Role binding YAML

Organization admins can manage users in their organization, and Project owners can manage user permissions in their projects through sloctl using the RoleBinding object.

Key points

  • A single role binding object can hold the relation between exactly one role and one user.
  • To specify an organization role, leave the project field empty.
  • You can apply a new project and role binding at the same time in one YAML file.
  • You can edit the following role binding settings:
    • User ID or user group ID
    • Project name identifier
    • Role name

Changing a role overwrites the previous role's permissions

When you change a user's role, the new role's permissions replace those of the previous role. For example, if you change the role from project-editor to project-viewer, the user, or every user in the group, loses editor permissions.

  • A user group can have more than one organization role assigned through different role binding objects. This expands the group's permissions.
  • An individual user can have only one organization role, and only one project role within the same project.
  • The role name and the project name identifier in a role binding must point to an existing role and project. The project name identifier is required for project-level roles only.

Nobl9 Enterprise

Groups are available for Nobl9 Enterprise Edition customers who have configured the SCIM synchronization with their Identity Provider (IdP), for example, Azure AD or Okta.

YAML samples

To configure a RoleBinding, apply a YAML definition with sloctl.

  • Organization role for an individual user:

    Sample organization role binding for a user
    - apiVersion: n9/v1alpha
      kind: RoleBinding
      metadata:
        name: organization-binding-user-admin
      spec:
        user: XXXXXXXXXXXXXXXXXXXX
        roleRef: organization-admin

  • Organization role for a user group:

    Sample organization role binding for a user group
    - apiVersion: n9/v1alpha
      kind: RoleBinding
      metadata:
        name: group-binding-admin
      spec:
        groupRef: group-XXXXXXXXXXXX
        roleRef: organization-admin

  • Project role for an individual user:

    Sample project role binding for a user
    - apiVersion: n9/v1alpha
      kind: RoleBinding
      metadata:
        name: default-project-binding
      spec:
        user: XXXXXXXXXXXXXXXXXXXX
        roleRef: project-viewer
        projectRef: default

  • Project role for a user group:

    Sample project role binding for a user group
    - apiVersion: n9/v1alpha
      kind: RoleBinding
      metadata:
        name: default-group-project-binding
      spec:
        groupRef: group-XXXXXXXXXXXX
        roleRef: project-viewer
        projectRef: default

metadata.name (mandatory, string)
Constraints:
  • The name must follow the conventions defined in DNS RFC 1123.
  • If you create the RoleBinding manually with sloctl, you can use any valid string as the name.
  • The name must be unique within an organization (for organization roles) or within a project (for project roles).
    A RoleBinding created with sloctl can be edited in the Nobl9 UI. If you create project-owner-adam with sloctl, this object is listed on the Settings > Access Controls tab in the UI, where you can edit the project-owner-adam object on the Users list.
  • If you configure a role in the UI first, the UI generates a UUID as the name, and you need to get the RoleBinding through sloctl.

spec.projectRef (mandatory for project role bindings, string)
Your required project name identifier. Skip this field when creating an organization role binding.

spec.roleRef (mandatory, string)
The role name you are assigning.

spec.user (mandatory, string)
A user ID found under Settings > Users. Use either user or groupRef in your role binding.

spec.groupRef (mandatory, string)
A user group name found under Settings > Groups. Use either groupRef or user in your role binding.

To create a new project and a role binding at the same time, specify the required resources in a YAML definition as follows:

Sample project YAML with a project role binding for a user
- apiVersion: n9/v1alpha
  kind: Project
  metadata:
    name: orders-and-shipping-project
  spec:
    description: "This project contains services and SLOs to monitor customer orders and order shipping"
---
- apiVersion: n9/v1alpha
  kind: RoleBinding
  metadata:
    name: orders-and-shipping-project-editor
  spec:
    user: XXXXXXXXXXXXXXXXXXXX
    roleRef: project-viewer
    projectRef: orders-and-shipping-project

You can handle role bindings in sloctl as follows:

  • Use rolebindings as the sloctl object
  • Apply a YAML definition with sloctl apply
  • Delete a role binding with sloctl delete
  • Get role bindings available in your organization with sloctl get
  • Get help for your required command with sloctl %your command% rolebindings --help

For more information, refer to the sloctl user guide.

Role name reference

The following role names are available in Nobl9:

Nobl9 Web                       YAML name
Organization admin              organization-admin
Organization blank              organization-blank
Organization integrations user  organization-integrations-user
Organization responder          organization-responder
Organization user               organization-user
Organization viewer             organization-viewer
Project editor                  project-editor
Project integrations user       project-integrations-user
Project owner                   project-owner
Project responder               project-responder
Project viewer                  project-viewer

Find detailed permission lists for organization-level and project-level roles.

Validation errors

This section describes common role binding errors returned by sloctl.

Error: Applying RoleBinding 'role-binding-name' failed because the object referenced in the field RoleRef 'non-existing-role-name' could not be found in the given context (expected 'Organization' role type).
Reason: The role does not exist in the organization (projectRef is not defined, so the system expects an organization-level role type).

Error: Applying RoleBinding 'role-binding-name' failed because the object referenced in the field RoleRef 'non-existing-role' could not be found in the given context (expected existing 'Project' role type).
Reason: The project role does not exist (projectRef is defined).

Error: Another RoleBinding ('role-binding-name') already exists for user XXXXXXXXXXXXXXXXXXXX.
Reason: A RoleBinding with the same configuration (user ID, role, and project) already exists.

Error: Validation failed: Project project-name not found
Reason: The project does not exist.

Error: The user does not have permission to delete the 'role-binding-name' in project project-name.
Reason: The user has no permission to apply or delete role bindings in the project.
Example command: sloctl delete rolebinding role-binding-name -p project-name

Error: The user does not have permissions to apply role-binding-name in the organization organization-name.
Reason: The user has no permission to apply or delete role bindings in the organization.
Example command: sloctl apply -f ./role-binding-name.yaml

Error: Project 'project-name' was not found.
Reason: You tried to delete a role binding in a non-existing project.
Example command: sloctl delete rolebinding role-binding-name -p project-name

Error: deleting organizational role bindings is not allowed
Reason: You tried to delete an organization-level role binding.
Example command: sloctl delete rolebinding organization-name
Example command: sloctl delete rolebinding --A
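
Most of the errors above can be caught before the file ever reaches sloctl apply. The following Python script is an added example, not part of sloctl or the Nobl9 documentation: it checks a role binding file against the rules stated on this page (exactly one of user or groupRef per binding, projectRef present only for project roles, the referenced role and project must exist, no duplicate binding, an RFC 1123 name) and reports the same conditions the validation errors describe. It assumes only the role names from the reference table and the YAML layout of the samples; the tiny YAML reader, the sample file, and the user ID and group name placeholders are constructed for the example, and a real pre-flight check would load the file with PyYAML instead.

```python
import re

# Role names from the "Role name reference" table on this page.
ORGANIZATION_ROLES = {"organization-admin", "organization-blank", "organization-integrations-user",
                      "organization-responder", "organization-user", "organization-viewer"}
PROJECT_ROLES = {"project-editor", "project-integrations-user", "project-owner",
                 "project-responder", "project-viewer"}
# RFC 1123 label: lowercase alphanumerics and '-', alphanumeric at both ends, at most 63 chars.
RFC1123_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")


def load_objects(text):
    """Minimal reader for the YAML subset the samples use ('---'-separated documents, each a
    one-item list of nested mappings with scalar values). Stands in for yaml.safe_load_all so
    this runs without PyYAML; use PyYAML for real files. Assumes well-formed input."""
    objects, stack = [], []  # stack entries: (indent of a mapping's keys, mapping); None = unknown
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body == "---" or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if body.startswith("- "):              # new top-level object; its keys follow the dash
            body, indent = body[2:], indent + 2
            objects.append({})
            stack = [(indent, objects[-1])]
        if stack[-1][0] is None:               # first key fixes the pending child's indentation
            stack[-1] = (indent, stack[-1][1])
        while stack[-1][0] > indent:           # dedent: back out to the enclosing mapping
            stack.pop()
        key, _, value = body.partition(":")
        if value.strip():
            stack[-1][1][key.strip()] = value.strip().strip('"')
        else:                                  # 'key:' with no value opens a nested mapping
            stack[-1][1][key.strip()] = child = {}
            stack.append((None, child))
    return objects


def check_role_binding(obj, projects, applied=()):
    """Problems for one RoleBinding, given existing project names and already-applied bindings."""
    spec, problems = obj.get("spec", {}), []
    name, role, project = obj.get("metadata", {}).get("name", ""), spec.get("roleRef", ""), spec.get("projectRef")
    if not RFC1123_LABEL.match(name):
        problems.append(f"metadata.name {name!r} is not a valid RFC 1123 label")
    if sum(k in spec for k in ("user", "groupRef")) != 1:  # exactly one subject per binding
        problems.append("spec must set exactly one of 'user' or 'groupRef'")
    if role in PROJECT_ROLES:                              # project roles need an existing project
        if project is None:
            problems.append(f"project role {role!r} requires spec.projectRef")
        elif project not in projects:
            problems.append(f"Project {project} not found")
    elif role in ORGANIZATION_ROLES:                       # organization roles leave projectRef empty
        if project is not None:
            problems.append(f"organization role {role!r} must not set spec.projectRef")
    else:
        problems.append(f"roleRef {role!r} is not a known role name")
    for other in applied:  # same subject, role and project as a binding that already exists
        if all(other["spec"].get(k) == spec.get(k) for k in ("user", "groupRef", "roleRef", "projectRef")):
            problems.append(f"Another RoleBinding ({other['metadata']['name']}) already exists")
    return problems


def lint_file(text, known_projects=()):
    """Lint a multi-document file; Project objects earlier in the file count as existing projects."""
    projects, applied, report = set(known_projects), [], {}
    for obj in load_objects(text):
        if obj.get("kind") == "Project":
            projects.add(obj["metadata"]["name"])
            continue
        problems = check_role_binding(obj, projects, applied)
        report[obj.get("metadata", {}).get("name", "<unnamed>")] = problems
        if not problems:
            applied.append(obj)
    return report


# Constructed sample modelled on this page's YAML; the user ID and group name are placeholders.
SAMPLE = """\
- apiVersion: n9/v1alpha
  kind: Project
  metadata:
    name: orders-and-shipping-project
  spec:
    description: "Constructed sample project"
---
- apiVersion: n9/v1alpha
  kind: RoleBinding
  metadata:
    name: orders-and-shipping-project-editor
  spec:
    user: XXXXXXXXXXXXXXXXXXXX
    roleRef: project-editor
    projectRef: orders-and-shipping-project
---
- apiVersion: n9/v1alpha
  kind: RoleBinding
  metadata:
    name: Bad_Org_Binding
  spec:
    groupRef: group-XXXXXXXXXXXX
    roleRef: organization-admin
    projectRef: default
"""
```

Running lint_file(SAMPLE) passes the first binding, because the Project object in the same file satisfies its projectRef, and flags the second one twice: the name is not a valid RFC 1123 label, and an organization role must not carry a projectRef. The duplicate check mirrors the "Another RoleBinding already exists" error by comparing subject, role and project against bindings that are already applied, which is why lint_file only records bindings that passed.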