Role-Based Access Control (RBAC)

Available on: Enterprise Edition, Cloud

How to manage access and permissions to your instance.

Overview

Kestra Enterprise supports Role-Based Access Control (RBAC), allowing you to manage access to workflows and resources by assigning Roles to Users, Groups, and Service Accounts.

The image below shows the relationship between Users, Groups, Service Accounts, Roles, and Bindings (visible on the Access page in the UI).

[Image: bindings]

Roles and Bindings

A Role is a collection of permissions that can be assigned to Users, Service Accounts, or Groups.
These permissions are defined by a combination of a Permission (e.g., FLOW) and an Action (e.g., CREATE).


Permissions

A Permission is a resource that can be accessed by a User or Group. Supported Permissions:

  • FLOW
  • EXECUTION
  • TEMPLATE
  • NAMESPACE
  • KVSTORE
  • DASHBOARD
  • USER
  • GROUP
  • ROLE
  • BINDING
  • AUDITLOG
  • SECRET
  • BLUEPRINT
  • IMPERSONATE
  • SETTING
  • APP
  • APPEXECUTION
  • ME
  • APITOKEN
  • SERVICE_ACCOUNT
  • INVITATION
  • TENANT_ACCESS
  • GROUP_MEMBERSHIP

Actions

An Action is a specific operation that can be performed on a Permission. Supported Actions:

  • CREATE
  • READ
  • UPDATE
  • DELETE

Currently Supported Roles

Currently, Kestra only creates an Admin role by default. That role grants full access to all resources.

Apart from that, you can create additional Roles with custom permission combinations. You can create roles and select the permissions and actions in the IAM - Roles tab.

[Image: role-creation]

Super Admin and Admin

Kestra provides two roles for managing your instance: super admin and admin.

  • Super Admin is a user type with elevated privileges for global control.
  • Admin is a customizable role that grants full access to all resources (scoped to a tenant if multi-tenancy is enabled).
How many Roles can a User, a Service Account or Group have?
How to change the lockout behavior after too many failed login attempts.

Users

A User represents a person who can access Kestra, identified by an email address. Each user may have personal information attached, such as a first name or last name.

They can change their own password and adjust other settings such as theme, editor preferences, timezone, and default namespace.

To add users to your Kestra instance, you can do one of the following:

  • Invite users to your instance or tenant from the UI
  • Sync users from an external identity provider using SCIM
  • Create users directly using Terraform

Change password

If a user wants to change their password, they can do it on their profile. This page can be accessed through the profile in the bottom left corner of the UI.

[Image: Change password in the UI]

Reset password (by a Super Admin)

Kestra provides a "forgot password" functionality that your users can leverage to reset their password. This functionality is available on the login page, where users can click on the "Forgot password?" link. On top of that, a Super Admin can reset a user's password from the User Edit page by going to Instance - Users.

[Image: Reset Password]

[Image: Superadmin Change Password]

Groups

Each Group is a collection of Owners, Users, or Service Accounts.

  • Each Owner can add users to a group without being a Kestra Admin.
  • Each User can be assigned to zero, one, or more Groups.
  • Each Service Account can also be assigned to zero, one, or more Groups.

Group Owner

Groups are a useful mechanism for providing the same roles to multiple Users or Service Accounts at once by binding a role to a Group. Users with the GROUP_MEMBERSHIP permission can add members to groups and change their membership type.

What happens if you delete a Group?

All Users and Service Accounts assigned to that Group will lose the permissions that were bound to the Group. However, the Users and Service Accounts themselves will still exist.
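To make the model concrete, here is an added Python sketch (not Kestra's own code) of how Roles, Bindings and Groups resolve to a subject's effective permissions, and of what the page says happens when a Group is deleted. The Permission and Action names are taken from this page; the role name FlowReader, the subjects alice@example.com and ci-bot, and the group data-team are constructed for the example.

```python
from dataclasses import dataclass, field

PERMISSIONS = {"FLOW", "EXECUTION", "NAMESPACE", "SECRET", "GROUP_MEMBERSHIP"}  # subset of the page's list
ACTIONS = {"CREATE", "READ", "UPDATE", "DELETE"}

@dataclass
class Role:
    name: str
    grants: set  # (Permission, Action) pairs, e.g. ("FLOW", "READ")

# The default Admin role: every Permission combined with every Action.
ADMIN = Role("Admin", {(p, a) for p in PERMISSIONS for a in ACTIONS})

@dataclass
class Directory:
    roles: dict = field(default_factory=dict)     # role name -> Role
    groups: dict = field(default_factory=dict)    # group name -> set of member ids
    subjects: set = field(default_factory=set)    # user emails and service-account ids
    bindings: list = field(default_factory=list)  # (kind, target, role); kind is USER, SERVICE_ACCOUNT or GROUP

    def effective_grants(self, subject):
        """Grants bound to the subject directly plus grants bound to any Group it belongs to."""
        member_of = {g for g, members in self.groups.items() if subject in members}
        grants = set()
        for kind, target, role in self.bindings:
            if (kind != "GROUP" and target == subject) or (kind == "GROUP" and target in member_of):
                grants |= self.roles[role].grants
        return grants

    def allowed(self, subject, permission, action):
        return (permission, action) in self.effective_grants(subject)

    def delete_group(self, name):
        """Deleting a Group drops its bindings; the members themselves are left in place."""
        del self.groups[name]
        self.bindings = [b for b in self.bindings if not (b[0] == "GROUP" and b[1] == name)]

def scenario():
    """Constructed walkthrough: alice reads flows only via the data-team Group; ci-bot is bound to Admin directly."""
    reader = Role("FlowReader", {("FLOW", "READ"), ("EXECUTION", "READ")})
    d = Directory(roles={"Admin": ADMIN, "FlowReader": reader})
    d.subjects = {"alice@example.com", "ci-bot"}
    d.groups["data-team"] = {"alice@example.com", "ci-bot"}
    d.bindings += [("GROUP", "data-team", "FlowReader"), ("SERVICE_ACCOUNT", "ci-bot", "Admin")]
    before = d.allowed("alice@example.com", "FLOW", "READ")   # True, via the Group binding
    d.delete_group("data-team")
    after = d.allowed("alice@example.com", "FLOW", "READ")    # False: the Group binding is gone
    # The user still exists, and ci-bot keeps its direct Admin binding.
    return before, after, "alice@example.com" in d.subjects, d.allowed("ci-bot", "SECRET", "DELETE")
```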

RBAC FAQ

Why is Admin a Role rather than User type?
Why can't I edit an existing Binding?
