Access Policies (RBAC)

Manage policy-based authorization rules on who can do what inside the Kubiya platform
In order to manage permissions to resources in your organization, it’s possible to create, delete, and list policies in kubiya. Every policy is made up of:
  • subject - the user or role that the policy applies to
  • domain - the domain that the policy applies to
  • action - the action that the policy applies to
  • resource - the resource that the policy applies to
  • workflow - the workflow that the policy applies to
In addition, each policy has a descriptive name attached to it.
One must have permissions in order to be able to manage policies, e.g. organization admins can manage policies by default.
Let’s see a few examples via cli commands. In these examples, we rely on the following workflow:
version: 3
type: conversation
- id: sources
type: action
name: get_all_sources
store: news
parameters: { }
- id: source
type: input
value_type: enum
prompt: What news channel do you wanna read?
possible_values: ${sources}
- id: articles
type: action
store: news
name: get_articles
parameters: ${source}
- id: print message
type: message
prompt: workflow executed!
get_news_workflow contains two actions: one that displays the user an array of television news channels and asks the user to choose one (get_all_sources) and the second retrieves the channel's cover page articles (get_articles).
The following command creates a policy that allows a specific user to run a certain action within a specific workflow permanently:
kubiya policy create -n 'simple_action_policy' -w 'get_news_workflow' -a 'news.get_all_sources' -s '[email protected]'
To give demo user permissions to execute every action within the workflow get_news_workflow permanently we can run the following cli command:
kubiya policy create -n 'demo_run_entire_news_workflow' -w 'get_news_workflow' -a '*' -s '[email protected]'
Another example is the following policy that allows the demo user to run the action get_all_sources from news action-store within any workflow or from the cli for 5 minutes:
kubiya policy create -n 'demo_run_action_from_everywhere' -w '*' -a 'news.get_all_sources' -s '[email protected]' -t '5m'
An important feature Kubiya offers is to use identity provider groups as a policy subject. Currently, Kubiya supports Slack and Okta as identity providers. The following policy enables the R&D team to create a sandbox environment for 1 hour:
kubiya policy create -n 'allow_dev_new_dev_env' -w '*' -a 'devops.create_new_sandbox_env' -s 'rnd-team' -t '1h'