Set up RBAC
Role-based access control (RBAC) lets you restrict access to specific functionality based on a user's role. In HCP Waypoint, RBAC allows platform engineers to manage templates and add-ons, and allows developers to use them to create applications and install add-ons.
HCP roles and permissions
HCP Waypoint maps permissions to the admin, contributor, and viewer HCP roles. The permissions related to templates and add-ons in HCP Waypoint map to the three HCP roles as follows:
Permission | Admin | Contributor | Viewer |
---|---|---|---|
Create template | ✅ | ❌ | ❌ |
Create application from template | ✅ | ✅ | ❌ |
View list of applications | ✅ | ✅ | ✅ |
Create add-on definition | ✅ | ❌ | ❌ |
Install add-on to application | ✅ | ✅ | ❌ |
View list of add-ons | ✅ | ✅ | ✅ |
Based on the permissions associated with each role, we recommend that you assign platform engineers the admin role and application developers the contributor role.
In general, developers can use templates and add-ons but cannot create, edit, or delete the underlying definitions, while platform engineers can modify the underlying definitions.
Assign roles to users
Open HCP and log in with an account that has the admin role.
Navigate to the Organizations page and click on the organization where you would like to manage users.
Click on the Access control (IAM) option from the left navigation to open the Users page.
The Users page lists all of the users with access to this organization, their email address, role, and method of authentication.
Click on the Invite user button.
Enter the email address of the user and click the + Add button.
Select the role that you want to assign the user. Refer to the chart of HCP role to Waypoint permission mappings above. Then, click the Invite button to complete the process.
Note
Setting the role at the organization level applies the associated permissions to any other active HCP services in the organization. To limit the number of permissions a user is granted, you can assign a project-level role. Refer to the Set up your user role section for instructions.
HCP Waypoint will redirect you back to the Users page and display a message that lets you know that you can review pending invites on the Pending invites page.
Click on the Pending invites option from the left navigation and note that the invitation to the user contains the assigned role.
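The permission table and the note on organization-level versus project-level roles above can be combined into a least-privilege review of role assignments. The Python below is an added example, not HashiCorp code: the permission identifiers, the assignment record layout, and the sample users are assumptions constructed for illustration and do not represent an HCP API or export format.

```python
# Permission matrix transcribed from the table on this page.
# The snake_case permission names are labels chosen for this example.
ROLE_PERMISSIONS = {
    "viewer": {"view_applications", "view_addons"},
    "contributor": {"view_applications", "view_addons",
                    "create_application", "install_addon"},
    "admin": {"view_applications", "view_addons", "create_application",
              "install_addon", "create_template", "create_addon_definition"},
}
ROLE_ORDER = ["viewer", "contributor", "admin"]  # least to most privileged


def minimal_role(needed):
    """Return the least-privileged role that covers every needed permission."""
    for role in ROLE_ORDER:
        if set(needed) <= ROLE_PERMISSIONS[role]:
            return role
    unknown = sorted(set(needed) - ROLE_PERMISSIONS["admin"])
    raise ValueError(f"no role grants: {unknown}")


def audit(assignments):
    """Flag over-privileged, under-privileged and org-scoped assignments."""
    findings = []
    for a in assignments:
        want, have = minimal_role(a["needs"]), a["role"]
        if ROLE_ORDER.index(have) > ROLE_ORDER.index(want):
            extra = sorted(ROLE_PERMISSIONS[have] - ROLE_PERMISSIONS[want])
            findings.append((a["user"], "over-privileged",
                             f"{have} -> {want}; drops {extra}"))
        elif ROLE_ORDER.index(have) < ROLE_ORDER.index(want):
            findings.append((a["user"], "under-privileged", f"{have} -> {want}"))
        if a["scope"] == "organization":
            findings.append((a["user"], "org-scoped",
                             "role also applies to other HCP services"))
    return findings


# Constructed sample data: hypothetical users and record layout.
SAMPLE = [
    {"user": "pe@example.com", "role": "admin", "scope": "project",
     "needs": ["create_template", "create_addon_definition"]},
    {"user": "dev@example.com", "role": "admin", "scope": "organization",
     "needs": ["create_application", "install_addon"]},
    {"user": "auditor@example.com", "role": "viewer", "scope": "project",
     "needs": ["view_applications", "install_addon"]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

Each over-privileged finding lists the permissions that the lower role would remove, which corresponds to what the Role summary section shows when you edit a user's role.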
Edit user roles
Navigate back to the Users page and click on the user whose role you want to update.
Select the new role that you want to assign to the user. Note that the Role summary section on the right updates to let you know what permissions will be added or removed by assigning the new role. Click the Save button to complete the process.
Set up your user role
To follow along with these tutorials, your user needs to have the admin role assigned to it at either the organization or project level. You will now update your user with a project-scoped admin role.
Navigate to the Organizations page in HCP, click on your organization's name, then click on Projects from the left navigation, and click on your project's name from the list. From the project page, click on the Access control (IAM) option, then click the three dots button to the right of your user in the list, and click on the Edit user button.
On the user page, assign the Project Admin role from the dropdown. Click the Save button.
Next steps
In this tutorial, you learned about RBAC in HCP Waypoint and how to assign user roles in HCP.
Continue on to the next tutorial to learn how to create a Waypoint template.