Access Policies (RBAC)

Manage policy-based authorization rules on who can do what inside the Kubiya platform
To manage permissions to resources in your organization, you can create, delete, and list policies in Kubiya. Every policy is made up of:
  • subject - the user or role that the policy applies to
  • domain - the domain that the policy applies to
  • action - the action that the policy applies to
  • resource - the resource that the policy applies to
  • workflow - the workflow that the policy applies to
In addition, each policy has a descriptive name attached to it.
Managing policies itself requires permission; organization admins can manage policies by default.
Let’s look at a few examples using CLI commands. These examples rely on the following workflow:
version: 3
type: conversation
steps:
  - id: sources
    type: action
    action:
      name: get_all_sources
      store: news
      parameters: { }
  - id: source
    type: input
    value_type: enum
    prompt: What news channel do you wanna read?
    possible_values: ${sources}
  - id: articles
    type: action
    action:
      store: news
      name: get_articles
      parameters: ${source}
  - id: print message
    type: message
    prompt: workflow executed!
get_news_workflow contains two actions: the first (get_all_sources) presents the user with an array of television news channels and asks them to choose one, and the second (get_articles) retrieves the chosen channel's cover-page articles.
The following command creates a policy that allows a specific user to run a certain action within a specific workflow permanently:
kubiya policy create -n 'simple_action_policy' -w 'get_news_workflow' -a 'news.get_all_sources' -s '[email protected]'
To give the demo user permission to execute every action within the workflow get_news_workflow permanently, run the following CLI command:
kubiya policy create -n 'demo_run_entire_news_workflow' -w 'get_news_workflow' -a '*' -s '[email protected]'
Another example is the following policy, which allows the demo user to run the action get_all_sources from the news action store within any workflow, or directly from the CLI, for 5 minutes:
kubiya policy create -n 'demo_run_action_from_everywhere' -w '*' -a 'news.get_all_sources' -s '[email protected]' -t '5m'
An important feature Kubiya offers is the ability to use identity-provider groups as a policy subject. Currently, Kubiya supports Slack and Okta as identity providers. The following policy enables the R&D team to create a sandbox environment for 1 hour:
kubiya policy create -n 'allow_dev_new_dev_env' -w '*' -a 'devops.create_new_sandbox_env' -s 'rnd-team' -t '1h'
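As an added illustration (not Kubiya's own code or CLI), the following Python model shows how the four policies created above would be evaluated against a request: deny by default, '*' as a wildcard on the workflow or action, an optional TTL after which the policy stops matching, and identity-provider group membership standing in for the subject. The user e-mails, the group table and the timestamps are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical model of the policy fields shown on this page; it is not
# Kubiya's enforcement code. '*' is a wildcard and ttl=None means permanent.
@dataclass(frozen=True)
class Policy:
    name: str
    subject: str                    # user e-mail or identity-provider group
    workflow: str                   # '*' = any workflow, including direct CLI runs
    action: str                     # 'store.action_name' or '*'
    created: datetime
    ttl: Optional[timedelta] = None

    def expired(self, now: datetime) -> bool:
        return self.ttl is not None and now >= self.created + self.ttl

# Constructed sample: the four policies from the text, a placeholder demo
# user, and an assumed identity-provider group membership table.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
POLICIES = [
    Policy("simple_action_policy", "demo@example.com", "get_news_workflow", "news.get_all_sources", T0),
    Policy("demo_run_entire_news_workflow", "demo@example.com", "get_news_workflow", "*", T0),
    Policy("demo_run_action_from_everywhere", "demo@example.com", "*", "news.get_all_sources", T0, timedelta(minutes=5)),
    Policy("allow_dev_new_dev_env", "rnd-team", "*", "devops.create_new_sandbox_env", T0, timedelta(hours=1)),
]
GROUPS = {"alice@example.com": {"rnd-team"}}   # assumed IdP group membership

def at(minutes: int) -> datetime:
    """Clock helper for the demo: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)

def is_allowed(user, workflow, action, now=T0, policies=POLICIES, groups=GROUPS):
    """Deny by default; return the name of the first unexpired policy that
    matches the request, or None. workflow=None models a direct CLI run."""
    subjects = {user} | groups.get(user, set())
    for p in policies:
        if p.expired(now) or p.subject not in subjects:
            continue
        if p.action != "*" and p.action != action:
            continue
        if p.workflow != "*" and p.workflow != workflow:
            continue
        return p.name
    return None
```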