Access Control

Overview

Flowctl implements a comprehensive Role-Based Access Control (RBAC) system that manages user permissions through roles and namespaces. Access control is enforced using Casbin.

Key Concepts

Flowctl has two levels of user roles:

Global User Roles - Applied at the application level
- Superuser: Has admin access to all namespaces and can manage all resources
- User: Standard user who only has flow execution access in the default namespace
Namespace Roles - Applied within specific namespaces
- User: Can view and execute flows
- Reviewer: Can view flows, executions, and approve flow actions
- Admin: Full control over namespace resources

Namespaces

Namespaces are logical containers that organize and isolate resources in flowctl. Each namespace can contain:

Flows
Executions
Nodes (remote servers)
Credentials
Secrets
Members (users and groups with roles)

Default Namespace

When you first install flowctl, a default namespace is automatically created. You can organize your flows into additional namespaces as needed.

Namespace Roles and Permissions

User Role

The User role is the most restrictive namespace role, suitable for team members who need to run flows but not modify them.

Permissions:

✓ View flows
✓ Execute flows
✓ View executions
✓ View namespace information
✓ View namespace members
✗ Create, update, or delete flows
✗ Approve flow actions
✗ Manage nodes, credentials, or secrets
✗ Manage namespace members

Reviewer Role

The Reviewer role inherits all User permissions and adds approval capabilities.

Permissions:

✓ All User role permissions
✓ View approval requests
✓ Approve or reject flow actions
✗ Create, update, or delete flows
✗ Manage nodes, credentials, or secrets
✗ Manage namespace members

Admin Role

The Admin role has full control over all resources within a namespace.

Permissions:

✓ All Reviewer role permissions
✓ Create, update, and delete flows
✓ View, create, update, and delete nodes
✓ View, create, update, and delete credentials
✓ View, create, update, and delete secrets
✓ Add and remove namespace members
✓ Update member roles

Permission Matrix

Here’s a complete breakdown of what each namespace role can do:

Resource	User	Reviewer	Admin
Flows
View	✓	✓	✓
Create	✗	✗	✓
Update	✗	✗	✓
Delete	✗	✗	✓
Execute	✓	✓	✓
Executions
View	✓	✓	✓
Approvals
View	✗	✓	✓
Approve/Reject	✗	✓	✓
Nodes
View	✗	✗	✓
Create	✗	✗	✓
Update	✗	✗	✓
Delete	✗	✗	✓
Credentials
View	✗	✗	✓
Create	✗	✗	✓
Update	✗	✗	✓
Delete	✗	✗	✓
Secrets
View	✗	✗	✓
Create	✗	✗	✓
Update	✗	✗	✓
Delete	✗	✗	✓
Members
View	✓	✓	✓
Add	✗	✗	✓
Update Role	✗	✗	✓
Remove	✗	✗	✓

Managing Namespace Members

Adding Members to a Namespace

Namespace admins can add users or groups to their namespace:

Go to the “Members” section
Click “Add Member”
Select the user or group
Assign a role (User, Reviewer, or Admin)
Save

Groups

Flowctl supports groups for easier permission management. Instead of assigning roles to individual users, you can:

Create a group (e.g., “DevOps Team”, “QA Team”)
Add users to the group
Assign the group to namespaces with specific roles

When a user is added to a group, they automatically inherit all namespace access that the group has.

Authentication

Admin User

The initial admin user configured in config.toml can authenticate using username and password. This user automatically has the “superuser” global role.

[app]
  admin_username = "admin"
  admin_password = "secure_password"

OIDC Authentication

All non-admin users authenticate via SSO using OIDC. Configure OIDC in your config.toml:

[app.oidc]
  client_id = "your-client-id"
  client_secret = "your-client-secret"
  issuer = "https://your-oidc-provider.com/"