ACL Policy Files by Example
Our Customer Success Management team often gets requests for templates or examples of ACL policies that meet very common needs. Working out which elements a policy requires can be hard, and the syntax is finicky enough that it is easy to make mistakes that are hard to spot. So here are some useful snippets that will help most new users accomplish 90% of what they’re likely to need.
If this is your first time making an ACL policy, first read our article on creating ACL policies in Rundeck Enterprise.
Access to a Project (System Context)
Read Access
In most cases, the first thing you need to do in a policy is provide access to one or more projects. This first snippet provides read access to “ProjectY” for any user who belongs to “LDAP_Group_X.” By itself this doesn’t grant much, but it is required before a user can do anything inside the project, regardless of what they will be doing there.
---
description: System-level read access to specific project
context:
  application: rundeck
for:
  project:
    - equals:
        name: ProjectY
      allow: read
by:
  group: LDAP_Group_X
---
Access to Key Storage (System Context)
Read Access
This element is easily overlooked but is almost always necessary for a user who is going to run any jobs: those jobs will probably need to access nodes, and accessing nodes almost always relies on private keys or passwords stored in Rundeck’s key storage. That means this permission has to be granted in some policy somewhere.
---
description: System-level read-only access to key storage
context:
  application: rundeck
for:
  storage:
    - allow: read
by:
  group: LDAP_Group_X
---
Access to Nodes (Project Context)
Read access
This element is required, along with both of the system-context sections above, for anyone who will be browsing nodes or running jobs. The first policy grants generic read access to the node resource kind, while the second grants read and run access on every individual node in the project.
---
description: Allow [read] access for (All) nodes generically
context:
  project: ProjectY
for:
  resource:
    - equals:
        kind: node
      allow: read
by:
  group: LDAP_Group_X
---
description: Allow [read, run] for all project nodes
context:
  project: ProjectY
for:
  node:
    - allow: [read,run]
by:
  group: LDAP_Group_X
---
Access to Jobs (Project Context)
Read and run
This is probably the most common case. This snippet allows users in “LDAP_Group_X” to view or run any job in “ProjectY.” Note that it does not grant the ability to create or edit jobs, so you can think of this as a “Job Runner” profile.
---
description: Project-level access view or run all jobs
context:
  project: ProjectY
for:
  job:
    - allow: [read,run]
by:
  group: LDAP_Group_X
---
Access to Jobs (Project Context)
Create, edit, run and delete access
This is also a common request. Obviously, someone needs to be able to create, edit and delete the jobs your team will be using. The first policy grants every action ('*') at the job resource-kind level, which covers creating and deleting jobs; the second grants read, view, update, run and create on each individual job.
---
description: Project-level Access to Create and Delete Jobs
context:
  project: ProjectY
for:
  resource:
    - equals:
        kind: job
      allow: '*'
by:
  group: LDAP_Group_X
---
description: Allow [read, view, update, run, create] for job
context:
  project: ProjectY
for:
  job:
    - allow: [read,view,update,run,create]
by:
  group: LDAP_Group_X
---
Access to Jobs in a Specific Group (Project Context)
Read and run access
This snippet allows users in LDAP_Group_X to view and run jobs in a specific “job group” (JobGroupC, in this case) within ProjectY.
---
description: Project-level access to a specific job group
context:
  project: ProjectY
for:
  job:
    - equals:
        group: JobGroupC
      allow: [read,run]
by:
  group: LDAP_Group_X
---
Access to Nodes by Nodename (Project Context)
Read and run
This snippet provides access to nodes in a particular project whose names match a regular expression (here, any nodename starting with Training3).
---
description: [read, run] on nodes where name starts Training3
context:
  project: ProjectY
for:
  node:
    - match:
        nodename: Training3.*
      allow: [read,run]
by:
  group: LDAP_Group_X
---
Access to Nodes by Tag (Project Context)
Read and run
This snippet provides access to nodes in a particular project based on the tags set on those nodes.
---
description: Allow [read, run] for nodes tagged with "tag-a"
context:
  project: ProjectY
for:
  node:
    - contains:
        tags: tag-a
      allow: [read,run]
by:
  group: LDAP_Group_X
---
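To check what a policy set actually grants before deploying it, the following added example (not Rundeck's own code) evaluates requests against the equals, match and contains rule types used in the snippets above. Several of the page's snippets are expressed here as Python dicts so that no YAML library is needed; it also honours a deny clause, which Rundeck supports but none of the snippets above use.

```python
import re

# Constructed for this example: a subset of the page's policies as dicts
# (context / for / by), mirroring the YAML structure of the snippets.
POLICIES = [
    {"context": {"application": "rundeck"},
     "for": {"project": [{"equals": {"name": "ProjectY"}, "allow": "read"}]},
     "by": {"group": "LDAP_Group_X"}},
    {"context": {"project": "ProjectY"},
     "for": {"job": [{"equals": {"group": "JobGroupC"}, "allow": ["read", "run"]}]},
     "by": {"group": "LDAP_Group_X"}},
    {"context": {"project": "ProjectY"},
     "for": {"node": [{"match": {"nodename": "Training3.*"}, "allow": ["read", "run"]},
                      {"contains": {"tags": "tag-a"}, "allow": ["read", "run"]}]},
     "by": {"group": "LDAP_Group_X"}},
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _rule_matches(rule, resource):
    """True when every equals / match (regex) / contains clause fits the resource."""
    for key, expected in rule.get("equals", {}).items():
        if resource.get(key) != expected:
            return False
    for key, pattern in rule.get("match", {}).items():
        if not re.fullmatch(pattern, str(resource.get(key, ""))):
            return False
    for key, needed in rule.get("contains", {}).items():
        if not set(_as_list(needed)) <= set(_as_list(resource.get(key, []))):
            return False
    return True  # a rule with no clauses (e.g. "- allow: read") matches everything

def is_allowed(policies, group, context, res_type, resource, action):
    """Evaluate like Rundeck: an explicit deny beats any allow; otherwise the
    action must be allowed by at least one matching rule ('*' allows all)."""
    allowed = False
    for pol in policies:
        if pol["context"] != context or group not in _as_list(pol["by"].get("group")):
            continue
        for rule in pol["for"].get(res_type, []):
            if not _rule_matches(rule, resource):
                continue
            denied = _as_list(rule.get("deny", []))
            if action in denied or "*" in denied:
                return False
            granted = _as_list(rule.get("allow", []))
            if action in granted or "*" in granted:
                allowed = True
    return allowed
```

A request is a (group, context, resource type, resource attributes, action) tuple, so you can table-test a draft policy file against the nodes and jobs it is meant to cover.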