All-new Role-Based Access Control Engine, Custom Roles and more
Access control across the Phase platform has been reworked from the ground up to be more granular and completely customizable. We've added a whole new modular permissions framework, with 3 managed roles and full support for custom roles.
All-new access control framework
Until now, users on Phase could only be assigned one of 3 roles: Owner, Admin or Developer. These were hardcoded roles created to accommodate a basic permission model. These roles had implicit rules about what actions were allowed or not, and while this system worked for very basic use-cases, it lacked the sophistication and flexibility that larger teams and enterprises required.
To address this, we've completely reworked the access control and permission model across the Phase platform. As part of this update, we've formalized the 3 managed roles, as well as added support for custom roles with arbitrary permission policies for any use case.
Permission framework
The new permission framework is a modular system that allows you to define and manage granular permissions across a range of resources. We've divided resources into two categories: Organisation resources and App resources. As the names imply, these two categories of resources allow you to define a permission policy for each role based on the resources that can be managed at the Organisation and App level respectively.
Organization-level permissions:
Resource | Description |
---|---|
Organisation | Manage overall access to the organization |
Billing | Control access to billing & payment information in settings |
Apps | Manage access to applications within the organization |
Members | Control user membership and access within the organization |
Service Accounts | Manage service account permissions |
Roles | Define and assign roles within the organization |
Integration Credentials | Manage credentials for third-party integrations |
App-level permissions:
Resource | Description |
---|---|
Environments | Control access to different secret environments within the app |
Secrets | Manage access to app secrets |
Lockbox | Control access to Lockbox secret sharing |
Logs | Manage access to app and secret audit logs |
Tokens | Control creation and management of access tokens |
Members | Manage user access within the app |
Integrations | Control setup and management of app integrations |
Encryption Mode | Manage encryption settings for the app |
For each of the resources above, you can define a set of allowed CRUD (Create, Read, Update, Delete) actions that are available to a specific role. These permissions are then used by the permission engine when evaluating access requests, API calls, or various other operations.
Managed roles
The Owner, Admin and Developer roles have been formalized using this new permission model. You can check out the specific rules enforced by each of these roles by navigating to the Roles tab in the new Access page from the sidebar:
You can click "View" on any managed role to view the details of the permissions policy:
Check out the docs for a full list of managed roles and their associated permissions policies. As we continue to extend the feature set of Phase, we will extend these managed roles with sensible defaults, and may add additional managed roles as well.
Custom roles
One of the primary goals of the new access and permissions system is to allow users to create their own custom roles with permission policies that are tailored to their needs. Custom roles can be created by clicking the "Create role" button and setting a permission policy for each resource:
You can either select an access level from one of:
- No access
- Read access
- Full access
or set a custom access level based on your needs. We don't enforce any restrictions on the permissions that you define for a role, so feel free to experiment with different combinations and see what works best for you!
However, bear in mind that certain combinations of permissions are required to perform certain actions. We've put together a helpful cheat sheet to help you make sure you've set up the correct permission combinations for certain common use-cases.
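The following is an added example, not Phase's own code: it models a role as a map from each resource listed above to its allowed CRUD actions, then reports which permissions a use case needs that a custom role lacks. The policy shape, the deny-by-default evaluation, the function names (`build_policy`, `is_allowed`, `missing_permissions`) and the sample `EDIT_SECRET` requirement are assumptions made for illustration and are not taken from the Phase cheat sheet.

```python
# Added illustration: NOT Phase's implementation. The policy shape, names and
# the sample action requirements below are assumptions made for this example.
ACTIONS = frozenset({"create", "read", "update", "delete"})
RESOURCES = {
    "org": {"Organisation", "Billing", "Apps", "Members", "Service Accounts",
            "Roles", "Integration Credentials"},
    "app": {"Environments", "Secrets", "Lockbox", "Logs", "Tokens", "Members",
            "Integrations", "Encryption Mode"},
}
PRESETS = {"No access": frozenset(), "Read access": frozenset({"read"}),
           "Full access": ACTIONS}


def build_policy(spec):
    """Expand {(scope, resource): preset name or iterable of actions}."""
    policy = {}
    for (scope, resource), level in spec.items():
        if resource not in RESOURCES.get(scope, ()):
            raise ValueError(f"unknown resource: {scope}/{resource}")
        actions = PRESETS[level] if isinstance(level, str) else frozenset(level)
        if not actions <= ACTIONS:
            raise ValueError(f"unknown action(s): {sorted(actions - ACTIONS)}")
        policy[(scope, resource)] = actions
    return policy


def is_allowed(policy, scope, resource, action):
    """Deny by default: anything the policy does not list is refused."""
    return action in policy.get((scope, resource), frozenset())


def missing_permissions(policy, required):
    """Return the (scope, resource, action) triples a use case needs but the role lacks."""
    return [r for r in required if not is_allowed(policy, *r)]


# Constructed use case (hypothetical, not taken from Phase's cheat sheet):
# editing a secret also needs read access to the environment that holds it.
EDIT_SECRET = [("app", "Environments", "read"), ("app", "Secrets", "read"),
               ("app", "Secrets", "update")]

# Constructed custom role: can write secrets but was never granted Environments.
ci_writer = build_policy({
    ("app", "Secrets"): {"read", "update"},
    ("app", "Logs"): "Read access",
    ("org", "Billing"): "No access",
})

if __name__ == "__main__":
    print(missing_permissions(ci_writer, EDIT_SECRET))
```

Running a check like this against a custom role before assigning it surfaces gaps such as the missing Environments read permission in the constructed role.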
UI Navigation updates
As part of this release, we've also updated the UI to consolidate access-related resources into a new "Access" page, accessible from the sidebar. The "Access" page contains tabs to manage organisation Members and Roles. The Authentication tab lets you view and manage personal access tokens (PATs).
The all-new access and permission engine is live on Phase Cloud and available with version v2.32.0 for self-hosted users.
Reach out on Slack or GitHub for any questions or feedback on this release!