Permissions

This page provides detailed documentation for all available global and object permissions within Infrahub.

Info: For more detailed explanations on how to use these permissions within Infrahub, see the roles and permissions topic.

Global permissions

Below are the eight global permissions possible in Infrahub:

| Identifier | Action | Decision |
|---|---|---|
| global:edit_default_branch:allow_all | edit_default_branch | Allow |
| global:manage_accounts:allow_all | manage_accounts | Allow |
| global:manage_permissions:allow_all | manage_permissions | Allow |
| global:manage_repositories:allow_all | manage_repositories | Allow |
| global:merge_branch:allow_all | merge_branch | Allow |
| global:merge_proposed_change:allow_all | merge_proposed_change | Allow |
| global:manage_schema:allow_all | manage_schema | Allow |
| global:super_admin:allow_all | super_admin | Allow |

Attributes

  • Identifier: A unique string that identifies the permission, computed by the backend based on the Action and Decision.
  • Action: The action that the permission permits, such as edit_default_branch or manage_accounts.
  • Decision: Indicates if the action is permitted or prohibited:
    • Allow: Grants permission for the action.
    • Deny: Denies permission for the action.
  • Roles: These are the roles that make use of this permission.

Object permissions

Object permissions can be applied to different types of objects and across different branches.

| Identifier | Object Type | Action | Decision | Description |
|---|---|---|---|---|
| object:*:*:create:allow_other | * (all types) | any | allow_other | Allows creating any object, but only on non-default branches. |
| object:*:*:view:allow_all | * (all types) | view | allow_all | Allows viewing any object, anywhere, across both default and non-default branches. |
| object:Builtin:Tag:update:deny | BuiltinTag | update | deny | Denies the ability to update any object of type BuiltinTag, across all branches. |
| object:*:Generic:view:allow_all | *Generic | view | allow_all | Allows viewing all objects that contain 'Generic' in their type (example: LocationGeneric, DeviceGeneric) in all namespaces, across all branches. |

Attributes

  • Identifier: A unique string that identifies the permission, computed by the backend based on the Action, Object Type, Branch Type, and Decision.
  • Object Type: The type of object the permission applies to (such as tag or device). Wildcards (*) can be used to apply the permission to all object types.
  • Action: The specific action allowed on the object, such as create, update, delete, or view.
  • Decision: Controls whether the action is allowed or denied, and under which branch type it applies:
    • allow_default: Allows the action on the default branch.
    • allow_other: Allows the action on branches other than the default one.
    • allow_all: Allows the action on both the default and non-default branches.
    • deny: Denies the action regardless of branch.
  • Roles: The roles that use this permission.
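
When reviewing a role, it helps to see exactly what one object permission identifier covers. The following is an added example, not Infrahub's own code: it parses the identifier format shown in the table above and applies the branch scope of each decision to a request. It assumes the second and third fields are the object type's namespace and name (as in BuiltinTag and object:Builtin:Tag), that an action of any covers every action, and it evaluates one permission at a time because this page does not describe how conflicting permissions are resolved; the function and class names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Decision -> (applies on default branch, applies on other branches), per the list above.
BRANCH_SCOPE = {
    "allow_default": (True, False),
    "allow_other": (False, True),
    "allow_all": (True, True),
}

@dataclass(frozen=True)
class ObjectPermission:
    namespace: str
    name: str
    action: str
    decision: str

def parse_object_permission(identifier: str) -> ObjectPermission:
    """Split 'object:<namespace>:<name>:<action>:<decision>' and validate the decision."""
    parts = identifier.split(":")
    if len(parts) != 5 or parts[0] != "object":
        raise ValueError(f"not an object permission identifier: {identifier!r}")
    _, namespace, name, action, decision = parts
    if decision != "deny" and decision not in BRANCH_SCOPE:
        raise ValueError(f"unknown decision {decision!r} in {identifier!r}")
    return ObjectPermission(namespace, name, action, decision)

def verdict(identifier: str, namespace: str, name: str, action: str,
            on_default_branch: bool) -> Optional[str]:
    """Return 'allow' or 'deny', or None when this one permission does not cover the request."""
    perm = parse_object_permission(identifier)
    if perm.namespace not in ("*", namespace) or perm.name not in ("*", name):
        return None
    if perm.action not in ("any", action):  # assumption: 'any' covers every action
        return None
    if perm.decision == "deny":
        return "deny"  # deny applies regardless of branch
    on_default, on_other = BRANCH_SCOPE[perm.decision]
    return "allow" if (on_default if on_default_branch else on_other) else None

if __name__ == "__main__":
    # Constructed requests checked against identifiers from the table above.
    print(verdict("object:*:*:create:allow_other", "Builtin", "Tag", "create", False))
    print(verdict("object:*:*:create:allow_other", "Builtin", "Tag", "create", True))
    print(verdict("object:Builtin:Tag:update:deny", "Builtin", "Tag", "update", True))
    print(verdict("object:*:Generic:view:allow_all", "Location", "Generic", "view", True))
```

A result of None means the permission is silent on the request, which is different from an explicit deny.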