OpenTofu Foundations - A FREE Weekly Workshop to Build your IaC Skills - LIMITED AVAILABILITY Authorization
This documentation provides an overview of the roles within Massdriver and the corresponding permissions for each role regarding GraphQL operations.
Roles
Organization Viewer
All organization members are granted the organization viewer role, allowing them to:
| permission | description |
|---|---|
| acceptGroupInvitation | can accept org group invite |
| applicationBundleTemplates | ? |
| artifactDefinition | can view artifact type |
| artifactDefinitions | ? |
| artifact | can view metadata of artifact |
| artifacts | can view list of artifacts |
| cloudDnsZones | can view dns zones |
| cloud | ? |
| compareEnvironments | can compare project environments ?(shouldn't this be in project-viewer?) |
| containerRepositories | ? we don't have this feature, remove? |
| containerRepository | ^ |
| createApplicationBundle | can create an application bundle from template |
| defaultableEnvironmentConnectionGroups | ? |
| dnsZones | ? diff than cloudDnsZones? |
| environment | ? |
| filterArtifactsByType | can filter artifacts by artifact type |
| group | can view group details |
| groups | can view list of groups |
| importableResources | ? import feature gone? |
| instanceTypes | ? |
| manifest | ? should be in project-viewer? |
| metricTimeSeries | ? |
| organization | can view organization details |
| package | ? should be in project-viewer? |
| project | can view authorized project |
| projects | can list authorized projects |
| serviceAccounts | can view list of service accounts |
Organization Admin
In addition to the organization viewer permissions, organization admin can perform:
| permission | description |
|---|---|
| addServiceAccountToGroup | can add service account to a group |
| artifactDefinition | ? diff than org-viewer? |
| auditLogs | can access audit logs |
| billingSubscription | can access billing |
| bundle | ? |
| connectDnsZone | can connect a cloud DNS zone |
| createArtifact | can create an artifact |
| createDnsZone | can create a cloud DNS zone |
| createGroupInvitation | can invite user to organization |
| createGroup | can create a group |
| createManifest | can create a bundle manifest |
| createSubscriptionManagementSession | ? |
| deactivateServiceAccount | can deactivate a service account |
| deleteArtifact | can delete an artifact |
| deleteBundle | can delete a bundle |
| deleteGroupInvitation | can delete a invitation to the organization |
| deleteGroupMembership | can remove a user from a group |
| deleteGroup | can delete a group |
| deleteOrganizationMember | can remote a user from the organization |
| deleteServiceAccount | can delete a service account |
| disconnectDnsZone | can disconnect a cloud DNS zone from Massdriver |
| grantGroupAccess | can add user to a group |
| publishArtifactDefinition | can publish a artifact definition |
| publishBundle | can publish a bundle |
| reactivateServiceAccount | can reactivate a service account |
| removeServiceAccountFromGroup | can remove a service account from a group |
| updateGroup | can edit group name and description |
Project Viewer
Project viewer roles allow views on specific project-related GraphQL operations:
| permission | description |
|---|---|
| compareDeployments | can compare bundle deployment history |
| deployPreviewEnvironment | can deploy a preview environment using Mass CLI |
| deployment | can view deployment details |
| deployments | can view deployment history |
| environment | can view environment |
| getPackageByNamingConvention | can view package name |
| importResources | ? should be removed? |
| importableResources | ? should be removed? |
| instanceTypes | can view available bundle instance types |
| manifest | can view manifest details |
| metricTimeSeries | ? |
| package | can view package details |
| watchMetric | can view monitoring details |
Project Admin
In addition to the project viewer permissions, a project admin can:
| permission | description |
|---|---|
| assignRemoteReference | can assign a remote reference |
| configurePackage | can change package configuration |
| createEnvironmentConnection | ? |
| createEnvironment | can create an environment |
| createImportableManifest | ? delete? |
| createManifest | can create a manifest |
| createProject | can create a project |
| createServiceAccount | can create a service account |
| createWatchedMetricPackageAlarm | can create a new watched metric package alarm |
| decommissionPackage | can decommission a package |
| decommissionPreviewEnvironment | can decommission a preview environment ?(should be doable by project viewer if they can deploy?) |
| deleteEnvironmentConnection | ? |
| deleteEnvironment | can delete environment |
| deleteManifest | can delete manifest |
| deleteProject | can delete project |
| deleteWatchedMetricPackageAlarm | can delete watched metric package alarm |
| deployPackage | can deploy a package |
| disconnectImportedResources | ? delete? |
| downloadArtifact | can download an artifact |
| linkManifests | can create bundle connection |
| setDefaultSecretForPreviewEnvironments | can set default secret for preview environments |
| setManifestPosition | can set manifest position on the graph |
| setPackageSecret | can set a package secret |
| unsetDefaultSecretForPreviewEnvironments | can unset default secret for preview environments |
| unsetPackageSecret | can unset a package secret |
| unlinkManifests | can delete bundle connection |
| unsetRemoteReference | can unassign a remote reference |
| unwatchMetric | can unwatch a bundle metric |
| updateArtifact | can update artifact name/description |
| updateEnvironment | can update environment name/description |
| updateManifest | can update manifest name/description |
| updateProject | can update project name/description |
| watchMetricAndCreatePackageAlarm | can watch a bundle metric and create a package alarm |
| createWatchedMetricPackageAlarm | can create a watched metric package alarm |
Authorization Rule Details
All resources in Massdriver roll up to either an organizational or project boundary. Specific permissions on GraphQL operations are contingent on the boundary and role of the user in relation to that boundary.