Managing project users
Access to projects is controlled by assigning specific roles to users. The available roles are: admin, developer, viewer and backoffice.
Permission: | admin | developer | viewer | backoffice |
---|---|---|---|---|
View project |
✅ |
✅ |
✅ |
✅ |
Admin project |
✅ |
❌ |
❌ |
❌ |
View services |
✅ |
✅ |
✅ |
❌ |
Deploy services |
✅ |
✅ |
❌ |
❌ |
Update services |
✅ |
✅ |
❌ |
❌ |
Delete services |
✅ |
❌ |
❌ |
❌ |
View routes |
✅ |
✅ |
✅ |
❌ |
Manage routes |
✅ |
✅ |
❌ |
❌ |
View secrets |
✅ |
✅ |
✅ |
❌ |
Manage secrets |
✅ |
✅ |
❌ |
❌ |
Backoffice functions |
✅ |
❌ |
❌ |
✅ |
Backoffice functions include the ability to:
-
View entity event logs and values directly
-
Invoke methods on services, even if not exposed to the internet or protected by ACLs
-
Manage projections
Organization membership is managed separately, see Managing organization users. |
Listing role bindings
To list the role bindings in a project, use the following command:
akka roles list-bindings
Example output:
ROLE BINDING ID ROLE PRINCIPAL MFA
f3e1ad17-d7be-4432-9ab6-edd475c3aa44 admin John Smith <[email protected]> true
311e3752-30f9-43f4-99ef-6cbb4c5f14f3 developer Jane Citizen <[email protected]> true
The Akka CLI can keep a project as context, so you do not need to pass the
|
Granting a role
You can grant a project role to a user in two ways:
1. Invite a user to the project by e-mail
Invite a user to join the project and assign them a role by using the following command:
akka roles invitations invite-user <email address> --role <role>
The user will receive an email inviting them to join the project. Upon acceptance, the role binding will be created.
2. Add a role directly
If the user is already a member of the project, or the project is part of an organization and the user belongs to that organization, you can assign roles directly without sending an invitation.
-
By e-mail:
akka roles add-binding --email <email address> --role <role>
-
By username:
akka roles add-binding --username <username> --role <role>
Deleting a project role bindings
To delete a role binding, first list the role bindings to obtain the role binding ID.
akka roles list-bindings
Example output:
ROLE BINDING ID ROLE PRINCIPAL MFA
f3e1ad17-d7be-4432-9ab6-edd475c3aa44 admin John Smith <[email protected]> true
311e3752-30f9-43f4-99ef-6cbb4c5f14f3 developer Jane Citizen <[email protected]> true
Pass the role binding ID to the following command:
akka roles delete-binding <role binding id>
Managing invitations
To view outstanding invitations, use the following command:
akka roles invitations list
Example output:
EMAIL ROLE
[email protected] admin
Invitations will automatically expire after 7 days. You can manually delete an invitation with the following command:
akka roles invitations delete <email address>
To resend an invitation, first delete the expired invitation and then issue a new one.