Authorization
Listing Permissions
Permissions in Lens AppIQ work in a hierarchical model and are typically represented using a dot notation. Granting access to a top-level permission implies access to all permissions below it.
lapps permission list [-t/--tree]
The command above lists all permissions available for use when defining roles.
Flags:
Flag | Description |
---|---|
-t, --tree | (= false) Show permissions in tree format. |
Creating Roles
It is not possible to assign permissions to users directly. You first have to create a role, including the desired permissions, then assign this role with a context value to one or more users.
lapps role add <role-name> <context-type> [--description/-d description]
The command above creates a new role for the specified context type. Valid context types are:
- organization
- app
- team
- framework
Context Explanation
Suppose a user has the app.deploy permission for the team named myteam. This means the user can only deploy applications to which myteam has access. In the same way, it is possible to assign the same app.deploy permission to a user with the context app for one application named myappname. This means the user can deploy that specific application, myappname.
Global or Organization Context
The global or organization context is a special case. It gives users permission to perform all actions on Lens AppIQ.
In the previous scenario, if a user has the app.deploy permission with a global or organization context, the user can deploy any application.
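The context rules above, modelled as an added example for reviewing role assignments (this is not Lens AppIQ code). The Grant structure, the function names, the top-level permission app, and the sample data are assumptions; the framework context is left out because the page does not describe how it is resolved.

```python
from dataclasses import dataclass

# Illustrative model only: names and structures here are assumptions, not Lens AppIQ code.
GLOBAL_CONTEXTS = {"global", "organization"}

@dataclass(frozen=True)
class Grant:
    permission: str          # dot-notation name held by the role, e.g. "app.deploy"
    context_type: str        # "organization", "team" or "app"
    context_value: str = ""  # team or app name; empty for global/organization

def implies(granted: str, requested: str) -> bool:
    """A permission covers itself and everything below it in the dot hierarchy."""
    return requested == granted or requested.startswith(granted + ".")

def is_allowed(grants, requested, app, app_teams):
    """Return True if any grant covers `requested` on `app`.
    `app_teams` is the set of team names that have access to `app`."""
    for g in grants:
        if not implies(g.permission, requested):
            continue
        if g.context_type in GLOBAL_CONTEXTS:
            return True   # applies to every application
        if g.context_type == "app" and g.context_value == app:
            return True   # applies to this one application
        if g.context_type == "team" and g.context_value in app_teams:
            return True   # applies to applications the team can access
    return False

def broad_grants(grants):
    """Audit helper: grants that apply to every application."""
    return [g for g in grants if g.context_type in GLOBAL_CONTEXTS]

# Constructed sample data (not taken from a real installation).
TEAM_DEPLOYER = [Grant("app.deploy", "team", "myteam")]
APP_DEPLOYER = [Grant("app.deploy", "app", "myappname")]
ORG_APP_ADMIN = [Grant("app", "organization")]

if __name__ == "__main__":
    print(is_allowed(TEAM_DEPLOYER, "app.deploy", "myappname", {"myteam"}))
    print(is_allowed(APP_DEPLOYER, "app.deploy", "otherapp", {"myteam"}))
    print(is_allowed(ORG_APP_ADMIN, "app.deploy", "anyapp", set()))
    print(broad_grants(TEAM_DEPLOYER + ORG_APP_ADMIN))
```

The prefix match is done on dot boundaries, so a grant on app does not cover an unrelated name that merely starts with the same letters.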
The --description parameter sets a description for the role. It is optional; if it is not set, the role will simply have no description.
Flags:
Flag | Description |
---|---|
-d, --description | (= "") Role description |
Updating Roles
lapps role update <role> [-d/--description <description>] [-c/--context <context type>] [-n/--name <role new name>]
The command above updates a role's description, context type, or name.
Flags:
Flag | Description |
---|---|
-c, --context | (= "") Updates the context type of a role |
-d, --description | (= "") Updates a role description |
-n, --name | (= "") Updates the name of a role |
Removing Roles
lapps role remove <role-name> [-y/--assume-yes]
The command above removes an existing role.
Flags:
Flag | Description |
---|---|
-y, --assume-yes | (= false) Don't ask for confirmation. |
Listing Created Roles
The command below lists all existing roles.
lapps role list
Role Information
Through the command below, users can retrieve information about a specific role.
lapps role info <role-name>
Adding Role Permission
Permission Hierarchy
Permissions in Lens AppIQ work in a hierarchical model and are typically represented using a dot notation. Granting access to a top-level permission implies access to all permissions below it.
When adding new permissions to an existing role, users should execute the following command:
lapps role permission add <role-name> <permission-name>
Removing Role Permission
lapps role permission remove <role-name> <permission-name>
Removes permissions from an existing role.
Assigning User to Role
The command below assigns an existing role to a user or token with some context value.
lapps role assign <role-name> <user-email>|<token-id> [<context-value>]
Removing Roles from Users
lapps role dissociate <role-name> <user-email>|<token-id> [<context-value>]
Dissociates an existing role from a user or token for some context value.
Listing Default Roles
lapps role default list
Lists all roles set as default on any event.
Adding Default Roles
It is possible to have default roles applied to a user when some event happens on Lens AppIQ, such as user create and team create.
- To list all possible events, use the role default list command.
- To include a new role in an event, use the role default add command.
- To remove a role from an event, use the role default remove command.
Once these roles are created, they can be added as defaults on the appropriate event.
lapps role default add [--user-create <role name>]... [--team-create <role name>]
Adds a new default role on a specific event.
Flags:
Flag | Description |
---|---|
--team-create | (= []) role added to the user when a new team is created |
--user-create | (= []) role added to the user when a user is created |
Removing Default Roles
lapps role default remove [--user-create <role name>]... [--team-create <role name>]
Removes a default role from a specific event.
Flags:
Flag | Description |
---|---|
--team-create | (= []) role added to the user when a new team is created |
--user-create | (= []) role added to the user when a user is created |
Creating Additional Super Admins - Lens AppIQ Self-Managed
For self-managed (e.g., on-prem) installations, it is good practice to have more than one installation-level admin user, so that if one admin is unavailable, another admin can still manage the installation.
From an admin account, grant the AllowAll role to another account.
lapps role assign AllowAll <user-email>