Permissions

This reference documents all permissions available in Infrahub's authorization system. Permissions control what actions users can perform and what resources they can access within the platform.

Info: For conceptual explanations and usage guidance, see the roles and permissions topic.

Global permissions

Global permissions control system-wide actions that affect the entire platform. Infrahub defines the following global permissions:

| Identifier | Action | Decision | Description |
|---|---|---|---|
| global:edit_default_branch:allow_all | edit_default_branch | Allow | Allows editing content in the default branch |
| global:manage_accounts:allow_all | manage_accounts | Allow | Allows creating, updating, and deleting user accounts |
| global:manage_permissions:allow_all | manage_permissions | Allow | Allows configuring permissions and roles |
| global:manage_repositories:allow_all | manage_repositories | Allow | Allows creating and managing repositories |
| global:merge_branch:allow_all | merge_branch | Allow | Allows merging branches |
| global:merge_proposed_change:allow_all | merge_proposed_change | Allow | Allows merging proposed changes |
| global:manage_schema:allow_all | manage_schema | Allow | Allows modifying the schema definition |
| global:super_admin:allow_all | super_admin | Allow | Grants complete administrative access |

Global permission attributes

  • Identifier: A unique string that identifies the permission, automatically generated from the Action and Decision values.
  • Action: The specific system operation that the permission controls.
  • Decision: Determines whether the action is permitted:
    • Allow: Grants permission for the action.
    • Deny: Prohibits the action.
  • Description: A brief explanation of what the permission enables a user to do.

Object permissions

Object permissions control actions on specific types of objects and can be applied across different branch types. They provide fine-grained control over data operations within Infrahub.

| Identifier | Object Type | Action | Decision | Description |
|---|---|---|---|---|
| object:*:*:create:allow_other | * (all types) | create | allow_other | Allows creating any object, but only on non-default branches |
| object:*:*:view:allow_all | * (all types) | view | allow_all | Allows viewing any object across both default and non-default branches |
| object:Builtin:Tag:update:deny | BuiltinTag | update | deny | Denies updating objects of type BuiltinTag on all branches |
| object:*:Generic:view:allow_all | *Generic | view | allow_all | Allows viewing all objects with 'Generic' in their type (LocationGeneric, DeviceGeneric...) |

Object permission attributes

  • Identifier: A unique string that identifies the permission, computed from the Object Type, Action, and Decision.
  • Object Type: The type of object the permission applies to (for example Tag, Device):
    • Can include a namespace prefix (for example Builtin:Tag)
    • Supports wildcards (*) to apply to multiple object types
    • Can use partial matching with wildcards (for example *Generic)
  • Action: The specific operation allowed on the object:
    • view: Permission to read or access the object
    • create: Permission to create new objects of this type
    • update: Permission to modify existing objects
    • delete: Permission to remove objects
    • any: Applies to all possible actions
  • Decision: Controls whether the action is allowed or denied, and on which branch types:
    • allow_default: Permits the action only on the default branch
    • allow_other: Permits the action only on non-default branches
    • allow_all: Permits the action on all branches
    • deny: Prohibits the action on all branches

Default permission setup

Infrahub comes with a default configuration that contains pre-configured users, groups, and roles to simplify access management from the start. These defaults ensure that key administrative and access capabilities are ready to use out of the box.

Default accounts

| Account | Description |
|---|---|
| Admin | Default administrative user that belongs to the Super Administrators group with complete system access |

Default groups

| Group Name | Description | Assigned Role |
|---|---|---|
| Infrahub Users | Standard users with permissions to view and interact with resources | General Access |
| Super Administrators | System administrators with unrestricted access to all features | Super Administrator |

Default roles

General access

This role grants standard users the ability to view resources and make changes in non-default branches.

| Permission | Description |
|---|---|
| global:manage_repositories:allow_all | Manage repositories across all branches |
| global:manage_schema:allow_all | Configure and modify the system schema |
| global:merge_proposed_change:allow_all | Merge proposed changes across all branches |
| object:*:*:view:allow_all | View all objects across all branches and namespaces |
| object:*:*:any:allow_other | Perform any action on objects in non-default branches |

Super administrator

This role provides complete administrative control over the entire Infrahub system.

| Permission | Description |
|---|---|
| global:super_admin:allow_all | Full administrative access to all aspects of the system |

Anonymous user

When Infrahub is configured to allow anonymous access, a special role called Anonymous User is created. This role defines the permissions granted to unauthenticated users. The default configuration includes:

| Permission | Description |
|---|---|
| object:*:*:any:deny | Explicitly denies all actions on all objects (for clarity) |
| object:*:*:view:allow_all | Grants read-only access to all objects across all branches |

This role can be customized by changing the main.anonymous_access_role configuration setting or the INFRAHUB_ANONYMOUS_ACCESS_ROLE environment variable.
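The following Python module is an added example, not Infrahub's own code, that models how the object permission identifiers described in the "Object permission attributes" section are built and parsed, how the object type, action and branch-type decision of a single permission are matched, and how a role such as the Anonymous User role above (an `any:deny` combined with a `view:allow_all`) resolves to read-only access. The glob-style object-type matching and the precedence rule (an explicit action outranks `any`, a deny wins within the same specificity, and no matching permission means denied) are assumptions of this example, not Infrahub's documented resolver; the `TAG_LOCKED` role is constructed for illustration.

```python
"""Model of Infrahub-style object permissions (added example, not Infrahub code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Actions and decisions as listed in the object permission attributes section.
ACTIONS = {"view", "create", "update", "delete", "any"}
DECISIONS = {"allow_default", "allow_other", "allow_all", "deny"}


@dataclass(frozen=True)
class ObjectPermission:
    namespace: str  # e.g. "Builtin" or the wildcard "*"
    name: str       # e.g. "Tag", "*" or a glob such as "*Generic"
    action: str
    decision: str

    @property
    def identifier(self) -> str:
        # Identifier computed from object type, action and decision, laid out
        # like the page's examples (object:<namespace>:<name>:<action>:<decision>).
        return f"object:{self.namespace}:{self.name}:{self.action}:{self.decision}"

    @classmethod
    def from_identifier(cls, ident: str) -> "ObjectPermission":
        parts = ident.split(":")
        if len(parts) != 5 or parts[0] != "object":
            raise ValueError(f"not an object permission identifier: {ident!r}")
        _, namespace, name, action, decision = parts
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if decision not in DECISIONS:
            raise ValueError(f"unknown decision {decision!r}")
        return cls(namespace, name, action, decision)

    def matches_type(self, kind: str) -> bool:
        # kind is "Namespace:Name" (e.g. "Builtin:Tag"). "*" matches anything;
        # other patterns use shell-style globbing (assumption of this example).
        namespace, _, name = kind.partition(":")
        return fnmatchcase(namespace, self.namespace) and fnmatchcase(name, self.name)

    def applies(self, kind: str, action: str, default_branch: bool) -> bool:
        """True if this permission says something about (kind, action) on this branch type."""
        if not self.matches_type(kind):
            return False
        if self.action not in ("any", action):
            return False
        if self.decision == "allow_default":
            return default_branch
        if self.decision == "allow_other":
            return not default_branch
        return True  # allow_all and deny cover every branch type


def is_allowed(perms, kind: str, action: str, default_branch: bool) -> bool:
    """Resolve a set of permissions for one request.

    Assumed precedence (this example's rule, not Infrahub's documented one):
    permissions naming the exact action outrank `any`; within the winning
    group a single deny wins; no applicable permission at all means denied.
    """
    applicable = [p for p in perms if p.applies(kind, action, default_branch)]
    if not applicable:
        return False
    specific = [p for p in applicable if p.action == action] or applicable
    return all(p.decision != "deny" for p in specific)


def role(*identifiers: str):
    return [ObjectPermission.from_identifier(i) for i in identifiers]


# Object permissions of the roles documented on the page.
ANONYMOUS = role("object:*:*:any:deny", "object:*:*:view:allow_all")
GENERAL_ACCESS = role("object:*:*:view:allow_all", "object:*:*:any:allow_other")
# Constructed role: General Access plus the page's BuiltinTag update deny.
TAG_LOCKED = GENERAL_ACCESS + role("object:Builtin:Tag:update:deny")

if __name__ == "__main__":
    for name, perms in (("anonymous", ANONYMOUS), ("general", GENERAL_ACCESS), ("tag_locked", TAG_LOCKED)):
        for action in ("view", "create", "update"):
            for default in (True, False):
                print(name, action, "default" if default else "other",
                      is_allowed(perms, "Builtin:Tag", action, default))
```

Running the module prints one line per role, action and branch type; the anonymous role only ever answers `True` for `view`, which matches the note that unauthenticated users never change data, and the constructed `TAG_LOCKED` role shows that a type-specific deny removes `update` on `Builtin:Tag` even on non-default branches while leaving `delete` (covered only by `any:allow_other`) untouched.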

Note: Regardless of the permissions assigned to the anonymous role, unauthenticated users can never make changes to data within Infrahub.