Enterprise
Role Base Access Control
This feature is available for Enterprise Edition users only.
With Formance Cloud, you can manage access to your organization and stacks using Role-Based Access Control (RBAC). This allows you to control who can access your organization and stacks, and what they can do with them.
Roles
Organization
- An organization’s
ADMIN
can manage the organization and its stacks. It overrides the stack role. GUEST
of an organization can read the organization.
Stack: manage one stack
ADMIN
of a stack can manage the stack control plane and data plane.GUEST
of a stack can read the stack control plane and data plane.
Notice:
- To access a stack the user must have a role set on the organization.
- If a user has organization role
ADMIN
, he will have the stack roleADMIN
even if it is not set.
Data planes: Roles to scopes translation
Organization | Stack | Scopes |
---|---|---|
ADMIN | _ | Read & Write |
GUEST | ADMIN | Read & Write |
GUEST | GUEST | Read |
GUEST | NONE | _ |
NONE | NONE | _ |
NONE | undefined | _ |
- Organization ADMIN: read & write on all services
- Stack ADMIN: read & write on all services
- Stack GUEST: read on all services
- Else: no accesses
Basics
Inviting a user
When inviting a user to an organization, you can directly assign a role to the user. When the user accepts, he will be granted configured roles.
You can get more information on the different planes on Architecture page.
Default roles: fallback when user assigned role is not satisfied
Default roles are assigned at the organization level. You can modify defaults with the following command:
Examples
- A user can be a member of an organization with the role
ADMIN
and have the roleGUEST
in a stack. GUEST would be ignored, he would be granted of the roleADMIN
in the stack. - Fallback roles are set to organization
GUEST
and stackGUEST
- A user with no roles and no stack role assigned. would have role
GUEST
and stack roleGUEST
assigned - A user with a stack role
NONE
would have the role guest assigned
- A user with no roles and no stack role assigned. would have role
- Fallback roles are set to organization
ADMIN
and stackADMIN
- A user with no roles and no stack role assigned would have role
ADMIN
and stack roleADMIN
- A user with a stack role
NONE
would have the role ADMIN assigned - A user with a stack role
GUEST
would have the role ADMIN assigned
- A user with no roles and no stack role assigned would have role
- Fallback roles are set to organization
NONE
and stackGUEST
- A user with no roles and no stack role assigned would have role stack role
GUEST
. - A user with a stack role
NONE
would have the roleGUEST
assigned - A user with a stack role
ADMIN
would have the roleADMIN
assigned
- A user with no roles and no stack role assigned would have role stack role