---
project:
  name: Default roles
  description: |
    This project contains some default roles for different identities and use cases.

    Provided roles:

    * User: A role which allows basic access to the UI.
    * Developer
    * Operator
    * Admin
    * Webhook
    * Schedule
    * Git Sync
    * Sync Config
  version: '1'
  project_id_project:
    name: Default roles
  role_plain_list_project_id:
    - name: User
      description: |
        A user role which allows basic access to the UI.
      role_permission_plain_list_role_id:
        - table_type: ORGANIZATION
          operation: READ
        - table_type: WORKSPACE
          operation: READ
        - table_type: PROJECT
          project_id_project:
            name: Default project
          operation: READ
        - table_type: EXECUTION
          operation: READ
        - table_type: GIT_CONFIG
          operation: READ
        - table_type: SCHEDULE
          operation: READ
        - table_type: SYNC_CONFIG
          operation: READ
        - table_type: USER
          operation: READ
        - table_type: WEBHOOK
          operation: READ
        - table_type: WORKSPACE
          operation: READ
    - name: Developer
      description: |
        A role for developers. It allows creating executions, flows and other
        resources needed to effectively develop an automation. It does not allow
        creating connectors or other resources which grant access to cloudomation.
      role_permission_plain_list_role_id:
        - table_type: CONNECTOR
        - table_type: FILE
        - table_type: FLOW
        # - table_type: GIT_CONFIG
        # - table_type: IDENTITY
        # - table_type: OAUTH
        - table_type: ORGANIZATION
          operation: READ
        - table_type: PLUGIN
          operation: READ
        - table_type: PROJECT
          operation: READ
        # - table_type: RESOURCE
        - table_type: ROLE
          operation: READ
        - table_type: SCHEDULE
          operation: READ
        - table_type: SCHEDULER
        - table_type: SCHEMA
        - table_type: SEARCH
        - table_type: SETTING
        # - table_type: SYNC_CONFIG
        # - table_type: USER
        # - table_type: VAULT_CONFIG
        # - table_type: WEBHOOK
        - table_type: WORKSPACE
          operation: READ
        - table_type: WRAPPER
        - table_type: RESOURCE_WRAPPER
        - table_type: EXECUTION
        - table_type: MESSAGE
        # - table_type: PROCESS
    - name: Operator
      description: |
        A role for operators. It grants permission to create resources and
        identities which grant access to cloudomation, like sync configs,
        webhooks and git configs.
      role_permission_plain_list_role_id:
        - table_type: CONNECTOR
          operation: READ
        - table_type: FILE
          operation: READ
        - table_type: FLOW
          operation: READ
        - table_type: GIT_CONFIG
          operation: UPDATE
        # - table_type: IDENTITY
        # - table_type: OAUTH
        - table_type: ORGANIZATION
          operation: READ
        - table_type: PLUGIN
          operation: READ
        - table_type: PROJECT
          operation: READ
        # - table_type: RESOURCE
        - table_type: ROLE
          operation: READ
        - table_type: SCHEDULE
        - table_type: SCHEDULER
          operation: READ
        - table_type: SCHEMA
          operation: READ
        - table_type: SEARCH
        - table_type: SETTING
          operation: READ
        - table_type: SYNC_CONFIG
          operation: UPDATE
        # - table_type: USER
        # - table_type: VAULT_CONFIG
        # - table_type: WEBHOOK
        - table_type: WORKSPACE
          operation: READ
        - table_type: WRAPPER
        - table_type: RESOURCE_WRAPPER
        - table_type: EXECUTION
        - table_type: MESSAGE
        # - table_type: PROCESS
    - name: Admin
      description: |
        A role for admins. It allows access to everything. It is recommended to
        assign this role sparingly and instead use roles with narrower sets of
        permissions where possible.
      role_permission_plain_list_role_id:
        - {}
    - name: Webhook
      description: |
        A role which every webhook needs. This role is intended to be mapped to
        a webhook with the flag `propagate=False`. Executions created by that
        webhook will thus not have this role. Any roles intended for created
        executions should be given to the webhook with `propagate=True`.
        Permissions are not restricted to a specific project.
      role_permission_plain_list_role_id:
        - table_type: WEBHOOK
          operation: READ
        - table_type: FLOW
          operation: READ
        - table_type: EXECUTION
    - name: Schedule
      description: |
        A role which every schedule needs. This role is intended to be mapped to
        a schedule with the flag `propagate=False`. Executions created by that
        schedule will thus not have this role. Any roles intended for created
        executions should be given to the schedule with `propagate=True`.
        Permissions are not restricted to a specific project.
      role_permission_plain_list_role_id:
        - table_type: SCHEDULE
          operation: UPDATE
        - table_type: FLOW
          operation: READ
        - table_type: SCHEDULER
          operation: READ
        - table_type: EXECUTION
        - table_type: SETTING
          operation: READ
        - table_type: SETTING
          operation: UPDATE
    - name: Git Sync
      description: |
        Since it is possible to synchronize nearly everything via import files,
        this role allows creating nearly everything. Only a few resources are
        not allowed, like Users and Executions. When assigning this role to an
        identity, make sure to set `propagate=False`; otherwise all identities
        created by that identity will have nearly unrestricted access to your
        system.
      role_permission_plain_list_role_id:
        - table_type: CONNECTOR
        - table_type: FILE
        - table_type: FLOW
        - table_type: GIT_CONFIG
        # - table_type: IDENTITY
        - table_type: OAUTH
        # - table_type: ORGANIZATION
        - table_type: PLUGIN
        - table_type: PROJECT
        # - table_type: RESOURCE
        - table_type: ROLE
        - table_type: SCHEDULE
        - table_type: SCHEDULER
        - table_type: SCHEMA
        - table_type: SEARCH
        - table_type: SETTING
        - table_type: SYNC_CONFIG
        # - table_type: USER
        - table_type: VAULT_CONFIG
        - table_type: WEBHOOK
        # - table_type: WORKSPACE
        - table_type: WRAPPER
        - table_type: RESOURCE_WRAPPER
        # - table_type: EXECUTION
        - table_type: MESSAGE
        # - table_type: PROCESS
    - name: Sync Config
      description: |
        A role which every sync config needs. This role is intended to be mapped
        to a sync config with the flag `propagate=False`. Executions created by
        that sync config will thus not have this role. Any roles intended for
        created executions should be given to the sync config with
        `propagate=True`. Permissions are not restricted to a specific project.
      role_permission_plain_list_role_id:
        - table_type: SYNC_CONFIG
        - table_type: EXECUTION
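The role descriptions above single out three things a reviewer should check before assigning a role: which roles can modify the resources that themselves grant access to cloudomation (git configs, sync configs, webhooks), which roles are fully unrestricted (the `{}` entry of Admin), and whether a role assigned with `propagate=True` would be inherited by created executions. The script below is an added review aid, not part of the Cloudomation project; the permission lists are transcribed from the import file, and the matching rules it applies (an empty `{}` entry grants everything; an entry with a `table_type` but no `operation` grants every operation on that table; an entry with both grants only that operation) are an assumption about how the entries are evaluated, as is the assumption that `UPDATE` is the operation to look for when asking who can modify a table.

```python
"""Least-privilege review of the default-role import file (added example).

Assumed matching rules for role_permission entries (not confirmed by the file):
  {}                                -> every operation on every table
  {"table_type": T}                 -> every operation on table T
  {"table_type": T, "operation": O} -> only operation O on table T
Only READ and UPDATE appear in the file; other operation names are not assumed.
"""


def _read(*tables):
    # Entries of the form "- table_type: X / operation: READ".
    return [{"table_type": t, "operation": "READ"} for t in tables]


def _full(*tables):
    # Entries of the form "- table_type: X" with no operation key.
    return [{"table_type": t} for t in tables]


# Transcribed from the import file; commented-out entries are omitted.
ROLES = {
    "User": _read("ORGANIZATION", "WORKSPACE", "PROJECT", "EXECUTION", "GIT_CONFIG",
                  "SCHEDULE", "SYNC_CONFIG", "USER", "WEBHOOK"),
    "Developer": _full("CONNECTOR", "FILE", "FLOW", "SCHEDULER", "SCHEMA", "SEARCH",
                       "SETTING", "WRAPPER", "RESOURCE_WRAPPER", "EXECUTION", "MESSAGE")
                 + _read("ORGANIZATION", "PLUGIN", "PROJECT", "ROLE", "SCHEDULE", "WORKSPACE"),
    "Operator": _read("CONNECTOR", "FILE", "FLOW", "ORGANIZATION", "PLUGIN", "PROJECT",
                      "ROLE", "SCHEDULER", "SCHEMA", "SETTING", "WORKSPACE")
                + [{"table_type": "GIT_CONFIG", "operation": "UPDATE"},
                   {"table_type": "SYNC_CONFIG", "operation": "UPDATE"}]
                + _full("SCHEDULE", "SEARCH", "WRAPPER", "RESOURCE_WRAPPER", "EXECUTION", "MESSAGE"),
    "Admin": [{}],
    "Webhook": _read("WEBHOOK", "FLOW") + _full("EXECUTION"),
    "Schedule": [{"table_type": "SCHEDULE", "operation": "UPDATE"}]
                + _read("FLOW", "SCHEDULER", "SETTING") + _full("EXECUTION")
                + [{"table_type": "SETTING", "operation": "UPDATE"}],
    "Git Sync": _full("CONNECTOR", "FILE", "FLOW", "GIT_CONFIG", "OAUTH", "PLUGIN", "PROJECT",
                      "ROLE", "SCHEDULE", "SCHEDULER", "SCHEMA", "SEARCH", "SETTING",
                      "SYNC_CONFIG", "VAULT_CONFIG", "WEBHOOK", "WRAPPER", "RESOURCE_WRAPPER",
                      "MESSAGE"),
    "Sync Config": _full("SYNC_CONFIG", "EXECUTION"),
}

# Tables the Operator description names as "granting access to cloudomation".
ACCESS_GRANTING_TABLES = ("GIT_CONFIG", "SYNC_CONFIG", "WEBHOOK")


def entry_grants(entry, table, operation):
    """Apply the assumed matching rules to a single permission entry."""
    if not entry:                      # "- {}" : unrestricted
        return True
    if entry.get("table_type") != table:
        return False
    return "operation" not in entry or entry["operation"] == operation


def role_grants(role_name, table, operation):
    return any(entry_grants(e, table, operation) for e in ROLES[role_name])


def is_unrestricted(role_name):
    """True when the role carries an empty entry, i.e. access to everything."""
    return any(not e for e in ROLES[role_name])


def audit(operation="UPDATE"):
    """Map role name -> sorted list of access-granting tables it can modify."""
    findings = {}
    for name in ROLES:
        tables = sorted(t for t in ACCESS_GRANTING_TABLES if role_grants(name, t, operation))
        if tables:
            findings[name] = tables
    return findings


def propagated_roles(assignments):
    """Given [(role_name, propagate), ...] mapped to an identity, return the
    roles that, per the descriptions, executions created by it would inherit."""
    return [name for name, propagate in assignments if propagate]


if __name__ == "__main__":
    for role, tables in audit().items():
        flag = " (UNRESTRICTED)" if is_unrestricted(role) else ""
        print(f"{role}{flag}: can modify {', '.join(tables)}")
    # A constructed assignment following the Git Sync description.
    print("inherited:", propagated_roles([("Git Sync", False), ("Developer", True)]))
```

Running it lists Operator, Admin, Git Sync and Sync Config as the roles able to modify access-granting tables, which is exactly the set the descriptions tell you to assign with care (and with `propagate=False` for Git Sync); Developer and User do not appear.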