Skip to content

IAM role templates

Bootstrap groups shipped with the identity service. Use these as starting points; clone or extend in the dashboard Access → Groups tab.

Note: Group names in the database (admins, operators, …) are shown as Roles in the UI.

Built-in groups

Group Typical user Policies (effective)
admins Platform owner, break-glass meshflows:* plus platform admin scopes
operators Integration ops, run/retrigger meshflows:workflow:run:*, meshflows:workflow:retrigger:*
viewers Read-only (demo) (none by default — assign per-workflow run scopes as needed)
developers API explorer meshflows:developer:portal

Demo users (IDENTITY_SEED_DEMO_USERS=true): operatoroperators, viewerviewers.

Role idea Policies Use when
IAM admin meshflows:iam:manage User/group administration without full meshflows:*
Workflow designer meshflows:workflow:design Create/edit workflows, no production run
Scheduler admin meshflows:workflow:schedule:*, meshflows:scheduler:templates:* Manage cron schedules and templates
Secrets reader meshflows:runtime:secrets:read View runtime secrets metadata/values
Per-workflow operator meshflows:workflow:run:<name>, optional retrigger/schedule Least privilege for one integration

Policy categories (dashboard UI)

The Access UI groups policies with colour accents:

  • Break-glass (red) — meshflows:*
  • Platform (blue) — admin, IAM, design, settings, developer portal
  • Workflow execution (green) — run/retrigger/schedule wildcards, schedule templates
  • Runtime secrets (orange) — read/write secrets

Inherited policies (from groups) appear muted on the user detail panel; edit the group to change them.

See also

Access review CLI

Periodic review (CI or cron):

cd engine
python scripts/iam-access-review.py --report --fail-on critical \\
  --identity-url http://identity:8080 \\
  --username "$IDENTITY_ADMIN_USER" --password "$IDENTITY_ADMIN_PASSWORD" \\
  --workflows "$(curl -s http://orchestrator:8080/workflows | jq -r '.workflows[].name' | paste -sd,)"

# Register missing per-workflow scopes in the catalog
python scripts/iam-access-review.py --sync-workflows \\
  --identity-url http://identity:8080 \\
  --orchestrator-url http://orchestrator:8080 \\
  --username admin --password "$ADMIN_PASSWORD"

The dashboard Access tab also syncs workflow scopes on load and offers Access review on the Audit tab.