ACL Policy Files by Example

Our Customer Success Management team often gets requests for templates or examples of ACL policies that meet very common needs.  Determining required elements can be hard.  The syntax is finicky enough that it can be easy to make mistakes that are hard to see.  Consequently, we have some useful snippets that would help most new users accomplish 90% of what they’ll likely need.

If this is your first time making an ACL policy, first read our article on creating ACL policies in Rundeck Enterprise.

Access to a Project (System Context)

Read Access

In most cases, the first thing you need to do in a policy is provide access to one or more projects.  This first snippet provides read access to “ProjectY” for any users who belong to “LDAP_Group_X.”  In effect, this doesn’t do very much by itself, but it is necessary to give someone project access, regardless of what they will be doing inside the project.

---
description: System-level read access to specific project
context:
  application: rundeck
for:
  project:
  - equals:
      name: ProjectY
    allow: read
by:
  group: LDAP_Group_X
---

Access to Key Storage (System Context)

Read Access

This is an element that is easily overlooked but is almost always necessary for a user who is going to run any jobs.  Those jobs will probably need to access nodes, and accessing nodes almost always relies on private keys or passwords stored in Rundeck’s key storage, which means you need this permission in some policy somewhere.

---
description: System-level read-only access to key storage
context:
  application: rundeck
for:
  storage:
  - allow: read
by:
  group: LDAP_Group_X
---

Access to Nodes (Project Context)

Read access

This element is required, along with both the system context sections above, for anyone who will be browsing nodes or running jobs.  The first section here provides generic access to nodes while the second section provides access to all individual nodes.

---
description: Allow [read] access for (All) nodes generically
context:
  project: ProjectY
for:
  resource:
  - equals:
      kind: node
    allow: read
by:
  group: LDAP_Group_X
---
description: Allow [read, run] for all project nodes
context:
  project: ProjectY
for:
  node:
  - allow: [read,run]
by:
  group: LDAP_Group_X
---

Access to Jobs (Project Context)

Read and run

This is probably the most common case.  This snippet provides access for users in “LDAP_Group_X” to view or run any jobs in “ProjectY.”  Note that we aren’t providing the ability to create or edit jobs here, so you could think of this as a “Job Runner” profile.

---
description: Project-level access view or run all jobs
context:
  project: ProjectY
for:
  job:
  - allow: [read,run]
by:
  group: LDAP_Group_X
---

Access to Jobs (Project Context)

Create, edit, run and delete access

This is also a common request.  Obviously, someone needs to be able to create, edit and delete the jobs your team will be using.

---
description: Project-level Access to Create and Delete Jobs
context:
  project: ProjectY
for:
  resource:
  - equals:
      kind: job
    allow: '*'
by:
  group: LDAP_Group_X
---
description: Allow [read,view,update,run,create] for job
context:
  project: ProjectY
for:
  job:
  - allow: [read,view,update,run,create]
by:
  group: LDAP_Group_X
---

Access to Jobs in a Specific Group (Project Context)

Read and run access

This snippet provides access for users in LDAP_Group_X to run jobs in a specific “job group” (jobGroupC, in this case) within ProjectC.

---
description: Project-level access to a specific job group
context:
  project: ProjectY
for:
  job:
  - equals:
      group: JobGroupC
    allow: [read,run]
by:
  group: LDAP_Group_X
---

Access to Nodes by Nodename (Project Context)

Read and run

This snippet provides access to nodes in a particular project based on their names matching a specific pattern.

---
description: "[read,run] on nodes where name starts Training3"
context:
  project: ProjectY
for:
  node:
  - match:
      nodename: Training3.*
    allow: [read,run]
by:
  group: LDAP_Group_X
---

Access to Nodes by Tag (Project Context)

Read and run

This snippet provides access to nodes in a particular project based on the tags on those nodes.

---
description: Allow [read,run] for nodes tagged with "tag-a"
context:
  project: ProjectY
for:
  node:
  - contains:
      tags: tag-a
    allow: [read,run]
by:
  group: LDAP_Group_X
---
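Because the syntax is finicky enough that mistakes are hard to see, here is an added structural lint for the snippets above (example code, not part of Rundeck or of this page). It assumes PyYAML for parsing a multi-document policy file, and it only knows the resource types, matchers and actions used on this page, so a real policy may use values it does not recognise.

```python
try:
    import yaml  # PyYAML, assumed installed; only lint_text() needs it
except ImportError:  # lint_policy() still works on already-parsed documents
    yaml = None

SYSTEM_TYPES = {"project", "storage"}        # valid under "context: application"
PROJECT_TYPES = {"resource", "node", "job"}  # valid under "context: project"
ACTIONS = {"read", "view", "run", "create", "update", "delete", "*"}  # actions used above
MATCHERS = {"equals", "match", "contains"}   # rule matchers used above

def lint_policy(doc):
    """Return a list of problems in one parsed policy document (empty list = OK)."""
    problems = []
    for key in ("description", "context", "for", "by"):
        if key not in doc:
            problems.append(f"missing top-level key '{key}'")
    ctx = doc.get("context") or {}
    if set(ctx) == {"application"}:
        allowed = SYSTEM_TYPES
    elif set(ctx) == {"project"}:
        allowed = PROJECT_TYPES
    else:
        problems.append("context must have exactly one key: application or project")
        allowed = SYSTEM_TYPES | PROJECT_TYPES
    for rtype, rules in (doc.get("for") or {}).items():
        if rtype not in allowed:
            problems.append(f"'{rtype}' is not valid in a {'/'.join(ctx)} context")
        for rule in rules or []:
            if not isinstance(rule, dict) or not ({"allow", "deny"} & set(rule)):
                problems.append(f"{rtype} rule has no allow/deny")
                continue
            for key, value in rule.items():
                if key in ("allow", "deny"):
                    for action in (value if isinstance(value, list) else [value]):
                        if action not in ACTIONS:
                            problems.append(f"unknown action '{action}' in {rtype} rule")
                elif key not in MATCHERS:
                    problems.append(f"unknown rule key '{key}' in {rtype} rule")
    if not ({"group", "username"} & set(doc.get("by") or {})):
        problems.append("'by' must name a group or username")
    return problems

def lint_text(text):
    """Lint every document of a multi-document policy file: {description: problems}."""
    return {str(d.get("description")): lint_policy(d)
            for d in yaml.safe_load_all(text) if d}
```

Run `lint_text()` over the contents of an `.aclpolicy` file; an empty list for every description means the file passes these structural checks.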