Role-Based Access Control (RBAC)
Public Preview
User Management v2 required
Role-based access control requires User Management v2. If you are using single sign-on, see also Microsoft Entra ID Authentication Integration (User Management v2).
When User Management v2 is in use, Agile Data Engine supports role-based access control (RBAC) for authorizing user access to separate features and user interfaces. The External API is an exception to this.
Roles are predefined and granted on a per-user basis. When applicable, roles are scoped at the tenant, installation, or environment level.
Role format:
{tenant}-{installation}-{environment}:ade-{application}-{role}
Where:
tenant (required): The tenant where the role is applied.
installation (optional): The installation name where the role is applied. Used for core roles.
runtime (optional): The runtime environment name where the role is applied. Used for core roles.
application (required): The application or scope where the role is used.
role (required): The role to be applied.
The role format consists of two parts: the first part defines the scope, and the second part specifies the application role.
Role assignments for users are managed in the Admin UI.
ADE Core (tenant-specific applications)
ADE Core access
Access to ADE Core services such as the Designer, Deployment Management and Workflow Orchestration requires an ADE Core role assignment.
The ade-login role can be used to grant access to ADE Core services:
Role | Permissions | Scope | Additional information |
---|---|---|---|
ade-login | | {tenant}-{installation} | This role grants general developer access to ADE Core services. |
Note that deployment roles include ADE Core access, i.e. an ade-login role assignment is not required if deployment roles are assigned to the user.
Deployment actions
Public Preview
By default, all users with access to ADE Core can promote, demote and deploy. The deployment authorization feature must be enabled for your tenant before deployment roles can be used to control deployment permissions. To have the feature enabled, please create a support request in the support portal.
Assign roles before enabling deployment authorization
Once the feature is enabled, promotions, demotions, and deployments to any environment are not possible without the appropriate roles. If you plan to enable the feature in an existing tenant, ensure that all necessary roles are assigned in advance to users who need to perform these operations. This requirement also applies to environments configured for automatic promotion or deployment.
Deployment roles allow you to specify, per environment, which users can promote or demote, and which users are authorized to initiate deployments.
Role | Permissions | Scope | Additional information |
---|---|---|---|
ade-deployment-admin | | {tenant}-{installation}-{environment} | Note that deployment roles are scoped at the runtime environment level. |
ade-deployment-promoter | | {tenant}-{installation}-{environment} | |
ade-deployment-deployer | | {tenant}-{installation}-{environment} | |
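A pre-flight check for the warning above, as an added example that is not part of the Agile Data Engine documentation or product: before deployment authorization is enabled, it lists per environment who holds each deployment role and which users with ADE Core access would lose promote, demote and deploy there. It assumes the assignments were copied by hand from the Admin UI as (user, role) pairs; the tenant, installation, environment and user names are hypothetical.

```python
# Constructed sample: (user, role assignment) pairs copied by hand from the
# Admin UI. Tenant "acme", installation "main" and all users are hypothetical.
ASSIGNMENTS = [
    ("alice", "acme-main:ade-login"),
    ("bob", "acme-main-dev:ade-deployment-promoter"),
    ("bob", "acme-main-dev:ade-deployment-deployer"),
    ("carol", "acme-main-prod:ade-deployment-admin"),
    ("dave", "acme-main:ade-login"),
    ("dave", "acme-main-dev:ade-deployment-deployer"),
    ("erin", "acme:ade-adminui-tenantAdmin"),
]
DEPLOYMENT_ROLES = ("ade-deployment-admin", "ade-deployment-promoter",
                    "ade-deployment-deployer")

def split_assignment(assignment):
    """Split '{scope}:ade-{application}-{role}' into (scope, application role)."""
    scope, sep, app_role = assignment.partition(":")
    if not sep or not scope or not app_role.startswith("ade-"):
        raise ValueError(f"not a role assignment: {assignment!r}")
    return scope, app_role

def preflight(assignments, tenant, installation, environments):
    """Per environment: who holds each deployment role, and which users with
    ADE Core access today hold none and so lose promote/demote/deploy there."""
    core_scope = f"{tenant}-{installation}"
    # Scopes are compared as whole strings, never split on "-", so a hyphen
    # inside a name cannot shift the boundaries.
    env_scopes = {f"{core_scope}-{env}": env for env in environments}
    holders = {env: {r: set() for r in DEPLOYMENT_ROLES} for env in environments}
    core_users = set()
    for user, assignment in assignments:
        scope, app_role = split_assignment(assignment)
        if scope == core_scope and app_role == "ade-login":
            core_users.add(user)
        elif scope in env_scopes and app_role in DEPLOYMENT_ROLES:
            holders[env_scopes[scope]][app_role].add(user)
            core_users.add(user)  # deployment roles include ADE Core access
    report = {}
    for env, by_role in holders.items():
        covered = set().union(*by_role.values())
        report[env] = {
            "holders": {role: sorted(users) for role, users in by_role.items()},
            "loses_access": sorted(core_users - covered),
        }
    return report

if __name__ == "__main__":
    for env, row in preflight(ASSIGNMENTS, "acme", "main", ["dev", "test", "prod"]).items():
        print(env, row)
```

An environment whose holders lists are all empty, such as test in the sample, would accept no promotions or deployments once the feature is enabled.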
Admin UI
Admin UI access is granted with the ade-adminui-tenantAdmin role. Access should only be given to platform administrators.
Role | Permissions | Scope | Additional information |
---|---|---|---|
ade-adminui-tenantAdmin | | {tenant} | - |
See Admin UI for more details.
Insights
To access Insights, you must be assigned one of the Insights roles:
Role | Permissions | Scope | Additional information |
---|---|---|---|
ade-insights-tenantAdmin | | {tenant} | - |
ade-insights-viewer | | {tenant} | - |
See Insights Access and Roles for more details.