Authorization
ScaleOps implements a comprehensive role-based access control (RBAC) system that enables granular permission management across the platform. After configuring your authentication provider, you can establish authorization policies by assigning specific roles to users and groups.
Role-Based Access Control
ScaleOps provides three distinct role types with escalating levels of permissions:
- Admin - Full platform access including user management, policy creation, alert configuration, workload automation, and comprehensive content viewing capabilities
- Operator - Workload automation and policy management permissions with full content viewing access
- Viewer - Read-only access to all platform content and analytics
User and Group Permission Management
The authorization system enables role assignment based on user identity or group membership, providing flexible access control for enterprise environments.
Default User Configuration
Configure default user roles by specifying usernames for each role type:
authProvider:
  # ... provider configuration
  defaultAdminUsers:
    - <USERNAME_1>
    - <USERNAME_2>
  defaultOperatorUsers:
    - <USERNAME_3>
    - <USERNAME_4>
  defaultViewerUsers:
    - <USERNAME_5>
    - <USERNAME_6>

Default Group Configuration
Establish default group-based permissions by defining group assignments for each role:
authProvider:
  # ... provider configuration
  defaultAdminGroups:
    - <GROUP_1>
    - <GROUP_2>
  defaultOperatorGroups:
    - <GROUP_3>
    - <GROUP_4>
  defaultViewerGroups:
    - <GROUP_5>
    - <GROUP_6>

Static RBAC Rules via Helm Chart (available in v1.29.5+)
You can define immutable RBAC rules directly in your Helm chart values. These rules are deployed as a Kubernetes ConfigMap and cannot be edited or deleted through the ScaleOps UI or API, making them ideal for GitOps-managed environments. Note that "immutable" means immutable from within ScaleOps: anyone with write access to that ConfigMap in the cluster can still change it, so restrict Kubernetes RBAC on the ScaleOps namespace and let your GitOps tool reconcile the values file.
To configure static rules, uncomment and populate the authorization.rules section under authProvider in your Helm values:
authProvider:
  authorization:
    enabled: true
    rules:
      # Admin rule — full access to all clusters and namespaces
      - groupName: scaleops-admins@company.com
        role: Admin
      # Operator rule — restricted to specific clusters
      - groupName: devops-team
        role: Operator
        targetClusters:
          - production
          - staging
      # Viewer rule — restricted to specific namespaces by name
      - groupName: viewers
        role: Viewer
        targetNamespaces:
          - namespaceNames:
              - kube-system
              - monitoring
            labelSelector: {}
      # Viewer rule — restricted to namespaces matching a label selector
      - groupName: platform-viewers
        role: Viewer
        targetNamespaces:
          - namespaceNames: []
            labelSelector:
              matchLabels:
                env: production
                team: platform

Each rule supports the following fields:
| Field | Description |
|---|---|
| groupName | The user email or group name the rule applies to |
| role | One of Admin, Operator, or Viewer |
| targetClusters | (Optional) List of cluster names the rule is restricted to |
| targetTags | (Optional) List of cluster tags the rule is restricted to |
| targetNamespaces | (Optional) List of namespace filters, each by name (namespaceNames) or by label selector (labelSelector) |
| isUserRule | (Optional) Set to true when groupName refers to a user, false when it refers to a group |
Static rules appear in the Users & Groups permission table with editing disabled. They are merged with any rules created through the UI, with static rules taking precedence when there is a conflict.
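The following script is an added example, not part of ScaleOps or its Helm chart: an offline checker that validates a static rule list for the mistakes the field table above makes easy (unknown role, a namespace filter that selects nothing, two rules for the same subject) and then answers "what role does this user or group get on this cluster and namespace?" for the rules shown above. The rule list and the cluster inventory are constructed for the example (the extra `qa` rule exercises targetTags), and the evaluation semantics are assumptions, not ScaleOps' documented behaviour: a rule without target fields applies everywhere (as the Admin rule does), namespace filters are OR-ed and match by name or by a non-empty matchLabels, and the highest role among all matching rules wins. In practice you would load the rules from `authProvider.authorization.rules` in values.yaml with a YAML parser instead of the inline list.

```python
"""Offline checker for ScaleOps-style static RBAC rules (added example, not ScaleOps code)."""
from typing import Dict, Iterable, List, Optional

ROLE_RANK = {"Viewer": 0, "Operator": 1, "Admin": 2}

# Constructed: the rules from the Helm values above, plus one targetTags rule ("qa").
STATIC_RULES = [
    {"groupName": "scaleops-admins@company.com", "role": "Admin", "isUserRule": True},
    {"groupName": "devops-team", "role": "Operator",
     "targetClusters": ["production", "staging"]},
    {"groupName": "viewers", "role": "Viewer",
     "targetNamespaces": [{"namespaceNames": ["kube-system", "monitoring"],
                           "labelSelector": {}}]},
    {"groupName": "platform-viewers", "role": "Viewer",
     "targetNamespaces": [{"namespaceNames": [],
                           "labelSelector": {"matchLabels": {"env": "production",
                                                             "team": "platform"}}}]},
    {"groupName": "qa", "role": "Viewer", "targetTags": ["nonprod"]},
]

# Constructed inventory: cluster -> its tags and its namespaces with their labels.
CLUSTERS = {
    "production": {"tags": ["prod"], "namespaces": {
        "kube-system": {},
        "payments": {"env": "production", "team": "platform"},
        "dev-sandbox": {"env": "dev", "team": "platform"}}},
    "staging": {"tags": ["nonprod"], "namespaces": {
        "monitoring": {},
        "payments": {"env": "staging", "team": "platform"}}},
    "lab": {"tags": ["nonprod"], "namespaces": {"monitoring": {}}},
}


def validate_rules(rules: List[dict]) -> List[str]:
    """Return human-readable problems found in a rule list (empty list means clean)."""
    problems = []
    role_by_subject: Dict[tuple, str] = {}
    for i, rule in enumerate(rules):
        subject = rule.get("groupName")
        if not subject:
            problems.append(f"rule {i}: missing groupName")
        if rule.get("role") not in ROLE_RANK:
            problems.append(f"rule {i}: role must be Admin, Operator or Viewer, got {rule.get('role')!r}")
        for field in ("targetClusters", "targetTags", "targetNamespaces"):
            if field in rule and not isinstance(rule[field], list):
                problems.append(f"rule {i}: {field} must be a list")
        filters = rule.get("targetNamespaces") or []
        for j, flt in enumerate(filters if isinstance(filters, list) else []):
            names = flt.get("namespaceNames") or []
            labels = (flt.get("labelSelector") or {}).get("matchLabels") or {}
            if not names and not labels:  # selects nothing: almost certainly a mistake
                problems.append(f"rule {i}: targetNamespaces[{j}] has neither namespaceNames nor matchLabels")
        # Two static rules giving the same subject different roles: ambiguous, flag for review.
        key = (subject, bool(rule.get("isUserRule", False)))
        if key in role_by_subject and role_by_subject[key] != rule.get("role"):
            problems.append(f"rule {i}: {subject!r} already has role {role_by_subject[key]}")
        role_by_subject.setdefault(key, rule.get("role"))
    return problems


def namespace_matches(filters: List[dict], ns_name: str, ns_labels: Dict[str, str]) -> bool:
    """Assumed semantics: filters are OR-ed; a namespace matches a filter if its name is
    listed or its labels contain every matchLabels pair. Empty matchLabels matches nothing."""
    for flt in filters:
        if ns_name in (flt.get("namespaceNames") or []):
            return True
        want = (flt.get("labelSelector") or {}).get("matchLabels") or {}
        if want and all(ns_labels.get(k) == v for k, v in want.items()):
            return True
    return False


def effective_role(rules: List[dict], subjects: Iterable[str], cluster: str,
                   namespace: str, inventory: dict = CLUSTERS) -> Optional[str]:
    """Highest role any rule grants to one of `subjects` (the caller's username plus group
    names) on cluster/namespace; None when no rule applies. Absent target fields mean
    unrestricted, which is how the Admin rule above gets every cluster and namespace."""
    subjects = set(subjects)
    info = inventory.get(cluster)
    if info is None:
        return None
    best = None
    for rule in rules:
        if rule.get("groupName") not in subjects:
            continue
        if rule.get("targetClusters") and cluster not in rule["targetClusters"]:
            continue
        if rule.get("targetTags") and not set(rule["targetTags"]) & set(info["tags"]):
            continue
        if rule.get("targetNamespaces"):
            labels = info["namespaces"].get(namespace)
            if labels is None or not namespace_matches(rule["targetNamespaces"], namespace, labels):
                continue
        if best is None or ROLE_RANK[rule["role"]] > ROLE_RANK[best]:
            best = rule["role"]
    return best


if __name__ == "__main__":
    print("validation:", validate_rules(STATIC_RULES) or "clean")
    for who, cl, ns in [(["devops-team"], "production", "payments"), (["viewers"], "staging", "payments"),
                        (["platform-viewers"], "production", "dev-sandbox"), (["qa"], "lab", "monitoring")]:
        print(who, cl, ns, "->", effective_role(STATIC_RULES, who, cl, ns))
```

Run the checker in CI against the rendered values file before the chart is applied; because static rules override UI-created rules on conflict, a typo in a static rule silently wins over whatever an administrator set in the Users & Groups table.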
Control access to clusters and namespaces
Configure user and group access to specific clusters and namespaces. These are controlled by the Allowed Clusters and Allowed Namespaces columns.
- Allowed Clusters: use the dropdown to select which clusters the user or group can access.
- Allowed Namespaces: use the dropdown to select which namespaces the user or group can access. Namespaces can be selected in two ways:
- By Name: select the namespaces to allow access to by name
- By Label: use label selectors to define namespace access dynamically based on namespace labels
