Mastering Access Control in the Choreo Console

Viduranga Gunarathne
vlgunarathne


Effective access control is crucial for organizations to manage resources securely and efficiently. The Choreo Console offers robust features that allow administrators to define permissions, assign roles, and manage user groups seamlessly across different projects. This article provides a comprehensive guide on how to control access within the Choreo Console to ensure that the right people have the appropriate levels of access.

Understanding the Basics

Before diving into the implementation, it’s essential to understand the key components of access control in the Choreo Console:

  • Roles:
    These define a set of permissions that determine what actions a user can perform. Roles can range from administrators with full access to read-only users who can only view certain resources.
  • Groups:
    Groups are collections of users who share similar access requirements. By assigning roles to groups, you can efficiently manage permissions for multiple users simultaneously.
  • Mapping Levels:
    This defines the scope at which permissions are applied to a user group. Mapping can occur at the organization level, affecting all projects within the organization, or at the project level, affecting only specific projects.

Best Practices for Access Control

1. Define Clear Roles and Permissions:
Start by identifying the different roles required within your organization. Common roles might include Developer, Tester, Project Manager, and Administrator. Clearly define what each role can and cannot do.

2. Use Groups for Efficient Management:
Instead of assigning roles to individual users, create groups that represent teams or departments. Assign roles to these groups to simplify permission management.

3. Leverage Mapping Levels Appropriately:

  • Organization Level: Use this when you want certain roles to have access across all projects. For example, an IT administrator who needs to manage resources organization-wide.
  • Project Level: Assign roles at the project level for team members who only need access to specific projects.

The following diagram depicts a role-group assignment at a specific resource level. In the diagram, an admin user has assigned the Developer role to all members of the Engineering group within the Engineering Project. This grants users in the Engineering group the ability to perform all actions allowed by the Developer role within the Engineering Project.

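[Diagram: the Developer role assigned to the Engineering group within the Engineering Project. Source: https://wso2.com/choreo/docs/administer/control-access-in-the-choreo-console]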

Step-by-Step Guide to Setting Up Access Control

Step 1: Create Roles

  • Navigate to the Roles section in the Choreo Console.
  • Click on Create Role.
  • Define the role name and select the permissions associated with it.
  • Save the role.

Step 2: Create Groups

  • Go to the Groups section.
  • Click on Create Group.
  • Enter a group name and description.
  • Add users to the group.
  • Save the group.

Step 3: Assign Roles at the Appropriate Level

  • For organization-level roles:
    — Navigate to the Organization Settings.
    — Assign groups to roles at this level.
  • For project-level roles:
    — Open the specific project.
    — Go to Project Settings.
    — Assign groups to roles within the project.

Step 4: Review and Audit Permissions

  • Regularly review the roles and permissions assigned to ensure they are up-to-date.
  • Use the auditing features in the Choreo Console to track changes and access patterns.

Sample Scenario

Imagine you have a software development company with the following teams:

  • Development Team: Needs access to code repositories, deployment pipelines, and testing environments.
  • QA Team: Requires access to testing environments and bug tracking systems.
  • Project Managers: Should have oversight of project progress but limited access to code changes.

Now suppose you want specific subsets of these teams to work only on designated projects. Say there is an ‘Engineering Project’ that needs a set of developers, QA members, and a project manager. An organization admin should be able to give this subset of users access to that project and not to the others.

Implementation:

Create Roles/Use existing roles:
Note: Choreo already has a set of default roles defined out of the box.

  • Developer Role with permissions to modify code and deploy applications.
  • QA Role with permissions to run tests and report bugs.
  • Manager Role with permissions to view project status and reports.

Create Groups:

  • ‘Engineering Project Developers’ Group with the users who are developers on this project.
  • ‘Engineering Project QA’ Group with the users who are QA on this project.
  • ‘Engineering Project Managers’ Group with the users who are managers on this project.

Assign Groups to Projects:

  • For each project, assign the respective groups at the project level to ensure they only have access to relevant resources.
  • In this situation, you need to navigate inside the ‘Engineering Project’ and assign the roles to the newly created groups inside the project.

(Image source: https://wso2.com/choreo/docs/administer/control-access-in-the-choreo-console)

This grants developer access to users in the ‘Engineering Project Developers’ group within the scope of the ‘Engineering Project’ only.

Now that you have set up the access control, you can continue to add users to the relevant groups.
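The scenario above, together with the review in Step 4, as a small model. This is an example added here, not Choreo's own code or API: the permission strings, user names, the `ORG` marker and the rule that permissions from several mappings add up are assumptions of the model.

```python
from dataclasses import dataclass

ORG = "*"  # marker for an organization-level mapping (convention of this model)

# Constructed sample data; permission strings and user names are hypothetical.
ROLES = {
    "Developer": {"code:modify", "app:deploy"},
    "QA": {"test:run", "bug:report"},
    "Manager": {"status:view", "report:view"},
}
ROLES["Admin"] = set().union(*ROLES.values()) | {"access:manage"}
GROUPS = {
    "Engineering Project Developers": {"alice", "bob"},
    "Engineering Project QA": {"carol"},
    "Engineering Project Managers": {"dave"},
    "IT Admins": {"erin"},
}

@dataclass(frozen=True)
class Mapping:
    group: str
    role: str
    scope: str  # a project name, or ORG for every project

MAPPINGS = [
    Mapping("Engineering Project Developers", "Developer", "Engineering Project"),
    Mapping("Engineering Project QA", "QA", "Engineering Project"),
    Mapping("Engineering Project Managers", "Manager", "Engineering Project"),
    Mapping("IT Admins", "Admin", ORG),
]

def effective_permissions(user, project, mappings=MAPPINGS):
    """Union of role permissions from mappings that include the user and cover the project."""
    perms = set()
    for m in mappings:
        if user in GROUPS[m.group] and m.scope in (ORG, project):
            perms |= ROLES[m.role]
    return perms

def review(mappings=MAPPINGS, directory=None):
    """Periodic review: flag org-wide mappings and group members absent from the user directory."""
    findings = []
    for m in mappings:
        if m.scope == ORG:
            findings.append(("org-wide", m.group, m.role))
        if directory is not None:
            for user in sorted(GROUPS[m.group] - directory):
                findings.append(("stale-member", m.group, user))
    return findings
```

Changing a project-level mapping's scope to `ORG` in this model gives the same group its role in every project, which is the difference between the two mapping levels.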

Conclusion

By effectively utilizing roles, groups, and mapping levels in the Choreo Console, organizations can maintain robust access control mechanisms. This not only enhances security but also streamlines collaboration by ensuring team members have the tools and information they need to perform their duties.

Tips for Effective Access Management:

  • Regular Updates: As team members join or leave, or as roles change, ensure the access permissions are updated promptly.
  • Principle of Least Privilege: Assign the minimum level of access required for a user to perform their job functions.
  • Training: Educate your team about the importance of access control and how to use the Choreo Console responsibly.

By following these guidelines, you can harness the full potential of the Choreo Console while keeping your projects secure and well-organized.


Viduranga Gunarathne
vlgunarathne

Computer Science Graduate | Software Engineer @WSO2 | Tech enthusiast | Cinephile