Get Started with RBAC
This RBAC guide is applicable only to IDP 2.0 customers, as the RBAC and project/org hierarchy is available exclusively in IDP 2.0.
- To learn how to upgrade, refer to the IDP 2.0 Upgrade Guide.
- If you're using IDP 1.0 and want to implement access control, please refer to the Access Control Guide for IDP 1.0.
RBAC in IDP 2.0
Harness IDP 2.0 introduces granular RBAC across various IDP resources such as Catalog and Workflows. This means you now have precise control over who can view or edit your IDP resources. RBAC enables administrators to define what actions users can perform on specific resources, with scope-aware permissions aligned with Harness Projects, Organizations, and Accounts.
Harness IDP leverages the platform hierarchy and applies the same access control model as Platform RBAC. To learn more, visit the RBAC in Harness documentation.
Prerequisites
If you're using Harness IDP 2.0, please ensure you have reviewed the IDP 2.0 Overview guide and are familiar with the key steps for upgrading to IDP 2.0. To enable IDP 2.0, you must raise a support ticket to activate the IDP_2_0 feature flag for your account.
Before configuring RBAC in Harness IDP:
- You must be an Admin at the Account, Organization, or Project scope.
- For newly created accounts, contact Harness Support to provision the first admin.
If you're not an admin, you may still configure certain RBAC settings if you have the required granular permissions:
Feature | Required Permissions |
---|---|
Users | View, Manage, Invite |
User Groups | View, Manage |
Resource Groups | View, Create/Edit, Delete |
Roles | View, Create/Edit, Delete |
Also, ensure you understand the following concepts:
- Scopes, Roles & Permissions
- Key Concepts of Harness Platform Hierarchy
- Harness IDP RBAC Components
- Catalog RBAC & Workflow RBAC Principles
RBAC Configuration Workflow
To configure RBAC in Harness IDP, follow these steps:
- Go to Account, Organization, or Project Settings where you want to apply RBAC.
- Create roles with desired permissions.
- (Optional) Create resource groups to control access over specific resources.
- Create user groups and add users.
- Assign roles and resource groups to users or user groups.
- (Optional) Configure authentication, if not already done.
Permissions & Resource Scopes
IDP 2.0 resources can be created at any scope—Account, Organization, or Project—and access is determined by the RBAC permissions configured at each level. You can use predefined roles or create custom roles, and organize permissions using resource groups. These follow the same model as the broader Harness RBAC framework.
Resource | Permissions | Account Scope | Org Scope | Project Scope | Notes |
---|---|---|---|---|---|
Catalog | View, Create/Edit, Delete | ✅ | ✅ | ✅ | Core entities like Component, API, Resource can be managed at all scopes. |
Workflows | View, Create/Edit, Delete, Execute | ✅ | ✅ | ✅ | Workflows can be created and executed at all scopes. |
Scorecards | View, Create/Edit, Delete | ✅ | ❌ | ❌ | Currently supported only at Account scope. |
Layouts | View, Create/Edit | ✅ | Partial | Partial | Workflow Groups are supported at the Project and Org scopes. Other Layout functions are currently only supported at the Account scope. |
Plugins | View, Create/Edit, Toggle, Delete | ✅ | ❌ | ❌ | Only supported at the Account scope. |
Configure RBAC for Account-Level Catalog Entity Creation
This example shows how to configure RBAC to allow full control over Catalog entity creation and modification at the Account scope (including all child resources).
In this example, we use:
- A custom role: IDP Catalog Create
- (Optional) A custom resource group: All Catalog Create Resources
- (Optional) A custom user group: Catalog Create Users
The All Catalog Create Resources group exists at the Account scope and provides Create/Edit access to all Catalog entities across the account, including all organizations and projects. The IDP Catalog Create role includes the Create/Edit permission for Catalog resources.
You can access Administrative Settings directly from the side navigation bar in the Harness UI.
Step 1: Create the IDP Catalog Create Role
- In Harness, go to Account Settings → Roles under the Access Control section.
- Click New Role to create a new role.
- Name the role IDP Catalog Create. (Optional: Add a description and tags.)
- Click Save.
- Under Permissions → Developer Portal, select:
- Catalog → Create/Edit
- Click Apply Changes.
Learn more about roles: Manage roles | Permissions reference
(Optional) Step 2: Create a custom Resource Group
- In Harness, go to Account Settings → Resource Groups under Access Control.
- Click New Resource Group.
- Name the group All Catalog Create Resources. (Optional: Select a color, description, and tags.)
- Click Save.
- For Resource Scope, choose All (including all Organizations and Projects). This grants access to the selected resources across the account, including all orgs and projects. More on Resource Scopes
- For Resources, select Specified, and then add Catalog from the table.
- Click Save.
Learn more: Manage resource groups
(Optional) Step 3: Create the "Catalog Create Users" User Group
- In Harness, go to Account Settings → User Groups under Access Control.
- Click New User Group.
- Name the group Catalog Create Users. (Optional: Add a description and tags.)
- Under Add Users, select the users to include in this group.
- Click Save.
Learn more: Manage user groups | Manage users
Step 4: Assign the Role and Resource Group to the User Group
- In Harness, go to Account Settings → User Groups.
- Find the Catalog Create Users group and click Manage Roles.
- Under Role Bindings, click Add.
- For Role, select IDP Catalog Create.
- For Resource Group, select All Catalog Create Resources.
- Click Apply.
Learn more: Role binding
This setup configures RBAC so that users in the Catalog Create Users group have Create/Edit access to Catalog entities at the Account scope, as well as within all Organizations and Projects under the account.
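To make the scope-aware evaluation concrete, the following is an added example (not Harness code, and not how the platform is implemented internally) that models the pieces this guide walks through: the resource scope table, a role carrying permissions, a resource group whose scope is "All (including all Organizations and Projects)" versus one pinned to a single project, a user group, and a role binding. The `is_allowed` check, the scope tuples, the `alice`/`bob`/`carol` users and the `IDP Catalog Admin` role are assumptions made for the example; the role, resource group and user group names match the ones used above.

```python
"""Illustrative model of Harness IDP 2.0 scope-aware RBAC (added example, not product code)."""
from __future__ import annotations

from dataclasses import dataclass

# A scope is a path from the account down: ("acct",), ("acct", "org1"), ("acct", "org1", "proj1").
Scope = tuple[str, ...]

# Scope levels (1=Account, 2=Org, 3=Project) at which each resource type can exist,
# taken from the Permissions & Resource Scopes table. Layouts ("Partial") is left out.
SUPPORTED_SCOPE_LEVELS: dict[str, set[int]] = {
    "Catalog": {1, 2, 3},
    "Workflows": {1, 2, 3},
    "Scorecards": {1},
    "Plugins": {1},
}


def supported_at(resource_type: str, scope: Scope) -> bool:
    """True if the resource type can be created at the given scope level."""
    return len(scope) in SUPPORTED_SCOPE_LEVELS.get(resource_type, set())


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset[tuple[str, str]]  # (resource type, permission), e.g. ("Catalog", "Create/Edit")


@dataclass(frozen=True)
class ResourceGroup:
    name: str
    scope: Scope                      # scope the group is defined at
    include_child_scopes: bool        # "All (including all Organizations and Projects)"
    resource_types: frozenset[str] | None  # None means all resource types

    def covers(self, resource_type: str, resource_scope: Scope) -> bool:
        if self.resource_types is not None and resource_type not in self.resource_types:
            return False
        if resource_scope == self.scope:
            return True
        # A child scope is one whose path starts with this group's scope path.
        return self.include_child_scopes and resource_scope[: len(self.scope)] == self.scope


@dataclass(frozen=True)
class RoleBinding:
    principal: str       # a user or a user group name
    role: Role
    resource_group: ResourceGroup


@dataclass
class Account:
    user_groups: dict[str, set[str]]
    bindings: list[RoleBinding]

    def principals_for(self, user: str) -> set[str]:
        return {user} | {g for g, members in self.user_groups.items() if user in members}

    def is_allowed(self, user: str, permission: str, resource_type: str, scope: Scope) -> bool:
        """Deny by default; allow only if some binding grants the permission
        through a role AND its resource group covers the resource at that scope."""
        if not supported_at(resource_type, scope):
            return False
        principals = self.principals_for(user)
        return any(
            b.principal in principals
            and (resource_type, permission) in b.role.permissions
            and b.resource_group.covers(resource_type, scope)
            for b in self.bindings
        )


def build_example_account() -> Account:
    """Reproduces the guide's setup plus one project-pinned binding (assumed) for contrast."""
    catalog_create = Role("IDP Catalog Create", frozenset({("Catalog", "Create/Edit")}))
    all_catalog_create = ResourceGroup(
        "All Catalog Create Resources", ("acct",), True, frozenset({"Catalog"})
    )
    # Assumed extra binding: full Catalog control, but only inside org1/proj1.
    catalog_admin = Role(
        "IDP Catalog Admin",
        frozenset({("Catalog", "View"), ("Catalog", "Create/Edit"), ("Catalog", "Delete")}),
    )
    proj1_catalog = ResourceGroup(
        "Proj1 Catalog Resources", ("acct", "org1", "proj1"), False, frozenset({"Catalog"})
    )
    return Account(
        user_groups={"Catalog Create Users": {"alice"}},
        bindings=[
            RoleBinding("Catalog Create Users", catalog_create, all_catalog_create),
            RoleBinding("carol", catalog_admin, proj1_catalog),
        ],
    )


if __name__ == "__main__":
    acct = build_example_account()
    print(acct.is_allowed("alice", "Create/Edit", "Catalog", ("acct", "org1", "proj1")))  # True
    print(acct.is_allowed("alice", "Delete", "Catalog", ("acct",)))                       # False
    print(acct.is_allowed("carol", "Delete", "Catalog", ("acct", "org1")))               # False
```

Two points the model makes visible: the role decides *what* actions are granted and the resource group decides *where*, and both must match for an allow, so a broad resource group paired with a narrow role (the guide's setup) still cannot delete, while a full-control role pinned to one project cannot reach the parent org or a sibling project.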