This feature is available for Enterprise Edition users only.
With Formance Cloud, you can manage access to your organization and stacks using Role-Based Access Control (RBAC). This allows you to control who can access your organization and stacks, and what they can do with them.

Roles

Organization

  • An organization’s ADMIN can manage the organization and its stacks. It overrides the stack role.
  • GUEST of an organization can read the organization.

Stack: manage one stack

  • ADMIN of a stack can manage the stack control plane and data plane.
  • GUEST of a stack can read the stack control plane and data plane.
Notice:
  • To access a stack the user must have a role set on the organization.
  • If a user has organization role ADMIN, he will have the stack role ADMIN even if it is not set.

Data planes: Roles to scopes translation

OrganizationStackScopes
ADMIN_Read & Write
GUESTADMINRead & Write
GUESTGUESTRead
GUESTNONE_
NONENONE_
NONEundefined_
  • Organization ADMIN: read & write on all services
  • Stack ADMIN: read & write on all services
  • Stack GUEST: read on all services
  • Else: no accesses

Basics

Inviting a user

When inviting a user to an organization, you can directly assign a role to the user. When the user accepts, he will be granted configured roles. 
fctl cloud organizations invitations send <email> \
    --stack-claims '[{"id":"vnrw", "role":"ADMIN"}]' \
    --org-claim ADMIN
You can get more information on the different planes on Architecture page.

Default roles: fallback when user assigned role is not satisfied

Default roles are assigned at the organization level. You can modify defaults with the following command: 
fctl cloud organization update <orgId> --name <name> --default-stack-role "ADMIN" --default-organization-role "GUEST"

Examples

  1. A user can be a member of an organization with the role ADMIN and have the role GUEST in a stack. GUEST would be ignored, he would be granted of the role ADMIN in the stack.
  2. Fallback roles are set to organization GUEST and stack GUEST
    1. A user with no roles and no stack role assigned. would have role GUEST and stack role GUEST assigned
    2. A user with a stack role NONE would have the role guest assigned
  3. Fallback roles are set to organization ADMIN and stack ADMIN
    1. A user with no roles and no stack role assigned would have role ADMIN and stack role ADMIN
    2. A user with a stack role NONE would have the role ADMIN assigned
    3. A user with a stack role GUEST would have the role ADMIN assigned
  4. Fallback roles are set to organization NONE and stack GUEST
    1. A user with no roles and no stack role assigned would have role stack role GUEST.
    2. A user with a stack role NONE would have the role GUEST assigned
    3. A user with a stack role ADMIN would have the role ADMIN assigned

Manage Permissions with FCTL

Access to an organization

Describe an organization

fctl cloud organizations describe <orgId>

Update an organization

fctl cloud organization update <orgId> --name <name> --default-stack-role "ADMIN" --default-organization-role "GUEST"

List organization user

fctl cloud organizations users list —organization <orgID>

Change organization user role

fctl cloud organizations users link <userId> —role GUEST —organization=<orgId>

Delete organization user

fctl cloud organizations users unlink <userId> —organization <orgId>

Access to a stack

fctl stacks users link <stackId> <userId> —role  GUEST --organization <organizationId>

Delete stack user

fctl stacks users unlink <stackID> <userId> --organization <organizationId>

List stack user role

fctl stacks users list <stackID> --organization <organizationId>