Merge pull request #1737 from rundeck/ACL-Revamp

ACL Revamp and Fixes

Author: fdevans

docs/administration/security/authorization.md

@@ -3,12 +3,24 @@ title: "Group/API Key Create User API Key"
 order: 600
 ---
 
-# Group/API Key Create User API Ke
+# Group/API Key Create User API Key
 
 ## Use Case Description
 Users who don't have admin access may not have the ability to create API tokens.  To create tokens for yourself, add this snippet to your ACL policies for and appropriate group.
 Assign members of a specific Rundeck Group access to create API keys associated with their username.
 
+## What This User CAN Do
+- Generate API tokens for themselves (User Tokens)
+- Create tokens with their own username and authorization roles
+
+## What This User CANNOT Do
+- Generate Service Tokens with different usernames
+- Generate tokens with elevated permissions beyond their own roles
+- View or manage other users' API tokens
+- Access admin-level API token management
+
+**Note**: This policy should be combined with appropriate project and resource access policies. This alone only grants the ability to create tokens, not access to any projects or resources.
+
 ## Code Description
 Find and replace these values with your own.
 - Group: `grp-api-access`

docs/learning/howto/acls/group-apikey.md

@@ -9,6 +9,24 @@ order: 400
 
 Assign a specific Rundeck Group access to only run jobs in a specific Job Group (folder), in a specified project.  It will allow running jobs against all nodes in the project.
 
+## What This User CAN Do
+- View jobs in the specified job group (folder)
+- Run jobs in the specified job group
+- View execution history for jobs in the group
+- View all nodes in the project
+- Run jobs on all nodes
+- Read project-specific key storage entries
+
+## What This User CANNOT Do
+- View or run jobs outside the specified job group
+- Create, modify, or delete any jobs
+- Run ad-hoc commands
+- Create, update, or delete nodes
+- Configure project settings
+- Manage project ACLs
+- Create or modify key storage entries
+- Manage webhooks
+
 ## Code Description
 Find and replace these values with your own.
 - Project Unique ID: `prj-sandbox`
@@ -26,10 +44,13 @@ context:
 for:
   resource:
     - allow: [run,read]
+    - equals:
+        kind: event
+      allow: [read]
   job:
     - equals:
         group: jgrp-sandbox
-      allow: [run,read]
+      allow: [run,read,view,view_history]
   node:
     - allow: [read,run]
 by:
@@ -48,12 +69,15 @@ for:
 by:
   group: grp-sandbox-exec
 ---
-description: Allow [read] for key storage access at the project level.  If accessing keys outside the project context, you'll need a comparable system-level rule.
+description: Allow [read] for key storage access at the project level.
 context:
-  project: prj-sandbox
+  application: rundeck
 for:
   storage:
-  - allow: [read]
+  - allow:
+      - read
+    match:
+      path: keys/project/prj-sandbox(/.*)?
 by:
   group: grp-sandbox-exec
 ```

docs/learning/howto/acls/group-jobgroup.md

@@ -9,6 +9,24 @@ order: 500
 
 Assign a specific Rundeck Group access to run a single, named Job in a specified project.  It will allow running that job against all nodes in the project.
 
+## What This User CAN Do
+- View the specified job
+- Run the specified job
+- View execution history for the specified job
+- View all nodes in the project
+- Run the job on all nodes
+- Read project-specific key storage entries
+
+## What This User CANNOT Do
+- View or run any other jobs in the project
+- Create, modify, or delete any jobs
+- Run ad-hoc commands
+- Create, update, or delete nodes
+- Configure project settings
+- Manage project ACLs
+- Create or modify key storage entries
+- Manage webhooks
+
 ## Code Description
 Find and replace these values with your own.
 - Project Unique ID: `prj-sandbox`
@@ -26,10 +44,13 @@ context:
 for:
   resource:
     - allow: [run,read]
+    - equals:
+        kind: event
+      allow: [read]
   job:
     - equals:
         name: jname-sandbox
-      allow: [run,read]
+      allow: [run,read,view,view_history]
   node:
     - allow: [read,run]
 by:
@@ -48,12 +69,15 @@ for:
 by:
   group: grp-sandbox-exec
 ---
-description: Allow [read] for key storage access at the project level.  If accessing keys outside the project context, you'll need a comparable system-level rule.
+description: Allow [read] for key storage access at the project level.
 context:
-  project: prj-sandbox
+  application: rundeck
 for:
   storage:
-  - allow: [read]
+  - allow:
+      - read
+    match:
+      path: keys/project/prj-sandbox(/.*)?
 by:
   group: grp-sandbox-exec
 ```

docs/learning/howto/acls/group-jobname.md

@@ -9,6 +9,20 @@ order: 400
 
 Assign a specific Rundeck Group access to manage and create Runners.  Valid for Runbook Automation commercial products only.
 
+## What This User CAN Do
+- View Runner configuration and status
+- Create new Runner entries
+- Ping Runners to check their status
+- Full management of all Runner resources
+
+## What This User CANNOT Do
+- Update existing Runner entries (not included in current policy)
+- Delete Runner entries (not included in current policy)
+- Regenerate Runner credentials (not included in current policy)
+- Access project-level resources (requires separate project access policies)
+
+**Note**: To grant full Runner management capabilities including update, delete, and credential regeneration, add those actions to the `allow` list in the policy.
+
 ## Code Description
 Find and replace these values with your own.
 - Group: `grp-runner-manage`

docs/learning/howto/acls/group-manage-runner.md

@@ -0,0 +1,139 @@
+---
+title: "Group/Multiple Projects Execute Access"
+order: 350
+---
+
+# Group/Multiple Projects Execute Access
+
+## Use Case Description
+
+Assign a specific Rundeck Group access to run jobs across multiple projects with the same permissions. This is useful for teams that work across several projects or for applications that span multiple environments.
+
+## What This User CAN Do
+- View all specified projects in their project list
+- View and run all jobs in each specified project
+- View execution history across all projects
+- View nodes in all specified projects
+- Run jobs on nodes in all specified projects
+- Read project-specific key storage entries for each project
+
+## What This User CANNOT Do
+- Create, modify, or delete jobs in any project
+- Run ad-hoc commands
+- Create, update, or delete nodes
+- Configure any project settings
+- Manage project ACLs
+- Create or modify key storage entries
+- Access projects not explicitly listed
+- Manage webhooks
+
+## Code Description
+Find and replace these values with your own.
+- Project Unique IDs: `prj-dev`, `prj-test`, `prj-prod`
+- Group: `grp-multiproject-exec`
+
+You can modify the regex pattern to match your project naming convention. Examples:
+- Three specific projects: `(prj-dev|prj-test|prj-prod)`
+- All projects starting with "app-": `app-.*`
+- All development projects: `.*-dev`
+
+Steps to implement are covered in the [overview page](index.md).
+
+## ACL Code
+
+``` yaml
+description: Application - Read access to multiple projects
+context:
+  application: 'rundeck'
+for:
+  project:
+    - match:
+        name: '(prj-dev|prj-test|prj-prod)'
+      allow: [read]
+  storage:
+    - allow: [read]
+      match:
+        path: keys/project/(prj-dev|prj-test|prj-prod)(/.*)?
+by:
+  group: grp-multiproject-exec
+---
+description: Project - Execute access to jobs in multiple projects
+context:
+  project: '(prj-dev|prj-test|prj-prod)'
+for:
+  job:
+    - allow: [read, view, view_history, run]
+  node:
+    - allow: [read, run]
+  resource:
+    - equals:
+        kind: event
+      allow: [read]
+    - equals:
+        kind: node
+      allow: [read]
+by:
+  group: grp-multiproject-exec
+```
+
+## Advanced: Different Permissions Per Project
+
+If you need different permissions for different projects (e.g., read-only in production but full access in development), create separate policies for each project instead of using a single regex pattern.
+
+**Example:**
+```yaml
+# Full access to development
+description: Application - Dev project access
+context:
+  application: 'rundeck'
+for:
+  project:
+    - equals:
+        name: prj-dev
+      allow: [read]
+by:
+  group: grp-dev-team
+---
+description: Project - Full job management in dev
+context:
+  project: prj-dev
+for:
+  resource:
+    - equals:
+        kind: job
+      allow: [create, delete]
+  job:
+    - allow: [read, view, update, run, kill]
+  node:
+    - allow: [read, run]
+by:
+  group: grp-dev-team
+---
+# Read-only access to production
+description: Application - Prod project read access
+context:
+  application: 'rundeck'
+for:
+  project:
+    - equals:
+        name: prj-prod
+      allow: [read]
+by:
+  group: grp-dev-team
+---
+description: Project - Read-only in production
+context:
+  project: prj-prod
+for:
+  job:
+    - allow: [read, view, view_history]
+  node:
+    - allow: [read]
+  resource:
+    - equals:
+        kind: event
+      allow: [read]
+by:
+  group: grp-dev-team
+```
+