This feature is part of Formance Enterprise Edition.
With Formance Cloud, you can manage access to your organization and stacks using Role-Based Access Control (RBAC). This allows you to control who can access your organization and stacks, and what they can do with them.

Roles

Organization

  • An organization’s ADMIN can manage the organization and its stacks. It overrides the stack role.
  • GUEST of an organization can read the organization.

Stack: manage one stack

  • ADMIN of a stack can manage the stack control plane and data plane.
  • GUEST of a stack can read the stack control plane and data plane.
Notice:
  • To access a stack the user must have a role set on the organization.
  • If a user has the organization role ADMIN, they have the stack role ADMIN even if it is not set.

Data planes: Roles to scopes translation

Organization   Stack       Scopes
ADMIN          _           Read & Write
GUEST          ADMIN       Read & Write
GUEST          GUEST       Read
GUEST          NONE        _
NONE           NONE        _
NONE           undefined   _
  • Organization ADMIN: read & write on all services
  • Stack ADMIN: read & write on all services
  • Stack GUEST: read on all services
  • Otherwise: no access

Basics

Inviting a user

When inviting a user to an organization, you can directly assign a role to the user. When the user accepts the invitation, they are granted the configured roles.
fctl cloud organizations invitations send <email> \
    --stack-claims '[{"id":"vnrw", "role":"ADMIN"}]' \
    --org-claim ADMIN
You can get more information on the different planes on the Architecture page.

Default roles: fallback when user assigned role is not satisfied

Default roles are assigned at the organization level. You can modify defaults with the following command:
fctl cloud organization update <orgId> --name <name> --default-stack-role "ADMIN" --default-organization-role "GUEST"

Examples

  1. A user can be a member of an organization with the role ADMIN and have the role GUEST in a stack. GUEST would be ignored, and the user would be granted the role ADMIN in the stack.
  2. Fallback roles are set to organization GUEST and stack GUEST
    1. A user with no roles and no stack role assigned would have role GUEST and stack role GUEST assigned
    2. A user with a stack role NONE would have the role GUEST assigned
  3. Fallback roles are set to organization ADMIN and stack ADMIN
    1. A user with no roles and no stack role assigned would have role ADMIN and stack role ADMIN
    2. A user with a stack role NONE would have the role ADMIN assigned
    3. A user with a stack role GUEST would have the role ADMIN assigned
  4. Fallback roles are set to organization NONE and stack GUEST
    1. A user with no roles and no stack role assigned would have the stack role GUEST
    2. A user with a stack role NONE would have the role GUEST assigned
    3. A user with a stack role ADMIN would have the role ADMIN assigned
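
The examples above are consistent with the default acting as a floor: the effective role is the higher of the assigned role and the default. The following Python is an added example, not Formance code; the function names and the max-based reading of the examples are assumptions. It reproduces the roles-to-scopes table and lists which explicit stack roles a given default would silently raise, which is worth checking before setting a default of ADMIN.

```python
from enum import IntEnum
from typing import Optional


class Role(IntEnum):
    NONE = 0
    GUEST = 1
    ADMIN = 2


# Scopes column of the roles-to-scopes table ("_" means no access).
SCOPES = {Role.NONE: "_", Role.GUEST: "Read", Role.ADMIN: "Read & Write"}


def resolve(assigned: Optional[Role], default: Role) -> Role:
    """Assumed reading of the examples: the default is a floor, so the
    effective role is the higher of assigned and default (unset == NONE)."""
    return max(Role.NONE if assigned is None else assigned, default)


def stack_role(org, stack, default_org=Role.NONE, default_stack=Role.NONE) -> Role:
    """Effective stack role after fallback and the organization ADMIN override."""
    if resolve(org, default_org) is Role.ADMIN:
        return Role.ADMIN
    return resolve(stack, default_stack)


def stack_scopes(org, stack, default_org=Role.NONE, default_stack=Role.NONE) -> str:
    """Data-plane scopes; without an organization role there is no stack access."""
    if resolve(org, default_org) is Role.NONE:
        return SCOPES[Role.NONE]
    return SCOPES[stack_role(org, stack, default_org, default_stack)]


def masked_assignments(default_stack: Role) -> list:
    """Explicit stack roles that a default silently raises: an audit aid."""
    return [r.name for r in Role if resolve(r, default_stack) is not r]


if __name__ == "__main__":
    # Rows of the roles-to-scopes table, with no defaults configured.
    for org, stack in [(Role.ADMIN, None), (Role.GUEST, Role.ADMIN),
                       (Role.GUEST, Role.GUEST), (Role.GUEST, Role.NONE),
                       (Role.NONE, None)]:
        print(org.name, getattr(stack, "name", "undefined"), "->", stack_scopes(org, stack))
    print("default stack ADMIN masks:", masked_assignments(Role.ADMIN))
```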

Manage Permissions with FCTL

Access to an organization

Describe an organization

fctl cloud organizations describe <orgId>

Update an organization

fctl cloud organization update <orgId> --name <name> --default-stack-role "ADMIN" --default-organization-role "GUEST"

List organization user

fctl cloud organizations users list --organization <orgID>

Change organization user role

fctl cloud organizations users link <userId> --role GUEST --organization=<orgId>

Delete organization user

fctl cloud organizations users unlink <userId> --organization <orgId>

Access to a stack

fctl stacks users link <stackId> <userId> --role GUEST --organization <organizationId>

Delete stack user

fctl stacks users unlink <stackID> <userId> --organization <organizationId>

List stack user role

fctl stacks users list <stackID> --organization <organizationId>