IAM role templates¶
Bootstrap groups shipped with the identity service. Use these as starting points; clone or extend in the dashboard Access → Groups tab.
Note: Group names in the database (
admins,operators, …) are shown as Roles in the UI.
Built-in groups¶
| Group | Typical user | Policies (effective) |
|---|---|---|
| admins | Platform owner, break-glass | meshflows:* plus platform admin scopes |
| operators | Integration ops, run/retrigger | meshflows:workflow:run:*, meshflows:workflow:retrigger:* |
| viewers | Read-only (demo) | (none by default — assign per-workflow run scopes as needed) |
| developers | API explorer | meshflows:developer:portal |
Demo users (IDENTITY_SEED_DEMO_USERS=true): operator → operators, viewer → viewers.
Recommended custom roles¶
| Role idea | Policies | Use when |
|---|---|---|
| IAM admin | meshflows:iam:manage |
User/group administration without full meshflows:* |
| Workflow designer | meshflows:workflow:design |
Create/edit workflows, no production run |
| Scheduler admin | meshflows:workflow:schedule:*, meshflows:scheduler:templates:* |
Manage cron schedules and templates |
| Secrets reader | meshflows:runtime:secrets:read |
View runtime secrets metadata/values |
| Per-workflow operator | meshflows:workflow:run:<name>, optional retrigger/schedule |
Least privilege for one integration |
Policy categories (dashboard UI)¶
The Access UI groups policies with colour accents:
- Break-glass (red) —
meshflows:* - Platform (blue) — admin, IAM, design, settings, developer portal
- Workflow execution (green) — run/retrigger/schedule wildcards, schedule templates
- Runtime secrets (orange) — read/write secrets
Inherited policies (from groups) appear muted on the user detail panel; edit the group to change them.
See also¶
Access review CLI¶
Periodic review (CI or cron):
cd engine
python scripts/iam-access-review.py --report --fail-on critical \\
--identity-url http://identity:8080 \\
--username "$IDENTITY_ADMIN_USER" --password "$IDENTITY_ADMIN_PASSWORD" \\
--workflows "$(curl -s http://orchestrator:8080/workflows | jq -r '.workflows[].name' | paste -sd,)"
# Register missing per-workflow scopes in the catalog
python scripts/iam-access-review.py --sync-workflows \\
--identity-url http://identity:8080 \\
--orchestrator-url http://orchestrator:8080 \\
--username admin --password "$ADMIN_PASSWORD"
The dashboard Access tab also syncs workflow scopes on load and offers Access review on the Audit tab.