Roles
StackState Self-hosted v5.0.x
Last updated
StackState Self-hosted v5.0.x
Last updated
This page describes StackState version 5.0.
Go to the .
Every user in StackState needs to have a subject and a set of assigned; this combination is called a role. A role describes a group of users that can access a specific data set. StackState ships with four predefined roles and you can also create custom names and groups to match your needs.
There are four roles predefined in StackState:
Administrator - has full access to all views and has all permissions, except for platform management.
Platform Administrator - has platform management permissions and access to all views.
Power User - typically granted to a user that needs to configure StackState for a team(s), but will not manage the entire StackState installation.
Guest - has read-only access to StackState.
The permissions assigned to each predefined StackState role can be found below. For details of the different permissions and how to manage them using the stac CLI, see
The Administrator role (stackstate-admin): has all permissions assigned, except for access-admin-api, which is assigned only to the Platform Administrator predefined role.
Permissions assigned to the predefined Administrator role (stackstate-admin) are listed below, these were retrieved using the stac CLI. For details of the different permissions and how to manage them using the stac CLI, see .
⚠️ PLEASE NOTE - from StackState v5.0, the old sts CLI is called stac.
In a future release of StackState, the new sts CLI will fully replace the stac CLI. It is advised to install the new sts CLI and upgrade any installed instance of the old sts CLI to stac. For details see:
In addition to the default predefined role names (stackstate-admin, stackstate-platform-admin, stackstate-power-user, stackstate-guest), which are always available, custom role names can be added that have the same permissions. Below is an example of how to do this for both Kubernetes and Linux installations.
Include this YAML snippet in an authentication.yaml when customizing the authentication configuration to extend the default role names with these custom role names.
To use it in for your StackState installation (or already running instance, note that it will restart the API):
The instructions below will take you through the process of setting up a new group called StackStateManager
Subjects need two pieces of information: a subject name and a subject scope. Create a new subject - set its name to stackstateManager and set the scope to 'label = "StackState" AND type = "Business Application”’ as in the following example:
Please note that when passing an STQL query in a stac CLI command, all operators (like =, <,AND, and so on) need to be surrounded by spaces, as in the above example.
Also, please note that the subject's name is case-sensitive.
Configured subjects need permissions to access parts of the UI and to execute actions in it. StackState Manager role requires access to the specific view of business applications, and there is no need to grant any CRUD, or StackPack permissions - they will not be used in day-to-day work by any Manager. To grant permission to view the Business Applications view, follow the below example:
Please note that the subject's name, as well as permissions, are case-sensitive.
If your StackState instance is configured with a file-based authentication, then you need to add newly created subjects to the config file and enable authentication.
In the application_stackstate.conf file locate the authentication block and change enabled = false to enabled = true as in the below example:
Add new users and subjects to the logins table in the application_stackstate.conf as shown in the example below. Note that the default roles are always available (stackstate-admin, stackstate-platform-admin, stackstate-power-user and stackstate-guest)
Permissions assigned to the predefined Platform Administrator role (stackstate-platform-admin) are listed below, these were retrieved using the stac CLI. For details of the different permissions and how to manage them using the stac CLI, see .
Permissions assigned to the predefined Power User role (stackstate-power-user) are listed below, these were retrieved using the stac CLI. For details of the different permissions and how to manage them using the stac CLI, see .
Permissions assigned to the predefined Guest role are listed below, these were retrieved using the stac CLI. For details of the different permissions and how to manage them using the stac CLI, see .