Role-Based Access Control (RBAC)

Available on: Enterprise EditionCloud

How to manage access and permissions to your instance.

Overview

Kestra Enterprise supports Role-Based Access Control (RBAC), allowing you to manage access to workflows and resources by assigning Roles to Users, Groups, and Service Accounts.

The image below shows the relationship between Users, Groups, Service Accounts, Roles, and Bindings (visible on the Access page in the UI).

bindings

A Role is a collection of permissions that can be assigned to Users, Service Accounts, or Groups.
These permissions are defined by a combination of a Permission (e.g., FLOWS) and an Action ( e.g., CREATE).

More information

Permissions

A Permission is a resource that can be accessed by a User or Group. Supported Permissions:

FLOW
EXECUTION
TEMPLATE
NAMESPACE
KVSTORE
DASHBOARD
USER
GROUP
ROLE
BINDING
AUDITLOG
SECRET
BLUEPRINT
IMPERSONATE
SETTING
APP
APPEXECUTION
ME
APITOKEN
SERVICE_ACCOUNT
INVITATION
TENANT_ACCESS
GROUP_MEMBERSHIP

The ME and APITOKEN are removed in Kestra 0.24

Actions

An Action is a specific operation that can be performed on a Permission. Supported Actions:

CREATE
READ
UPDATE
DELETE

Currently Supported Roles

Currently, Kestra only creates an Admin role by default. That role grants full access to all resources.

Apart from that, you can create additional Roles with custom permission combinations. You can create roles and select the permissions and actions in the IAM - Roles tab.

role-creation

Super Admin and Admin

Kestra provides two roles for managing your instance: super admin and admin.

Super Admin is a user type with elevated privileges for global control
Admin is a customizable role that grants full access to all resources (scoped to a tenant if multi-tenancy is enabled).

Summary