Add user role in ECE or revoke access on "client"

Hello,

Is it possible to add additional roles in ECE, and is it possible to revoke the ECE accounts on created environments?

As a use case, from ECE we create environments for different customers. There are customers who really like to know who has what access to their environment.

KR Henk

It is not possible to add additional / custom roles in ECE; there are just the 4 documented roles (platform admin / viewer and deployment manager / viewer). It sounds like for your use case you would only want to apply the Deployment Manager and Deployment Viewer roles, and not let these customers have Platform level roles (to avoid access to Runners / Allocators / system clusters / etc).

It is possible to revoke "native" users by either deleting them or disabling them. The "disable" feature is only available via the API:

curl $ECE_URL/api/v1/users/$USERNAME -u admin:$PW \
  -XPATCH -H 'content-type: application/json' \
  -d '{ "security": { "enabled": false } }'

(and you can call again with "enabled": true to enable them again).

Note that native users can create API keys, and disabling the user will not disable their keys; you must revoke those separately (in the UI or via the API).

Worth mentioning that it is also possible to configure ECE to log in via SAML, LDAP or Active Directory, and use role mappings to assign users to roles. This might be a more convenient way to manage users if you have a large number of customers compared to using "native" ECE users. The same caveats apply regarding API keys: they must be revoked separately.

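Added example, not part of the original thread and not Elastic's code: an off-boarding routine that chains the disable call from the reply above with the separate API-key revocation it warns about. The per-user `/auth/keys` paths are an assumption to check against the API reference for your ECE version; `ECE_ADMIN`, `ECE_DRY_RUN` and the function names are hypothetical.

```shell
#!/bin/sh
# Off-board a native ECE user: disable the login, revoke the user's API keys,
# then list the remaining keys so the operator can confirm none are left.
# Assumed to be set by the operator: ECE_URL, ECE_ADMIN, ECE_PW.
# Usage: ece_offboard_user USERNAME

# ece_call METHOD PATH [JSON_BODY]
# With ECE_DRY_RUN=1 the request is printed instead of sent.
ece_call() {
  ece_method=$1; ece_path=$2; ece_body=${3:-}
  if [ "${ECE_DRY_RUN:-0}" = 1 ]; then
    printf '%s %s%s\n' "$ece_method" "$ece_path" "${ece_body:+ $ece_body}"
    return 0
  fi
  # Build the curl argument list; --fail turns HTTP errors into a non-zero exit.
  set -- --silent --show-error --fail -u "$ECE_ADMIN:$ECE_PW" -X "$ece_method"
  if [ -n "$ece_body" ]; then
    set -- "$@" -H 'content-type: application/json' -d "$ece_body"
  fi
  curl "$@" "$ECE_URL$ece_path"
}

ece_offboard_user() {
  ece_user=$1
  # The username is placed in the URL path: refuse anything that could
  # change which resource the request addresses.
  case $ece_user in
    ''|*[!A-Za-z0-9._@-]*)
      echo "refusing unsafe username: $ece_user" >&2
      return 2 ;;
  esac
  # 1. Disable the account (the PATCH from the reply above).
  ece_call PATCH "/api/v1/users/$ece_user" \
    '{ "security": { "enabled": false } }' || return 1
  # 2. Disabling leaves API keys valid: revoke all keys owned by the user.
  #    (Path assumed from the ECE API reference; verify for your version.)
  ece_call DELETE "/api/v1/users/$ece_user/auth/keys" || return 1
  # 3. List the user's keys; the result should now be empty.
  ece_call GET "/api/v1/users/$ece_user/auth/keys"
}
```

Running it once with `ECE_DRY_RUN=1` shows the three requests in order before anything is sent to the platform.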

Perfect, thanks for your great reply!

KR Henk :+1:
