If the ops team needs to do some work on the managed control planes, there should be a way to get into the user's account.
We should support several auth methods running at the same time for the same account.
For the support access we can have a separate URL `<account>.omni.siderolabs.io/support` which will have our OIDC auth enabled. Omni can start the `support` auth flow if you open the `/support` URL.
The support access should only be enabled for the accounts that have managed control planes.
And it should be possible to opt in to support for the account in SaaS.
Introduce another role for the support level access: `Role.Support`.
This role will have all the rights of `Admin`, but will also have access to the annotated resources which are read-only for the account owner.
For managed control planes we can apply `Role.Support` for the specific clusters to the users in the support group using ACL, while the base role will be `Role.Reader`.
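
A sketch of the role resolution proposed above, added here as an illustration and not taken from Omni's code: the base role stays `Reader`, an ACL rule raises it to `Support` on named clusters only, and annotated resources stay read-only for `Admin`. The `ACLRule` shape, the `supportManaged` flag, the role ordering and the cluster and group names are all assumptions.

```go
package main

import "fmt"

// Role is ordered so that a higher value includes every lower role's rights (assumed ordering).
type Role int

const (
	RoleNone Role = iota
	RoleReader
	RoleOperator
	RoleAdmin
	RoleSupport // proposed role: Admin plus write access to annotated resources
)

// ACLRule grants a role on specific clusters to members of a group (hypothetical shape).
type ACLRule struct {
	Group    string
	Clusters map[string]bool
	Role     Role
}

// EffectiveRole returns the highest of the base role and any ACL rule that
// matches both the caller's groups and the target cluster.
func EffectiveRole(base Role, groups map[string]bool, cluster string, acl []ACLRule) Role {
	role := base
	for _, rule := range acl {
		if rule.Clusters[cluster] && groups[rule.Group] && rule.Role > role {
			role = rule.Role
		}
	}
	return role
}

// CanWrite requires Support for annotated (support-managed) resources and
// Admin for everything else (a simplification of the real permission model).
func CanWrite(role Role, supportManaged bool) bool {
	if supportManaged {
		return role >= RoleSupport
	}
	return role >= RoleAdmin
}

func main() {
	// Constructed sample: one managed cluster, one support group.
	acl := []ACLRule{{Group: "support", Clusters: map[string]bool{"managed-1": true}, Role: RoleSupport}}
	groups := map[string]bool{"support": true}
	fmt.Println(CanWrite(EffectiveRole(RoleReader, groups, "managed-1", acl), true))
	fmt.Println(CanWrite(EffectiveRole(RoleReader, groups, "self-hosted", acl), false))
}
```

Scoping the grant to cluster names keeps a support login at `Reader` everywhere outside the managed control planes.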