github.com/argoproj/argo-cd@v1.8.7/docs/operator-manual/rbac.md

# RBAC Configuration

The RBAC feature enables restriction of access to Argo CD resources. Argo CD does not have its own
user management system and has only one built-in user `admin`. The `admin` user is a superuser and
it has unrestricted access to the system. RBAC requires [SSO configuration](user-management/index.md) or [one or more local users setup](user-management/index.md).
Once SSO or local users are configured, additional RBAC roles can be defined, and SSO groups or local users can be mapped to roles.

## Basic Built-in Roles

Argo CD has two pre-defined roles, but the RBAC configuration allows defining further roles and groups (see below).

* `role:readonly` - read-only access to all resources
* `role:admin` - unrestricted access to all resources

These default built-in role definitions can be seen in [builtin-policy.csv](https://github.com/argoproj/argo-cd/blob/master/assets/builtin-policy.csv)

### RBAC Permission Structure

Breaking down the permissions definition differs slightly between applications and every other resource type in Argo CD.

* All resources *except* applications permissions (see next bullet):

  `p, <role/user/group>, <resource>, <action>, <object>`

* Applications (which belong to an AppProject):

  `p, <role/user/group>, <resource>, <action>, <appproject>/<object>`

Each `p` line ends with an effect field; the examples below use `allow`. A `g` line maps a user or SSO group to a role: `g, <user/group>, <role>`.

### RBAC Resources and Actions

Resources: `clusters`, `projects`, `applications`, `repositories`, `certificates`, `accounts`, `gpgkeys`

Actions: `get`, `create`, `update`, `delete`, `sync`, `override`, `action`

## Tying It All Together

Additional roles and groups can be configured in the `argocd-rbac-cm` ConfigMap. The example below
configures a custom role, named `org-admin`. The role is assigned to any user which belongs to the
`your-github-org:your-team` group. All other users get the default policy of `role:readonly`,
which cannot modify Argo CD settings.

*ArgoCD ConfigMap `argocd-rbac-cm` Example:*

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, role:org-admin, applications, *, */*, allow
    p, role:org-admin, clusters, get, *, allow
    p, role:org-admin, repositories, get, *, allow
    p, role:org-admin, repositories, create, *, allow
    p, role:org-admin, repositories, update, *, allow
    p, role:org-admin, repositories, delete, *, allow

    g, your-github-org:your-team, role:org-admin
```

----

Another `policy.csv` example might look as follows:

```csv
p, role:staging-db-admins, applications, create, staging-db-admins/*, allow
p, role:staging-db-admins, applications, delete, staging-db-admins/*, allow
p, role:staging-db-admins, applications, get, staging-db-admins/*, allow
p, role:staging-db-admins, applications, override, staging-db-admins/*, allow
p, role:staging-db-admins, applications, sync, staging-db-admins/*, allow
p, role:staging-db-admins, applications, update, staging-db-admins/*, allow
p, role:staging-db-admins, projects, get, staging-db-admins, allow
g, db-admins, role:staging-db-admins
```

This example defines a *role* called `staging-db-admins` with *seven permissions* that allow that role to perform the *actions* (`create`/`delete`/`get`/`override`/`sync`/`update` applications, and `get` appprojects) against `*` (all) objects in the `staging-db-admins` Argo CD AppProject. Because the application object is written as `<appproject>/<object>`, the same group gets nothing on applications in any other project: `prod/*` does not match `staging-db-admins/*`.

## Anonymous Access

Anonymous access to Argo CD can be enabled using the `users.anonymous.enabled` field in `argocd-cm` (see [argocd-cm.yaml](argocd-cm.yaml)).
Anonymous users get the default role permissions specified by `policy.default` in `argocd-rbac-cm`. For read-only access you'll want `policy.default: role:readonly`, as above. Keep in mind that `role:readonly` exposes every application, its rendered manifests and the cluster and repository lists to whoever holds that role, so only combine it with anonymous access on an instance where that is acceptable; an empty `policy.default` leaves users matched by no policy or group with no access at all.
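To check what a given `policy.csv` actually grants before applying it, the following added example evaluates requests offline against the two policies on this page plus a constructed stand-in for the read-only role. It is not Argo CD's code: the glob matching (`fnmatchcase`, where `*` also crosses `/`), the "some rule allows and no rule denies" effect, and the order in which `policy.default`, the user and each group are tried are assumptions modelled on Argo CD's Casbin setup, and `BUILTIN_POLICY` is a shortened approximation of `builtin-policy.csv`, not the real file.

```python
"""Offline evaluator for Argo CD-style policy.csv rules (added example, not Argo CD code)."""
from fnmatch import fnmatchcase

# Constructed stand-in for assets/builtin-policy.csv: only the read-only role,
# and only the resources this page lists. Not the real file.
BUILTIN_POLICY = """
p, role:readonly, applications, get, */*, allow
p, role:readonly, certificates, get, *, allow
p, role:readonly, clusters, get, *, allow
p, role:readonly, repositories, get, *, allow
p, role:readonly, projects, get, *, allow
p, role:readonly, accounts, get, *, allow
p, role:readonly, gpgkeys, get, *, allow
"""

# The two policy.csv examples from this page, joined into one constructed input.
USER_POLICY = """
p, role:org-admin, applications, *, */*, allow
p, role:org-admin, clusters, get, *, allow
p, role:org-admin, repositories, get, *, allow
p, role:org-admin, repositories, create, *, allow
p, role:org-admin, repositories, update, *, allow
p, role:org-admin, repositories, delete, *, allow
g, your-github-org:your-team, role:org-admin

p, role:staging-db-admins, applications, create, staging-db-admins/*, allow
p, role:staging-db-admins, applications, delete, staging-db-admins/*, allow
p, role:staging-db-admins, applications, get, staging-db-admins/*, allow
p, role:staging-db-admins, applications, override, staging-db-admins/*, allow
p, role:staging-db-admins, applications, sync, staging-db-admins/*, allow
p, role:staging-db-admins, applications, update, staging-db-admins/*, allow
p, role:staging-db-admins, projects, get, staging-db-admins, allow
g, db-admins, role:staging-db-admins
"""


def parse_policy(text):
    """Split policy.csv into p-rules (sub, res, act, obj, eft) and g-grants {member: {role}}."""
    rules, grants = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # tolerate trailing comments, skip blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6 and fields[5] in ("allow", "deny"):
            rules.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            grants.setdefault(fields[1], set()).add(fields[2])
        else:
            raise ValueError(f"malformed policy line: {raw!r}")
    return rules, grants


def expand_subject(subject, grants):
    """Transitive closure over g-lines: the subject plus every role it inherits."""
    seen, todo = set(), [subject]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(grants.get(s, ()))
    return seen


def enforce_subject(rules, grants, subject, resource, action, obj):
    """Assumed Casbin-style effect: some matching rule allows and no matching rule denies."""
    subjects = expand_subject(subject, grants)
    allowed = denied = False
    for p_sub, p_res, p_act, p_obj, eft in rules:
        if (p_sub in subjects and fnmatchcase(resource, p_res)
                and fnmatchcase(action, p_act) and fnmatchcase(obj, p_obj)):
            allowed |= eft == "allow"
            denied |= eft == "deny"
    return allowed and not denied


class Enforcer:
    def __init__(self, policy_csv, default_role="role:readonly"):
        self.rules, self.grants = parse_policy(BUILTIN_POLICY + policy_csv)
        self.default_role = default_role

    def can(self, user, groups, resource, action, obj):
        """policy.default, then the user, then each group is tried on its own (assumed order)."""
        candidates = ([self.default_role] if self.default_role else []) + [user, *groups]
        return any(enforce_subject(self.rules, self.grants, s, resource, action, obj)
                   for s in candidates)


if __name__ == "__main__":
    enf = Enforcer(USER_POLICY)
    checks = [  # (user, SSO groups, resource, action, object) - constructed requests
        ("alice", ["your-github-org:your-team"], "applications", "sync", "default/guestbook"),
        ("alice", ["your-github-org:your-team"], "clusters", "delete", "https://kubernetes.default.svc"),
        ("bob", [], "applications", "get", "default/guestbook"),
        ("bob", [], "applications", "sync", "default/guestbook"),
        ("carol", ["db-admins"], "applications", "sync", "staging-db-admins/db"),
        ("carol", ["db-admins"], "applications", "sync", "prod/db"),
    ]
    for user, groups, res, act, obj in checks:
        verdict = "allow" if enf.can(user, groups, res, act, obj) else "deny"
        print(f"{user:6} {res:13} {act:7} {obj:35} -> {verdict}")
```

Running the script shows the two points the page makes: `bob`, who belongs to no mapped group, can `get` but not `sync` an application purely because of `policy.default: role:readonly`, and `db-admins` can sync `staging-db-admins/db` but not `prod/db` because the `<appproject>/<object>` field confines the role to one project. Passing `default_role=""` to `Enforcer` shows what happens when `policy.default` is unset: unmapped users lose even read access.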