Muhammad Atif Ali
419eba5fb6
Closes #13434 Supersedes #14182 --------- Co-authored-by: Ethan <39577870+ethanndickson@users.noreply.github.com> Co-authored-by: Ethan Dickson <ethan@coder.com> Co-authored-by: Ben Potter <ben@coder.com> Co-authored-by: Stephen Kirby <58410745+stirby@users.noreply.github.com> Co-authored-by: Stephen Kirby <me@skirby.dev> Co-authored-by: EdwardAngert <17991901+EdwardAngert@users.noreply.github.com> Co-authored-by: Edward Angert <EdwardAngert@users.noreply.github.com>
2.4 KiB
Groups and Roles
Groups and roles can be manually assigned in Coder. For production deployments, these can also be managed and synced by the identity provider.
Groups
Groups are logical segmentations of users in Coder and can be used to control which templates developers can use. For example:
- Users within the
devopsgroup can access theAWS-VMtemplate - Users within the
data-sciencegroup can access theJupyter-Kubernetestemplate
Roles
Roles determine which actions users can take within the platform.
| Auditor | User Admin | Template Admin | Owner | |
|---|---|---|---|---|
| Add and remove Users | ✅ | ✅ | ||
| Manage groups (enterprise) (premium) | ✅ | ✅ | ||
| Change User roles | ✅ | |||
| Manage ALL Templates | ✅ | ✅ | ||
| View ALL Workspaces | ✅ | ✅ | ||
| Update and delete ALL Workspaces | ✅ | |||
| Run external provisioners | ✅ | ✅ | ||
| Execute and use ALL Workspaces | ✅ | |||
| View all user operation Audit Logs | ✅ | ✅ |
A user may have one or more roles. All users have an implicit Member role that may use personal workspaces.
Security notes
A malicious Template Admin could write a template that executes commands on the
host (or coder server container), which potentially escalates their privileges
or shuts down the Coder server. To avoid this, run
external provisioners.
In low-trust environments, we do not recommend giving users direct access to edit templates. Instead, use CI/CD pipelines to update templates with proper security scans and code reviews in place.