Adding Users (RBAC)
What is RBAC?
RBAC stands for role-based access control. In Fugue, RBAC determines authentication, which answers the question "who are you?", and authorization, which answers the question "what are you allowed to do?". The RBAC feature allows customers to:
- create users who interact with Fugue
- author policy governing access to Fugue
- manage the administration and implementation of users and policy
A Fugue policy is a fully customizable file that contains rules defining principals (the user, group, or role), actions (operations that principals can perform), and subjects (targets of actions). RBAC allows you to write policy to reflect your organization’s roles and responsibilities. You can quickly, easily, and repeatably define who in your organization can perform actions within an account using Fugue. Combined with Fugue’s multi-account feature, RBAC ensures that only authorized users can operate Fugue within multiple cloud provider accounts.
How It Works
When Fugue is installed, your account includes a root user with access to all actions and all subjects by default. The root user allows you to set policy for other users. To implement a new policy, a user writes a policy file in Ludwig and attaches it to the Fugue Conductor using the Fugue CLI. Once attached, the policy restricts who can take what actions against which account. It also works at the process level, restricting who can take what actions against which process in an account. The policy can be detached, removed, or updated and attached again.
Access for non-root users is implicitly denied; in other words, a user cannot take an action unless it is explicitly written in a rule inside an attached policy. Rules are the core component of policies. A rule is composed of a principal, action, and subject bound together, and a collection of individual rules forms a policy.
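
The evaluation model described above, written as an added Python example; it is not Fugue's code and not Ludwig policy syntax. The class names, users, actions and account names are constructed, and matching account-level and process-level subjects exactly (with no inheritance between them) is an assumption of this model.

```python
from dataclasses import dataclass
from typing import Optional

ROOT = "root"  # the root user: all actions on all subjects by default


@dataclass(frozen=True)
class Subject:
    """Target of an action: a whole account, or one process in an account."""
    account: str
    process: Optional[str] = None  # None means the account itself


@dataclass(frozen=True)
class Rule:
    """One rule binds a principal, an action and a subject together."""
    principal: str
    action: str
    subject: Subject


class Conductor:
    """Toy stand-in for the component a policy is attached to (hypothetical)."""

    def __init__(self):
        self.policy = frozenset()  # nothing attached yet

    def attach(self, rules):
        self.policy = frozenset(rules)  # re-attaching replaces the old policy

    def detach(self):
        self.policy = frozenset()

    def is_allowed(self, principal, action, subject):
        if principal == ROOT:
            return True
        # Implicit deny: only an explicitly written rule grants access.
        return Rule(principal, action, subject) in self.policy

    def grants_for(self, principal):
        """Everything a principal may do, for an access review."""
        return sorted((r.action, r.subject.account, r.subject.process or "")
                      for r in self.policy if r.principal == principal)


# Constructed sample policy (names are made up for illustration).
PROD = Subject("prod-account")
WEB = Subject("prod-account", "web-app")
SAMPLE_POLICY = [
    Rule("alice", "status", PROD),  # account-level rule
    Rule("bob", "kill", WEB),       # process-level rule
]
```

Listing `grants_for` for each principal after every policy change gives a quick check that no rule grants more than the role requires.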