The Application Manager component provides granular access rights, allowing users to perform various actions depending on their assigned roles and the configured scopes.

These access rights are also used by to the runtime-manager microservice.

In order for users to view resources within the Application Manager, they must have, in addition to the appropriate role_apps_manage_<scope> role, at least read access on each resource.

Available access scopes

  1. manage-applications

    • Scopes:
      • read
        • Roles:
          • ROLE_APPS_MANAGE_READ
          • ROLE_APPS_MANAGE_IMPORT
          • ROLE_APPS_MANAGE_EDIT
          • ROLE_APPS_MANAGE_ADMIN
      • edit
        • Roles:
          • ROLE_APPS_MANAGE_EDIT
          • ROLE_APPS_MANAGE_ADMIN
      • import
        • Roles:
          • ROLE_APPS_MANAGE_IMPORT
          • ROLE_APPS_MANAGE_EDIT
          • ROLE_APPS_MANAGE_ADMIN
      • admin
        • Roles:
          • ROLE_APPS_MANAGE_ADMIN

  2. manage-app-dependencies

    • Scopes:
      • read
        • Roles:
          • ROLE_APP_DEPENDENCIES_MANAGE_READ
          • ROLE_APP_DEPENDENCIES_MANAGE_EDIT
          • ROLE_APP_DEPENDENCIES_MANAGE_ADMIN
      • edit
        • Roles:
          • ROLE_APP_DEPENDENCIES_MANAGE_EDIT
          • ROLE_APP_DEPENDENCIES_MANAGE_ADMIN
      • admin
        • Roles:
          • ROLE_APP_DEPENDENCIES_MANAGE_ADMIN

  3. manage-builds

    • Scopes:
      • read
        • Roles:
          • ROLE_BUILDS_MANAGE_READ
          • ROLE_BUILDS_MANAGE_EDIT
          • ROLE_BUILDS_MANAGE_IMPORT
          • ROLE_BUILDS_MANAGE_ADMIN
      • edit
        • Roles:
          • ROLE_BUILDS_MANAGE_EDIT
          • ROLE_BUILDS_MANAGE_ADMIN
      • import
        • Roles:
          • ROLE_BUILDS_MANAGE_IMPORT
          • ROLE_BUILDS_MANAGE_EDIT
          • ROLE_BUILDS_MANAGE_ADMIN
      • admin
        • Roles:
          • ROLE_BUILDS_MANAGE_ADMIN

  4. manage-active-policy

    • Scopes:
      • read
        • Roles:
          • ROLE_ACTIVE_POLICY_MANAGE_READ
          • ROLE_ACTIVE_POLICY_MANAGE_EDIT
      • edit
        • Roles:
          • ROLE_ACTIVE_POLICY_MANAGE_EDIT

  5. manage-app-configs

    • Scopes:
      • read
        • Roles:
          • ROLE_APP_CONFIG_MANAGE_READ
          • ROLE_APP_CONFIG_MANAGE_IMPORT
          • ROLE_APP_CONFIG_MANAGE_EDIT
          • ROLE_APP_CONFIG_MANAGE_ADMIN
      • edit
        • Roles:
          • ROLE_APP_CONFIG_MANAGE_EDIT
          • ROLE_APP_CONFIG_MANAGE_ADMIN
      • import
        • Roles:
          • ROLE_APP_CONFIG_MANAGE_IMPORT
          • ROLE_APP_CONFIG_MANAGE_EDIT
          • ROLE_APP_CONFIG_MANAGE_ADMIN
      • admin
        • Roles:
          • ROLE_APP_CONFIG_MANAGE_ADMIN

  6. manage-app-configs-overrides

    • Scopes:
      • read
        • Roles:
          • ROLE_APP_CONFIG_OVERRIDES_MANAGE_READ
          • ROLE_APP_CONFIG_OVERRIDES_MANAGE_IMPORT
          • ROLE_APP_CONFIG_OVERRIDES_MANAGE_EDIT
          • ROLE_APP_CONFIG_OVERRIDES_MANAGE_ADMIN
      • import
        • Roles:
          • ROLE_APP_CONFIG_OVERRIDES_MANAGE_IMPORT
          • ROLE_APP_CONFIG_OVERRIDES_MANAGE_EDIT
          • ROLE_APP_CONFIG_OVERRIDES_MANAGE_ADMIN
      • edit
        • Roles:
          • ROLE_APP_CONFIG_OVERRIDES_MANAGE_EDIT
          • ROLE_APP_CONFIG_OVERRIDES_MANAGE_ADMIN
      • admin
        • Roles:
          • ROLE_APP_CONFIG_OVERRIDES_MANAGE_ADMIN

Permissions explained

Configuring access

To define or adjust access for these roles, use the following format in your environment variables:

SECURITY_ACCESSAUTHORIZATIONS_<AUTHORIZATIONNAME>_SCOPES_<SCOPENAME>_ROLESALLOWED: NEEDED_ROLE_NAMES

Roles must be defined in your identity provider (e.g., Keycloak, RH-SSO, Entra or any compatible provider).

Custom roles can be configured as needed, and multiple roles can be assigned to each scope.