RoleBinding - YAML

Organization Admins can manage users in their organization, and Project Owners can manage users in their projects, through the sloctl tool by applying a RoleBinding.

Assumptions and Validations

  • A single RoleBinding object allows the definition of the relation between exactly one user and exactly one role.

  • For organization roles (e.g., organization-admin, organization-viewer, organization-user), the projectRef field defined on the spec level must be empty. Otherwise, an error is returned.

  • For project roles (project-owner, project-editor, project-viewer, project-integrations-user), the projectRef field defined on the spec level cannot be empty. projectRef must point to an existing project, or sloctl will return an error.

  • Only one project role can be defined for a given project for any given user (for example, it is impossible to be a project-owner and a project-editor of the same project).

  • The system does not verify whether the user ID in the user field is valid or not. Any non-empty string is acceptable.

  • Organization roles cannot be removed by any user. If a user tries to delete an organization-level role, an error is returned.

  • If a RoleBinding with a given name already exists for one user in a given context (project or organization), that RoleBinding cannot be updated to point to another user. In such a case, an error is returned.

  • If another RoleBinding for the user identified by the user field (Spec.UserID) already exists in the given context (project or organization), an error is returned.

  • The roleRef and user fields are required. The projectRef field is optional, but if this field is not empty and points to a nonexisting project, an error is returned. The value in the roleRef field must be an existing role name.
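The rules above are exactly what a pre-apply check should enforce, so a batch of bindings is rejected locally before it reaches sloctl. The following Python linter is an added example, not Nobl9's own code; it assumes the documents were loaded with yaml.safe_load_all() and substitutes a constructed KNOWN_PROJECTS set for a real project lookup. It also reproduces the first cases listed under Validation Errors below.

```python
# Added example, not Nobl9's own code: lint a batch of RoleBinding documents against the
# rules on this page before `sloctl apply`; returns a list of error strings (empty = OK).
# Docs are the dicts yaml.safe_load_all() returns; KNOWN_PROJECTS is a constructed stand-in.
ORG_ROLES = {"organization-admin", "organization-viewer", "organization-user"}
PROJECT_ROLES = {"project-owner", "project-editor", "project-viewer",
                 "project-integrations-user"}
KNOWN_PROJECTS = {"default"}

def lint_rolebindings(docs, known_projects=KNOWN_PROJECTS):
    errors, seen_names, seen_users = [], set(), set()
    for doc in docs:
        if doc.get("kind") != "RoleBinding":
            continue
        name = doc.get("metadata", {}).get("name", "<unnamed>")
        spec = doc.get("spec", {})
        role, user, project = spec.get("roleRef"), spec.get("user"), spec.get("projectRef")
        if not role or not user:
            errors.append(f"{name}: roleRef and user are required")
            continue
        if role in ORG_ROLES:        # organization role: projectRef must be empty
            if project:
                errors.append(f"{name}: organization role {role!r} must not set projectRef")
                continue
            context = "organization"
        elif role in PROJECT_ROLES:  # project role: projectRef must name an existing project
            if project not in known_projects:
                errors.append(f"{name}: projectRef {project!r} is missing or not an existing project")
                continue
            context = f"project:{project}"
        else:
            errors.append(f"{name}: roleRef {role!r} is not an existing role")
            continue
        if (context, name) in seen_names:   # name must be unique per organization/project
            errors.append(f"{name}: name already used in {context}")
        if (context, user) in seen_users:   # only one role per user per context
            errors.append(f"{name}: user {user} already has a role in {context}")
        seen_names.add((context, name))
        seen_users.add((context, user))
    return errors

# Constructed sample batch: doc 2 reuses doc 1's name, doc 3 sets projectRef on an org role.
SAMPLE_DOCS = [
    {"kind": "RoleBinding", "metadata": {"name": "organization-admin-adam"},
     "spec": {"roleRef": "organization-admin", "user": "00u3ywkof3cTkMLOH4x7"}},
    {"kind": "RoleBinding", "metadata": {"name": "organization-admin-adam"},
     "spec": {"roleRef": "organization-admin", "user": "00u3ywkof3cTkMLOH4x8"}},
    {"kind": "RoleBinding", "metadata": {"name": "organization-admin-anna"},
     "spec": {"projectRef": "default", "roleRef": "organization-admin", "user": "00u3ywkof3cTkMLOH4x9"}},
]
```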

Applying Organization Role Bindings

You can configure an organization-level RoleBinding for a given user in sloctl as shown here:

apiVersion: n9/v1alpha
kind: RoleBinding
metadata:
  name: organization-admin-adam
spec:
  roleRef: organization-admin # Existing organization role (since projectRef is empty)
  user: 00u3ywkof3cTkMLOH4x7 # User ID from Okta, available in the UI in Settings > Users

Note: The user ID for the user field can be retrieved from Settings > Account and Settings > Users in the UI.

Applying Project Role Bindings

You can configure a project-level RoleBinding for a given user in sloctl as shown here:

apiVersion: n9/v1alpha
kind: RoleBinding
metadata:
  name: project-owner-adam # Must be a unique string, see notes below
spec:
  projectRef: default # Must refer to an existing Project
  roleRef: project-owner # Must be an existing Project role
  user: 00u3ywkof3cTkMLOH4x7 # Okta User ID

Specifications for metadata.name:

  • The name must follow the conventions defined in DNS RFC 1123. Refer to the YAML Guide for further details.
  • If you create a RoleBinding manually with sloctl, you can use any valid string for the name.
  • The name must be unique within an Organization (for Organization roles) or within a Project (for Project roles).
  • A RoleBinding created with sloctl can be edited in the Nobl9 UI. If you create project-owner-adam with sloctl, this object will be listed on the Settings > Users tab in the UI, where you can edit it.
  • If you configure a role in the UI first, the UI generates a UUID for the name, and you need to retrieve the RoleBinding through sloctl.

Validation Errors

The following are common errors related to role binding that users may experience in sloctl:

  • If a role does not exist in an organization context (if projectRef is not defined, and the system expects to find an organization-level role type), as in this example:

    apiVersion: n9/v1alpha
    kind: RoleBinding
    metadata:
      name: organization-admin-adam
    spec:
      roleRef: not-existing-project-ref
      user: 00u3ywkof3cTkMLOH4x7

    sloctl returns the following error message:

    Error: Applying RoleBinding 'organization-admin-adam' failed because the object referenced in the field RoleRef 'not-existing-project-ref' could not be found in the given context (expected 'Organization' role type).

  • If a role does not exist in a project context (if projectRef is defined, and the system expects to find a project role type), as in this example:

    apiVersion: n9/v1alpha
    kind: RoleBinding
    metadata:
      name: organization-admin-adam
    spec:
      projectRef: default
      roleRef: organization-admin
      user: 00u3ywkof3cTkMLOH4x7

    sloctl returns the following error message:

    Error: Applying RoleBinding 'organization-admin-adam' failed because the object referenced in the field RoleRef 'organization-admin' could not be found in the given context (expected existing 'Project' role type).

  • If a RoleBinding already exists for another user, as in this example:

    ---
    apiVersion: n9/v1alpha
    kind: RoleBinding
    metadata:
      name: organization-admin-adam
    spec:
      roleRef: organization-admin
      user: 00u3ywkof3cTkMLOH4x7
    ---
    apiVersion: n9/v1alpha
    kind: RoleBinding
    metadata:
      name: organization-admin-adam
    spec:
      roleRef: organization-admin
      user: 00u3ywkof3cTkMLOH4x8

    sloctl returns the following error message:

    Error: Validation failed because RoleBinding ('organization-admin-adam') already exists for another user in the given context.

  • If a RoleBinding already exists for a given user in a given context, as in this case:

    ---
    apiVersion: n9/v1alpha
    kind: RoleBinding
    metadata:
      name: project-owner-anna
    spec:
      projectRef: default
      roleRef: project-owner
      user: 00u3ywkof3cTkMLOH4x7
    ---
    apiVersion: n9/v1alpha
    kind: RoleBinding
    metadata:
      name: project-owner-anna-2
    spec:
      projectRef: default
      roleRef: project-owner
      user: 00u3ywkof3cTkMLOH4x7

    sloctl returns the following error message:

    Error: Validation failed because another RoleBinding ('project-owner-anna-2') already exists for user 00u3ywkof3cTkMLOH4x7 in the given context.

  • If a user does not have permission to apply or delete role bindings in a project—for example, using a command like this:

    sloctl delete rolebinding project-editor-anna -p existing-project-ref

    sloctl returns the following error message:

    Error: The user does not have permission to delete the role-binding-project in project existing-project-ref.

  • If a user does not have permission to apply or delete role bindings in an organization—for example, with a command like the following:

    sloctl apply -f ./samples/roles/sample-role-binding.yaml

    sloctl returns the following error message:

    Error: The user does not have permissions to apply role-binding-organization in the organization some-organization-name.

  • If a user tries to delete a role binding from a project that does not exist, as shown here:

    sloctl delete rolebinding project-editor-anna -p not-existing-project-ref

    sloctl returns the following error message:

    Error: Project 'not-existing-project-ref' was not found.

  • If a user tries to delete an organization-level role binding:

    sloctl delete rolebinding organization-user-anna

    sloctl returns the following error message:

    Error: deleting organizational role bindings is not allowed