Omnistrate RBAC
Overview
Omnistrate RBAC allows your team members to assume some predefined roles.
Note
Please note that Omnistrate RBAC for your internal teams is completely separate from the customer-facing RBAC your customers use. The Omnistrate platform automatically builds RBAC for your customers when you build your SaaS product using Omnistrate. See the Tenant Management section for details on customer RBAC.
Organization Roles
Here are the roles and associated permissions for different operations:
| Organization Role | Build Side Service Access (including Pipeline, Build Service Definition, Product Tier) | Operate/Fleet Side Access | Account Config Access | User Invite Access (Access Control) | Billing Access | Service Plan Access | Resource Instance Access | Templates, Deployment Config, Image Registry |
|---|---|---|---|---|---|---|---|---|
| Root | CRUDL | CRUL | CRUDL | Invite/Uninvite except root | CRUDL | RL | CRUDL | CRUDL |
| Admin | CRUDL | CRUL | RL | Invite/Uninvite except root | RL | RL | CRUDL | CRUDL |
| Service Editor | CRUDL | RL | No Access | No Access | No Access | RL | CRUDL | CRUDL |
| Service Operator | RL | CRUL | No Access | No Access | No Access | RL | CRUDL | RL |
| Service Reader | RL | RL | No Access | No Access | No Access | RL | CRUDL | RL |
Legend:
C: Create; R: Read/Describe; U: Update; D: Delete; L: List
As an example, you may want to grant the Service Editor role to the development team building a control plane on top of Omnistrate, and the Service Operator role to the platform team operating your SaaS using Omnistrate.
Common assignment patterns
- Use Service Editor for build and release workflows that update service definitions, Plans, pipelines, and registries.
- Use Service Operator for day-2 operations on existing instances and deployment cells.
- Use Admin or Root for cloud account onboarding or offboarding, organization access control, and other account-level configuration.
Practical limitations
Practical limitations¶
- A user can hold only one organization role at a time.
- If one automation flow needs both build or release privileges and cloud-account administration, use a higher-privilege role or split the workflow across separate bot users.
- You can change a user's organization role directly from the Omnistrate console without needing to remove and re-invite the user. Navigate to People in the Omnistrate console, select the user, and update their role.
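The permission table and the assignment patterns above can be turned into a least-privilege check: given the operations an automation flow needs, pick the role with the fewest grants that still covers them, and fall back to splitting the flow across bot users when no single role does. This is an added example, not Omnistrate code; the column keys are shortened labels for the table's headers, and the "User Invite Access" column is modelled as C (invite) and D (uninvite), which is an assumption made here.

```python
"""Least-privilege role selection over the Omnistrate organization-role matrix (added example)."""

# Shortened labels for the table's columns, in the order the table lists them.
COLUMNS = ["build", "operate", "account", "invite",
           "billing", "plan", "instance", "templates"]


def _row(*cells):
    # "-" stands for the table's "No Access"; every other cell is a set of C/R/U/D/L letters.
    return {col: set() if c == "-" else set(c) for col, c in zip(COLUMNS, cells)}


# Transcribed from the table above. Invite column: C = invite, D = uninvite (assumption).
ROLE_MATRIX = {
    "Root":             _row("CRUDL", "CRUL", "CRUDL", "CD", "CRUDL", "RL", "CRUDL", "CRUDL"),
    "Admin":            _row("CRUDL", "CRUL", "RL",    "CD", "RL",    "RL", "CRUDL", "CRUDL"),
    "Service Editor":   _row("CRUDL", "RL",   "-",     "-",  "-",     "RL", "CRUDL", "CRUDL"),
    "Service Operator": _row("RL",    "CRUL", "-",     "-",  "-",     "RL", "CRUDL", "RL"),
    "Service Reader":   _row("RL",    "RL",   "-",     "-",  "-",     "RL", "CRUDL", "RL"),
}


def allowed(role, column, op):
    """True if `role` may perform the single operation `op` (C/R/U/D/L) on `column`."""
    return op in ROLE_MATRIX[role][column]


def covers(role, required):
    """`required` maps column -> letters; True if the role grants every requested letter."""
    return all(set(ops) <= ROLE_MATRIX[role][col] for col, ops in required.items())


def privilege_weight(role):
    """Total number of grants a role holds; used to rank candidate roles."""
    return sum(len(v) for v in ROLE_MATRIX[role].values())


def least_privileged_role(required):
    """Smallest role (by total grants) covering `required`, or None when no single
    role does, which is the cue to split the workflow across separate bot users."""
    candidates = [r for r in ROLE_MATRIX if covers(r, required)]
    return min(candidates, key=privilege_weight) if candidates else None


def split_plan(required):
    """Per-column least-privileged role, for splitting one flow across bot users."""
    return {col: least_privileged_role({col: ops}) for col, ops in required.items()}
```

Note that because Service Editor and Service Operator are not supersets of each other, a flow that needs both full build access and fleet updates is pushed up to Admin unless it is split.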
Restrictions
A given user can only be part of one organization. A user created without an invitation gets their own default organization.
If a user is invited to an existing organization, that user will be part of that organization. If you would like to join a different organization, you need to be removed from your current organization and re-invited by the new organization you wish to join. Please be aware that during this transition, your original Omnistrate account will be deactivated, and you will need to create a new account. In other words, by moving to a new organization, you will lose access to any services or data associated with your original organization.
If this process does not align with your needs, please contact [email protected]; we're here to help.
SSO for the Omnistrate Console
Omnistrate supports Single Sign-on (SSO) for the Omnistrate console, allowing your team members to authenticate using your organization's identity provider, such as Microsoft Entra ID, Okta, or any OpenID Connect-compatible provider.
To configure SSO for your Omnistrate console, contact [email protected] with the following details:
- Your Omnistrate organization ID
- The identity provider you want to use (for example, Microsoft Entra ID)
- Your OpenID Connect discovery URL or metadata endpoint
Once configured, your team members can sign in to the Omnistrate console using their corporate credentials, enforcing your organization's authentication policies (including MFA) across all Omnistrate access.
Note
SSO for the Omnistrate console is separate from SSO for your Customer Portal. To configure SSO for your customers, see Identity Providers (Single Sign-on).
Disabling Username and Password Authentication
After configuring SSO for your Omnistrate console, you can disable the default username/password authentication for your entire organization. This ensures that all team members must authenticate through your configured identity provider.
To disable username/password authentication at the organization level, contact [email protected]. Once enabled, this setting:
- Prevents all organization members from signing in with username and password
- Requires all users to authenticate through the configured identity provider
- Applies to the Omnistrate console only (Customer Portal authentication is configured separately)
Warning
Before disabling username/password authentication, ensure that at least one identity provider is configured and tested for your organization. Otherwise, your team members will be locked out of the Omnistrate console.