Folder RBAC for Object Creation and Editing
Users with editor permissions on folders can now create objects in Kloudfuse. This feature enables granular control over who can create objects within specific folders based on their permission levels.
Overview
Folder-level RBAC for Kloudfuse object creation and editing allows users with editor permissions on a folder to create objects within that folder, without requiring global administrator privileges. This enables:
- Granular access control - Control who can create objects on a per-folder basis
- Organizational structure - Maintain clear ownership and organization of objects
- Security compliance - Ensure objects are created only in approved folders with proper permissions
How It Works
Permission Evaluation
Kloudfuse evaluates permissions from multiple sources when determining folder access. Permissions can be assigned through various mechanisms including role-based permissions, folder-specific permissions, and individual user permissions.
When a user attempts to create an object in a folder, the system evaluates all applicable permissions and grants access based on the highest permission level found across all sources.
See the example below for clarification.
Kloudfuse Objects
Kloudfuse objects affected by folder-level RBAC include:
- SLOs
- Scheduled Views
- Saved Queries
- Lookup Tables
- Favorite Facets
- Scheduled Searches
Permission Requirements
To create objects in a folder, the following requirements must be met:
- The user has Edit permissions (or higher) from any applicable permission source
- The folder exists and is accessible to the user
| Permission Level | Object Creation Rights |
|---|---|
| View | Cannot create objects (read-only access) |
| Edit | Can create, modify, and delete objects in the folder |
| Admin | Can create objects and manage folder permissions |
Access Control Behavior
Folder Permission Checks
When creating an object, the system performs the following checks:
- Evaluates all applicable permissions from various sources
- Grants access based on the highest permission level found
- Verifies the user has Edit or Admin permissions on the selected folder
- Validates that the folder exists and is accessible
If any check fails, the object creation will be denied with an appropriate error message.
Examples of Permission Sources
Permissions can come from multiple sources. Below are examples of common permission assignment methods:
- Role-based folder permissions - Permissions assigned to roles that apply to all users with those roles.
- Individual user permissions - Permissions assigned directly to specific users.
- Team permissions - Permissions assigned to teams that apply to all users in those teams.
Example
Let’s say user1 has the editor role for their account and is trying to create an object inside FolderA. Let’s take a look at FolderA’s permissions:
- Role-based folder permission: FolderA has View permission for editors
- Individual user permission: user1 has Edit permission
Kloudfuse evaluates all applicable permissions and uses the highest permission level found. In this case, user1 will have Edit permissions for that folder and can create objects in FolderA.
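The highest-level-wins evaluation described above can be modeled in a few lines. This is an added example, not Kloudfuse code or its API: the data model, the `viewer` role, the `sre` team, `user2` and `user3` are constructed assumptions, and the `elevated_by` audit helper goes beyond the page to show which direct or team grants lift a user above their role-based level.

```python
from enum import IntEnum

class Level(IntEnum):
    NONE = 0
    VIEW = 1
    EDIT = 2
    ADMIN = 3

# Constructed sample data (hypothetical model, not Kloudfuse's schema).
USERS = {
    "user1": {"roles": {"editor"}, "teams": set()},
    "user2": {"roles": {"viewer"}, "teams": {"sre"}},
    "user3": {"roles": {"viewer"}, "teams": set()},
}
FOLDERS = {
    "FolderA": {
        "role": {"editor": Level.VIEW, "viewer": Level.VIEW},
        "user": {"user1": Level.EDIT},
        "team": {"sre": Level.ADMIN},
    },
}

def grants(user, folder):
    """Return every (source, level) grant that applies to user on folder."""
    acl, who = FOLDERS.get(folder), USERS.get(user)
    if acl is None or who is None:
        return []  # unknown folder or user: nothing applies
    found = [(f"role:{r}", acl["role"][r]) for r in sorted(who["roles"]) if r in acl["role"]]
    found += [(f"team:{t}", acl["team"][t]) for t in sorted(who["teams"]) if t in acl["team"]]
    if user in acl["user"]:
        found.append((f"user:{user}", acl["user"][user]))
    return found

def effective(user, folder):
    """Highest level across all sources; NONE if no grant or no such folder."""
    return max((lvl for _, lvl in grants(user, folder)), default=Level.NONE)

def can_create(user, folder):
    """Object creation needs Edit or higher on an existing, accessible folder."""
    return effective(user, folder) >= Level.EDIT

def elevated_by(user, folder):
    """Audit helper: non-role grants that lift the user above their role-based level."""
    g = grants(user, folder)
    role_max = max((l for s, l in g if s.startswith("role:")), default=Level.NONE)
    return [(s, l.name) for s, l in g if not s.startswith("role:") and l > role_max]
```

Because the highest level wins, a restrictive role-based grant does not cap what a direct or team grant can add, so reviewing folder access means reviewing every source, not only roles.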