Version: v2.0

Role Base Access Control

With Formance Cloud, you can manage access to your organization and stacks using Role-Based Access Control (RBAC). This allows you to control who can access your organization and stacks, and what they can do with them.

Roles

Organization

An organization's ADMIN can manage the organization and its stacks. It overrides the stack role.
GUEST of an organization can read the organization.

Stack: manage one stack

ADMIN of a stack can manage the stack control plane and data plane.
GUEST of a stack can read the stack control plane and data plane.

Notice:

To access a stack the user must have a role set on the organization.
If a user has organization role ADMIN, he will have the stack role ADMIN even if it is not set.

Data planes: Roles to scopes translation

Organization	Stack	Scopes
ADMIN	_	Read & Write
GUEST	ADMIN	Read & Write
GUEST	GUEST	Read
GUEST	NONE	_
NONE	NONE	_
NONE	undefined	_

Organization ADMIN: read & write on all services
Stack ADMIN: read & write on all services
Stack GUEST: read on all services
Else: no accesses

Basics

Inviting a user

When inviting a user to an organization, you can directly assign a role to the user. When the user accepts, he will be granted configured roles.

fctl cloud organizations invitations send <email> \
    --stack-claims '[{"id":"vnrw", "role":"ADMIN"}]' \
    --org-claim ADMIN 

You can get more information on the different planes on Architecture page.

Default roles: fallback when user assigned role is not satisfied

Default roles are assigned at the organization level. You can modify defaults with the following command:

fctl cloud organization update <orgId> --name <name> --default-stack-role "ADMIN" --default-organization-role "GUEST"

Examples

A user can be a member of an organization with the role ADMIN and have the role GUEST in a stack. GUEST would be ignored, he would be granted of the role ADMIN in the stack.
Fallback roles are set to organization GUEST and stack GUEST
1. A user with no roles and no stack role assigned. would have role GUEST and stack role GUEST assigned
2. A user with a stack role NONE would have the role guest assigned
Fallback roles are set to organization ADMIN and stack ADMIN
1. A user with no roles and no stack role assigned would have role ADMIN and stack role ADMIN
2. A user with a stack role NONE would have the role ADMIN assigned
3. A user with a stack role GUEST would have the role ADMIN assigned
Fallback roles are set to organization NONE and stack GUEST
1. A user with no roles and no stack role assigned would have role stack role GUEST.
2. A user with a stack role NONE would have the role GUEST assigned
3. A user with a stack role ADMIN would have the role ADMIN assigned

Manage Permissions with FCTL

Access to an organization

Describe an organization

fctl cloud organizations describe <orgId>

Update an organization

fctl cloud organization update <orgId> --name <name> --default-stack-role "ADMIN" --default-organization-role "GUEST"

List organization user

fctl cloud organizations users list —organization <orgID>

Change organization user role

fctl cloud organizations users link <userId> —role GUEST —organization=<orgId>

Delete organization user

fctl cloud organizations users unlink <userId> —organization <orgId>

Access to a stack

fctl stacks users link <stackId> <userId> —role  GUEST --organization <organizationId>

Delete stack user

fctl stacks users unlink <stackID> <userId> --organization <organizationId>

List stack user role

fctl stacks users list <stackID> --organization <organizationId>

Roles​

Organization​

Stack: manage one stack​

Data planes: Roles to scopes translation​

Basics​

Inviting a user​

Default roles: fallback when user assigned role is not satisfied​

Examples​

Manage Permissions with FCTL​

Access to an organization​

Describe an organization​

Update an organization​

List organization user​

Change organization user role​

Delete organization user​

Access to a stack​

Delete stack user​

List stack user role​