Manage roles
Roles are an RBAC component that contain a set of permissions. Roles define what actions, such as viewing, creating, editing, or deleting, can be taken on Harness resources. When you assign a role to a user, user group, or service account, the permissions defined in the role are granted to the target user, group, or service account.
Harness includes some built-in roles, and you can create custom roles, which are useful for limited and fine-grained access control.
Roles are scope-specific, and you can create them at any scope. For example, a role created at the project scope is only available in that project.
Roles and resource groups work together
Roles are applied together with resource groups to create a complete set of permissions and access. For example:
- You can assign the Organization Admin role with a resource group that is limited to specific projects or specific organizations.
- You can assign the Pipeline Executor role with a resource group that only allows access to specific pipelines, rather than all pipelines in the project.
RBAC is additive. The total expanse of a user/service account's permissions and access is the sum of all the roles and resource groups from all user groups they belong to, as well as any roles and resource groups assigned directly to them as an individual user/service account.
It is important to follow the principle of least privilege (PoLP). This is a security principle that means users are granted the absolute minimum access/permissions necessary to complete their tasks and nothing more.
While Harness includes some built-in roles and resource groups, to ensure the least privilege, consider:
- Being selective in the way you apply roles and resource groups.
- Creating your own roles and resource groups as needed for refined access control.
Built-in roles
Harness includes several built-in roles. To examine the permissions assigned to these roles, view them in Harness:
-
In Harness, go to the scope where the role exists.
- To view a role at the account scope, select Account Settings, and then select Access Control.
- To view a role at the organization scope, go to Account Settings, select Organizations, select the relevant organization, and then select Access Control.
- To view a role at the project scope, go to Projects, select the relevant project, and then select Access Control.
-
Select Roles in the header.
-
Select the role you want to view. For details about specific permissions, go to the Permissions reference.
Built-in roles can be hidden. This functionality is behind the feature flags PL_HIDE_PROJECT_LEVEL_MANAGED_ROLE
, PL_HIDE_ORGANIZATION_LEVEL_MANAGED_ROLE
, and PL_HIDE_ACCOUNT_LEVEL_MANAGED_ROLE
. Contact Harness Support to enable the features.
Platform roles
These roles are not specific to any modules. They are for administration and oversight of an entire Harness account, organization, or project. They also provide access to cross-module components, such as dashboards and pipelines.
Role | Scope |
---|---|
Account Admin | Account |
Account Viewer | Account |
Dashboard Admin | Account |
Dashboard Viewer | Account |
Billing Admin | Account |
Organization Admin | Organization |
Organization Viewer | Organization |
Project Admin | Project |
Project Viewer | Project |
Pipeline Executor | Project |
Module-specific roles
Harness creates these roles for you depending on the modules you use. These roles exist at all scopes.
- Feature Flag Manage Role
- CET Admin
- Chaos Admin
- CCM Admin
- CCM Viewer
- Security Testing SecOps Role
- Security Testing Developer Role
- GitOps Admin Role
- Code Admin (for Harness Code Repository)
Manage roles in Harness
To manage roles in Harness, you need a role, such as Account Admin, that has permission to view, create/edit, and delete roles.