Catalog RBAC
This RBAC guide is applicable only to IDP 2.0 customers, as the RBAC Harness platform hierarchy is available exclusively in IDP 2.0.
- To learn how to upgrade, refer to the IDP 2.0 Upgrade Guide.
- If you're using IDP 1.0 and want to implement access control, please refer to the Access Control Guide for IDP 1.0.
With the release of Granular RBAC in IDP 2.0, you can now control access to your Catalog entities—i.e., you can restrict who can create and view these entities. Catalog entities can be created at all available scopes: Account, Org, or Project. To learn more about entities, permissions, and scopes, visit the IDP 2.0 Data Model.
If you're using Harness IDP 2.0, please ensure you have reviewed the IDP 2.0 Overview guide and are familiar with the key steps for upgrading to IDP 2.0. To enable IDP 2.0, you must raise a support ticket to activate the IDP_2_0 feature flag for your account.
RBAC Workflow in Harness IDP
Before configuring RBAC for your Catalog entities, ensure you’ve reviewed the documentation on Scopes, Permissions, and different RBAC Components.
Here’s the workflow for configuring RBAC in Harness IDP:
- Go to your administrative settings and select the scope (Account, Org, or Project) at which you want to configure RBAC.
- Create roles with the desired permissions. Example: If you are configuring RBAC for Catalog entity creation, ensure the role has the Create/Edit (Catalog) permission enabled.
- Create resource groups to apply RBAC to a specific set of resources for the principal. Example: To configure RBAC for Catalog entities, ensure the Catalog resource is added to the resource group.
- Create user groups and add users.
- Assign roles and resource groups to users or user groups.
- If you haven’t already, configure authentication.
Permissions for Catalog Entities
All core Catalog entities (Component, API, Resource) fall under the "Catalog" resource category for RBAC. The following permissions can be configured when creating a custom role:
| Permission | Description |
|---|---|
| Create/Edit | Allows users to create Catalog entities and modify their configuration. |
| View | Allows users to view Catalog entities but not create, modify, or delete them. |
| Delete | Allows users to delete Catalog entities. |
These permissions can be configured when creating a custom role. Select the desired permissions based on the level of access you want to grant. To learn more, see Manage Roles.
Catalog RBAC Example
Configure RBAC for Account-Level Catalog Entity Creation
This example shows how to configure RBAC to allow full control over Catalog entity creation and modification at the Account scope (including all child resources).
In this example, we use:
- A custom role: IDP Catalog Create
- (Optional) A custom resource group: All Catalog Create Resources
- (Optional) A custom user group: Catalog Create Users
The All Catalog Create Resources group exists at the Account scope and provides Create/Edit access to all Catalog entities across the account, including all organizations and projects. The IDP Catalog Create role includes the Create/Edit permission for Catalog resources.
You can access Administrative Settings from your Harness UI directly using the sidenavbar.
Step 1: Create the IDP Catalog Creator Role
- Interactive guide
- Step-by-step
- In Harness, go to Account Settings → Roles under the Access Control section.
- Click New Role to create a new role.
- Name the role IDP Catalog Create. (Optional: Add a description and tags.)
- Click Save.
- Under Permissions → Developer Portal, select:
- Catalog → Create/Edit
- Click Apply Changes.
Learn more about roles: Manage roles | Permissions reference
(Optional) Step 2: Create a custom Resource Group
- Interactive guide
- Step-by-step
- In Harness, go to Account Settings → Resource Groups under Access Control.
- Click New Resource Group.
- Name the group All Catalog Create Resources. (Optional: Select a color, description, and tags.)
- Click Save.
- For Resource Scope, choose All (including all Organizations and Projects). This grants access to the selected resources across the account, including all orgs and projects. More on Resource Scopes
- For Resources, select Specified, and then add Catalog from the table.
- Click Save.
Learn more: Manage resource groups
(Optional) Step 3: Create the "Catalog Create Users" User Group
- Interactive guide
- Step-by-step
- In Harness, go to Account Settings → User Groups under Access Control.
- Click New User Group.
- Name the group Catalog Create Users. (Optional: Add a description and tags.)
- Under Add Users, select the users to include in this group.
- Click Save.
Learn more: Manage user groups | Manage users
Step 4: Assign the Role and Resource Group to the User Group
- Interactive guide
- Step-by-step
- In Harness, go to Account Settings → User Groups.
- Find the Catalog Create Users group and click Manage Roles.
- Under Role Bindings, click Add.
- For Role, select IDP Catalog Create.
- For Resource Group, select All Catalog Create Resources.
- Click Apply.
Learn more: Role binding
This setup configures RBAC so that users in the Catalog Create Users group have Create/Edit access to Catalog entities at the Account scope, as well as within all Organizations and Projects under the account.