Subjects

StackState Self-hosted v5.1.x

StackState is configured by default with file-based authentication with predefined roles for Guests (very limited permission level), Power Users and Administrators (full permission level). To change the configuration to use LDAP authentication, see the authentication docs.

How to make a new user or group with scopes

To create a new subject (a group or a username), you must follow the stac CLI route below. When you create a subject, it has no permissions at first. All custom subjects need a scope by design, so they don't have access to the full topology. This is a security requirement that makes sure that users have access only to what they need.

Examples

  • Create the stackstate subject with a scope that allows the user to see all elements with the StackState label:

From StackState v5.0, the old sts CLI has been renamed to stac and there is a new sts CLI. The command(s) provided here are for use with the new sts CLI.

➡️ Check which version of the sts CLI you are running

sts rbac create-subject --subject stackstate --scope 'label = "StackState"'

  • To give more context and specific limitations, create the subject stackstateManager with the same scope of the StackState label and additional access to Business Applications within that label:

sts rbac create-subject --subject stackstateManager --scope 'label = "StackState" AND type = "Business Applications"'

NOTE:

  • When passing an STQL query in a stac or sts CLI command, all operators (such as =, <, AND, and so on) need to be surrounded by spaces, as in the above example.

  • For LDAP authentication, the subject name must exactly match the username or group name configured in LDAP (case-sensitive).
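
The operator-spacing rule in the note above can be checked before a subject is created. The shell functions below are an added example, not part of the StackState documentation or CLI: scope_ok, create_scoped_subject and DRY_RUN are hypothetical names, and the check assumes values are double-quoted and treats any run of the characters = < > ! as one operator.

```shell
#!/bin/sh
# Added example: pre-flight check of a scope query before creating a subject.
# Assumptions (not from the StackState docs): runs of the characters = < > !
# are treated as one comparison operator, and values are double-quoted.
# Usage: DRY_RUN=1 create_scoped_subject stackstate 'label = "StackState"'

# scope_ok QUERY: returns 0 if QUERY is non-empty, its quotes are balanced,
# and every checked operator outside quoted values has a space on both sides.
scope_ok() {
    query=$1
    # Custom subjects always need a scope: reject empty or whitespace-only input.
    [ -n "$(printf '%s' "$query" | tr -d '[:space:]')" ] || return 1
    # An odd number of double quotes means an unterminated value.
    quotes=$(printf '%s' "$query" | tr -cd '"' | wc -c)
    [ $((quotes % 2)) -eq 0 ] || return 1
    # Blank out quoted values so "a=b" inside a value is not seen as an operator.
    bare=$(printf '%s' "$query" | sed 's/"[^"]*"/""/g')
    # Comparison operator touching a non-space character on either side.
    if printf '%s\n' "$bare" | grep -Eq '[^ =<>!][=<>!]+|[=<>!]+[^ =<>!]'; then
        return 1
    fi
    # AND glued to a quoted value, e.g. "StackState"AND.
    if printf '%s\n' "$bare" | grep -Eq '"AND|AND"'; then
        return 1
    fi
    return 0
}

# create_scoped_subject SUBJECT QUERY: validates QUERY, then runs the command
# shown on this page. With DRY_RUN=1 it prints the command instead of running it.
create_scoped_subject() {
    if ! scope_ok "$2"; then
        echo "refusing to create '$1': bad scope query: $2" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf "sts rbac create-subject --subject %s --scope '%s'\n" "$1" "$2"
    else
        sts rbac create-subject --subject "$1" --scope "$2"
    fi
}
```

A rejected query never reaches the CLI, so a subject is not created with a scope that differs from the one intended.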
