Owner Based Access Control
Understanding the Roles and Access Controls for Entities within OBAC.
Owner-Based Access Control is an access control model where the ability to modify and delete an entity is restricted to its owners, Team Owners, and the Account Owner.
It is an alternative to the Role Based Access Control (RBAC) model, and it offers a robust framework that reduces the scope for human error by restricting the ability to modify and delete entities to just their owners.
Note:
This feature is available to select accounts only. You can reach out to our Support Team to have it enabled for your account.
Important:
This section applies exclusively to organizations with Owner Based Access Control enabled. There are no changes for other organizations that have opted for Role Based Access Control.
Note:
Users can refer to this document to learn how they can migrate from Role-Based Access Control (RBAC) to Owner-Based Access Control (OBAC) in Terraform: Migrating from RBAC to OBAC with Terraform.
Managing Teams
User Roles
With Owner-Based Access Control, there are three different types of roles in a Team: Team Owner, Team Member, and Stakeholder.
Each role determines which actions a user can take in the team.
Team Owner
In a team:
Team Owners can manage the team, including adding/removing members, changing team members' roles, and deleting the team.
Team Owners can modify or delete any team entity, regardless of ownership.
Only Team Owners can create, modify, and delete Stakeholder Groups for the team.
Both Team Owners and Team Members can create entities and squads.
Note: Teams can have multiple Team Owners.
Team Member
In a team:
Team Members can create entities and squads.
Stakeholder
In a team:
Stakeholders have read-only access to all team entities.
Managing Squads
User Roles
With Owner-Based Access Control, there are three different types of roles in a Squad:
Each role determines which actions a user can take in the squad.
Squad Owner
In a squad:
Squad Owners can manage the squad, including adding/removing members, changing squad members' roles, and deleting the squad.
Squad Owners are the only ones who can transfer ownership of an entity owned by the squad to another user or squad.
Important:
User permissions to create entities and squads are based on their team role, not their squad role. Both team members and team owners can create entities and squads.
Team Owners have authority over all squads in a team, even if they are not explicitly part of those squads.
Stakeholders are not part of any squads.
Squad Member
In a squad:
Squad Members can view and edit the entities within a squad.
Access Control for Entities
Action | Who can perform this action |
---|---|
View Entities | All users have access to view the entities associated with their team. |
Create Entities | All members of a team (except stakeholders) can create entities. |
Modify Entities | Note: Team Owners and the Account Owner have access to modify all entities within the team. |
Change Entity Owner | Note: Team Owners and the Account Owner have access to change the owner of any entity within the team. |
Delete Entities | Note: Team Owners and the Account Owner have access to delete all entities within the team. |
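The rules in the table and the role sections above can be read as a single deny-by-default check. The sketch below is an added example, not the product's own code: the User and Entity classes, the action names and the sample data are hypothetical. Two points the page does not spell out are treated as assumptions and marked in the comments: the owning user may transfer a user-owned entity, and any role in the owning squad may modify or delete a squad-owned entity.

```python
from dataclasses import dataclass, field
from typing import Optional

ACTIONS = {"view", "create", "modify", "delete", "change_owner"}

@dataclass(frozen=True)
class Entity:
    team: str
    owner_user: Optional[str] = None   # set when a single user owns the entity
    owner_squad: Optional[str] = None  # set when a squad owns the entity

@dataclass
class User:
    name: str
    account_owner: bool = False
    team_roles: dict = field(default_factory=dict)   # team -> owner|member|stakeholder
    squad_roles: dict = field(default_factory=dict)  # squad -> owner|member

def is_allowed(user: User, action: str, entity: Entity) -> bool:
    """Deny-by-default OBAC decision for one user, action and entity."""
    if action not in ACTIONS:
        return False
    if user.account_owner:
        return True  # Account Owner: modify, delete, re-own anything (view/create assumed)
    team_role = user.team_roles.get(entity.team)
    if team_role is None:
        return False  # no role in the entity's team
    if action == "view":
        return True  # every team role, Stakeholder included, can view
    if team_role == "stakeholder":
        return False  # read-only
    if action == "create" or team_role == "owner":
        return True  # members and owners create; Team Owners act on any entity
    # Team Member from here on: ownership decides.
    squad_role = user.squad_roles.get(entity.owner_squad) if entity.owner_squad else None
    if action == "change_owner":
        # Squad-owned: Squad Owners only. User-owned: the owning user (assumption).
        return squad_role == "owner" or entity.owner_user == user.name
    # modify/delete: the owning user, or any role in the owning squad (assumption).
    return entity.owner_user == user.name or squad_role is not None

# Constructed sample data.
alice = User("alice", team_roles={"payments": "owner"})
bob = User("bob", team_roles={"payments": "member"}, squad_roles={"api": "owner"})
carol = User("carol", team_roles={"payments": "member"}, squad_roles={"api": "member"})
dave = User("dave", team_roles={"payments": "stakeholder"})
squad_entity = Entity(team="payments", owner_squad="api")
bob_entity = Entity(team="payments", owner_user="bob")
```

Note that alice holds no squad role yet passes every check on squad_entity, which matches the statement that Team Owners have authority over all squads in a team.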