Support role impersonation in tw CLI for RBAC testing and automation
evaluating
Crimson Koala
Administrators need the ability to assume different workspace roles (Owner, Admin, Maintain, Launch, View) when running tw CLI commands to programmatically verify role-based access control privileges. Currently, testing RBAC requires manually switching roles in the Platform UI. An --assume-role flag would enable automated compliance testing and CI/CD validation of role permissions.
Charcoal Mandrill
I just wanted to point out:
> Otherwise, we will need to log into the Seqera Platform as each of these roles and test these privileges manually, one-by-one.
If you are using something like the enterprise OIDC for your Seqera Platform, this is not even possible. It's not possible to log in to any other Seqera Platform user accounts when you are required by your institution to only allow access to Platform via OIDC which is tied to a user's company user account with AD etc. applied.
So this situation is even worse in enterprise settings where there seems to be no actual way for any of the Seqera Platform admins to verify that the user access controls to various resources inside Platform are actually working as intended to limit users' ability to access and modify these resources.
If there's some way to do this I would love to know and I think it would correspond to the feature request being asked for here.
Rob Newman marked this post as evaluating
Rob Newman marked this post as acknowledged
Rob Newman
Hello Crimson Koala: This has been logged as a feature enhancement on the Tower CLI GitHub repository.
Rob Newman
Hello Crimson Koala: The Tower CLI leverages the Seqera API functionality and currently there is no "impersonate user" or "assume role" mechanism on the Seqera API. We will investigate the feasibility of this.