user at account level is able to be granted privileges at a lower scope, but this isn't the case with Service Accounts. It would be great to allow, say, an Account level Service Account to be granted RBAC at Orgs or Projects without needing a complex Resource Group configuration. Right now we only need a service account to be able to access a single shared secret at account level, which means it must be vended there, but the rest of the privileges are scoped further down. Being able to add these roles at the actual scope would be much better than limiting via resource group.
Prateek Mittal
pending feedback
Prateek Mittal
Hi Andrew,
Harness now allows a feature to create Service Accounts at the account level and use them at the project level without needing to create additional service accounts for each project.
Can you please let me know if this solves your use case.
Thanks,
Prateek
Skilled Peacock
Prateek Mittal functionally this covers our use case and we can use it to grant the permissions required, but there's nowhere in the UI to view the assigned roles (from what I can see), which is different to those assigned to users or user groups, as these have a UI element to show the privileges at the lower scope. Is a UI update planned?
Prateek Mittal
Skilled Peacock: The current feature is only available with the API.
Skilled Peacock
Prateek Mittal without being able to see the overall permissions in the UI I don't think we could make use of it, even though it technically solves the use case. Knowing at a glance what permissions an account has, and at which scope, is a key part of security management. Having to pull this through the API and process the data is too onerous.
Prateek Mittal
under review
Canny AI
Merged in a post:
Enhancement Request: Allow project level service accounts reference connectors at higher levels
Olive Giraffe
We have configured our repository (Artifactory) connector at the account level, so that it can be shared among all orgs and projects. We are also encouraging developers to create service accounts (for example, to be used in pipeline triggers) at the project level, so as to follow the principle of least privilege. The problem is, if a service account is created at project level, there is no way to grant it access to the Artifactory connector at the account level. That forces connector duplication.
This request is to fix that: create a method to allow service accounts to be granted permissions to objects at the "higher" level.
Canny AI
Merged in a post:
Service Account Cascade Like Users
Skilled Peacock
Currently you can give a user privileges at each scope, as they are provisioned at the account level but can be "re-provisioned" at the org or project scope. This isn't the case for Service Accounts, so if you have a service account managing an org or project that also needs any account level permissions, you must create all of the access at account level and use resource groups to target the relevant org/project. It would be much better to treat service accounts the same as users so they can be re-permissioned at the scopes you would like the service account to access.
Our use case example: we share a GitHub connector at account level but want org admin and project admin service accounts. These latter accounts can't be used, as they cannot create triggers because the shared GitHub connector/secret permissions are not available to the account and therefore it can't create the trigger in the GitHub repo. This means we now have a much more complex service account setup just for one shared connector/secret.
Another option could be to allow service accounts at a lower scope to be granted higher scope permissions, but I think this would be more confusing than a cascading account option.
Canny AI
Merged in a post:
Org-Level Connector Visibility within Projects
Ready Lungfish
It would be extremely helpful to have org-level connectors visible in a "read-only" way within projects within that org. Currently, if we give developers access to work within a project, we have to give them access to read objects within the org as well (the most prevalent being connectors). It would be extremely beneficial if these objects were shown in a read-only fashion within their org's projects to make it more clear what objects are actually available within a project for its pipelines.
Canny AI
Merged in a post:
Account-Level Permissions to Project-Level Service Accounts
Intellectual Finch
User would like to see a feature where service accounts at the project level are granted permissions to account-level resources such as templates. This would be for a use case where there are hundreds of templates being used by multiple projects, each of which would need access to these templates.
Prateek Mittal
Hi Jeffrey,
We have a design for the above problem and would like to discuss this with you. Please let me know your availability.
Thanks,
Prateek
Prateek Mittal
pending feedback
Prateek Mittal
Hi Andrew,
Thanks for providing this feedback. If I am understanding correctly, you want us to inherit the account level service account to other scopes (projects) as well.
We are currently analyzing the request and working on designing this. Would you be okay to discuss this over a call where I can walk through the design and discuss more?
Thanks,
Prateek
Skilled Peacock
Prateek Mittal Happy to discuss on a call and show you the problem we're working around. Please email me on my Harness account or go through Max Printz to get hold of me.