Adding Users (RBAC)

What is RBAC?

RBAC stands for role-based access control. In Fugue, RBAC determines authentication, or answering the question who are you?; and authorization, or what are you allowed to do?. The RBAC feature allows customers to:

  • create users who interact with Fugue
  • author policy governing access to Fugue
  • manage the administration and implementation of users and policy

A Fugue policy is a fully customizable file that contains rules defining principals (the user, group, or role), actions (operations that principals can perform), and subjects (targets of actions). RBAC allows you to write policy to reflect your organization’s roles and responsibilities. You can quickly, easily, and repeatably define who in your organization can perform actions within an account using Fugue. Combined with Fugue’s multi-account feature, RBAC ensures that only authorized users can operate Fugue within multiple cloud provider accounts.

How It Works

When Fugue is installed your account includes a root user with access to all actions and all subjects by default. The root user allows you to set policy for other users. To implement a new policy, a user writes a policy file in Ludwig, and attaches it to the Fugue Conductor using the Fugue CLI. Once attached, the policy restricts who can take what actions against which account. The policy can be detached, removed, or updated and attached again.

Access for non-root users is implicitly denied; in other words, a user cannot take an action unless it is explicitly written in a rule inside an attached policy. Rules are the core component of policies. A rule is composed of a principal, action, and subject bound together, and a collection of individual rules form a policy.

RBAC in Basic vs. Team Conductors

RBAC support is limited in the Basic Conductor. The Basic Conductor supports authentication for a single user (root), but it does not support authorization, nor does it support multiple users.

The Team Conductor offers full RBAC support, including authentication and authorization, for up to five users. More users may be added for $150 per month each; contact support@fugue.co for more information.