Roles and Permissions
Roles and Permissions in the Earthmover platform are under active development. Expect this section to evolve rapidly.
The Earthmover platform uses a role-based access control (RBAC) system to determine which users have access to which resources and actions. This page describes the general concepts used in the platform. For a hands-on guide to setting roles and permissions, see managing users and access controls.
Organizations
All principals and roles are scoped to an organization (org). There are no cross-organization entities or roles. If a user needs to access data in multiple organizations, they must be explicitly added to each.
Principals
Identities in the Earthmover platform are called principals. A principal is one of two types:
- Users - Actual human users. Each user is associated with an email address.
- API Keys - API keys are intended for non-human "service accounts", suitable for use in automated data processing jobs, dashboards, or other machine-to-machine connections.
Roles
Every principal can have one or more roles within an organization.
- Member - An organization member can log in to the platform but can't actually do anything. This role is currently a placeholder.
- Repo Reader - A repo reader has read-only access to repos. They can view and list repos from the web and CLI and access repo data via Python. They cannot create or delete repos, or configure repo settings.
- Repo Writer - A repo writer can perform all Repo Reader actions, and can also write to repos, create repos, delete repos, and modify repo configuration.
- Admin - An organization admin can perform all Repo Writer actions, and can also manage the organization (add and remove users and API keys, configure buckets, start and stop flux services, etc.).
Repo-scoped roles are coming soon!
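The model above, written out as an added example (this is not Earthmover code or its API): a deny-by-default check that enforces organization scoping and cumulative roles, plus a helper that picks the least privileged role for a set of needed actions, which is useful when deciding what to grant an API key. The action labels, class names and function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical action labels for the capabilities each role is described as having.
READ = frozenset({"repo:list", "repo:read"})
WRITE = READ | {"repo:write", "repo:create", "repo:delete", "repo:configure"}
ROLE_ACTIONS = {  # ordered from least to most privileged
    "member": frozenset(),  # placeholder role: can log in, nothing else
    "repo_reader": READ,
    "repo_writer": WRITE,
    "admin": WRITE | {"org:manage"},
}

@dataclass(frozen=True)
class Principal:
    org: str   # every principal is scoped to exactly one organization
    kind: str  # "user" or "api_key"
    name: str  # email address for users, label for API keys

class AccessModel:
    def __init__(self):
        self._grants = {}  # Principal -> set of role names

    def grant(self, principal, role):
        if role not in ROLE_ACTIONS:
            raise ValueError(f"unknown role: {role}")
        self._grants.setdefault(principal, set()).add(role)

    def effective_actions(self, principal):
        # A principal with several roles gets the union of their actions.
        roles = self._grants.get(principal, set())
        return frozenset().union(*(ROLE_ACTIONS[r] for r in roles))

    def is_allowed(self, principal, action, resource_org):
        # Deny by default: no cross-organization access, no implicit grants.
        if principal.org != resource_org:
            return False
        return action in self.effective_actions(principal)

def least_role_for(needed):
    """Return the least privileged role covering `needed`, or None."""
    for role, actions in ROLE_ACTIONS.items():
        if set(needed) <= actions:
            return role
    return None

def build_sample():
    # Constructed sample data: one user in org-a and one ingest API key.
    model = AccessModel()
    model.grant(Principal("org-a", "user", "alice@example.com"), "repo_reader")
    model.grant(Principal("org-a", "api_key", "ingest-job"), "repo_writer")
    return model
```

The same email address in a second organization is a separate principal with no roles until it is explicitly granted one there.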