As customers scale their usage of the HashiCorp Cloud Platform (HCP), more complex identity and access management (IAM) problems can emerge. User onboarding, management of role-based access control (RBAC), and auditing are just a few of the areas that need to scale with user-management processes.
Security best practices emphasize the importance of rigorously adhering to the principle of least privilege by clearly defining roles based on job function. At HashiCorp, we want to help organizations enforce regular reviews of roles and their associated permissions so they have more control over their users’ access. In pursuit of this objective, we released a feature called HCP groups, which offers organizations a centralized role-management interface within the HCP console.
It’s now easier than ever for organizations to group user identities and assign roles and projects to them. HCP groups bear many similarities to RBAC, where roles represent a set of permissions and responsibilities relevant to a specific job or function within your organization. For example, roles might include "project admin", "project contributor", "administrator", and so on, each with its own set of permissions. This capability can make user management faster and more robust, paving the way for tighter integration with identity-management processes.
What are HCP groups?
Groups are an identity principle that lets administrators bundle user identities and treat them as a single unit that can receive role assignments and project associations. This enables more efficient and logical user management along with clearer permissions auditing.
Each group can have one or more user members, and a group can then be associated with one or more projects. Groups can also have a different role assignment for different associated projects.
For example, you may have an application engineering group with five members. Using HCP groups, you can give the application engineering group admin role permissions for a development project, contributor role permissions for a QA project, and view-only role permissions for a production project, as shown here:
How to get started with HCP groups
Groups can be managed within the organization's “Access control (IAM)” settings section of the portal. To get started, follow these seven steps:
- Log into the HCP portal, navigate to the top of the page and click on your organization.
- Inside of the organization dashboard, you’ll see a menu item called “Access control (IAM)” which you can click to view a list of all users.
- In the menu, click “Groups”. Then click the button “Create group”.
- Add users to the newly created group.
- Navigate back to your project dashboard and click on “Access Control (IAM)” for your project.
- Then click on “Groups” under “Access Control (IAM)” and then click the “Add groups” button.
- Select the group and assign the group role. You can choose between “Project admin”, “Project contributor”, or “Project viewer”. Then click “Add Groups” to apply the role to that group.
When thinking about role permissions, keep in mind that HCP chooses the most elevated role when resolving multiple roles assigned to a user via groups and at the organization level.
You can find more information and step-by-step instructions in the HCP groups documentation.
(Note: If you are interested in using identity groupings that already exist in your identity provider for HCP, HashiCorp would like to help with your particular use case. Please use this brief form to let us know about your interest.)
Next steps with HCP groups
HCP groups represents a significant enhancement to HCP’s IAM capabilities. A streamlined approach to role management and user access control through groups helps organizations improve security, efficiency, and compliance with best practices.
from HashiCorp Blog https://bit.ly/46UXtwN