Creating accounts, groups, roles, and permissions

In Infrahub, managing access and control starts with creating accounts, assigning them to groups, and managing their roles and permissions. This guide outlines how to create new accounts, accounts groups, and assign roles and permissions.

For more information on roles and permissions, see the Roles and Permissions topic.

Creating a new account

Via the Web Interface

1. Login to Infrahub's web interface as an administrator.
2. Click on Admin in the left side menu.
3. Navigate to the Role Management section.
4. In the Accounts tab, click on Create Account.
5. Fill in the account's details (name, email, and password).
6. Optionally, assign the account to a group.
7. Click Create to create the account.

Via the GraphQL Interface

In the GraphQL sandbox, execute the following mutation to create a new account, replacing the appropriate values as needed:

mutation AddAccount {
  CoreAccountCreate(
    data: {
      name: {value: "<ACCOUNT-NAME>"},
      password: {value: "<ACCOUNT-PASSWORD>"}
      # Optional - Assign the account to an existing group
      member_of_groups: [{hfid: "Infrahub Users"}]
    }
  ) {
    ok
    object {
      hfid
    }
  }
}

Creating a new account group

Via the Web Interface

1. Login to Infrahub's web interface as an administrator.
2. Click on Admin in the left side menu.
3. Navigate to the Role Management section.
4. In the Groups tab, click on Create Account Group.
5. Enter a name for the group.
6. Optionally, assign roles to the group.
7. Click Create to create the group.

Via the GraphQL Interface

In the GraphQL sandbox, execute the following mutation to create a new group:

mutation AddGroup {
  CoreAccountGroupCreate(
    data: {
      name: {value: "<GROUP-NAME>"},
      # Optional - Assign existing roles
      roles: [{hfid: "General Access"}]
    }
  ) {
    ok
    object {
      hfid
    }
  }
}

Creating and assigning roles

Via the Web Interface

1. Login to Infrahub's web interface as an administrator.
2. Click on Admin in the left side menu.
3. Navigate to the Role Management section.
4. In the Roles tab, click on Create Account Role.
5. Provide a name for the role.
6. Select the permissions you wish to assign to the role.
7. Optionally, assign the role to an existing group.
8. Click Create to create the role.

Via the GraphQL Interface

In the GraphQL sandbox, execute the following mutation to create a new role:

mutation AddRole {
  CoreAccountRoleCreate(
    data: {
      name: {value: "<ROLE-NAME>"},
      # Optional - Assign the role to an existing group
      groups: [{hfid: "Infrahub Users"}]
    }
  ) {
    ok
    object {
      hfid
    }
  }
}

Managing permissions

Permissions can be managed through roles assigned to users or groups. Infrahub supports Global and Object-specific permissions, allowing fine-grained control over what users can do within the system. For a complete list of available global and object permissions, see the Roles and Permissions documentation.

Creating and global permissions

Via the Web Interface

1. Login to Infrahub's web interface as an administrator.
2. Click on Admin in the left side menu.
3. Navigate to the Role Management section.
4. In the Global Permissions tab, click on Create Global Permission.
5. Select the action you which to use.
6. Select the decision for this action.
7. Optionally, assign the permission to an existing role.
8. Click Create to create the permission.

Via the GraphQL Interface

In the GraphQL sandbox, execute the following mutation to create a new global permission:

mutation AddGlobalPermissions {
  CoreGlobalPermissionCreate(
    data: {
      action: {value: "manage_accounts"},
      # 6 is the enum value for "allow"
      decision: {value: 6}
    }
  ) {
    ok
    object {
      identifier {
        value
      }
    }
  }
}

Creating and objects permissions

Via the Web Interface

1. Login to Infrahub's web interface as an administrator.
2. Click on Admin in the left side menu.
3. Navigate to the Role Management section.
4. In the Objects Permissions tab, click on Create Object Permission..
5. Provide the namespace and name of the object(s) you want to interact with.
6. Select the action and decision you wish to use for this permission.
7. Optionally, assign the permission to an existing role.
8. Click Create to create the permission.

Via the GraphQL Interface

In the GraphQL sandbox, execute the following mutation to create a new global permission:

mutation AddObjectPermissions {
  CoreObjectPermissionCreate(
    data: {
      namespace: {value: "Builtin"},
      name: {value: "Tag"},
      action: {value: "view"},
      # 4 is the enum value for "allow_other"
      decision: {value: 4 }
    }
  ) {
    ok
    object {
      identifier {
        value
      }
    }
  }
}