User & Role Management in the Harness Software Delivery Platform
Get deep insights into how Harness leverages best-of-breed tech in user & role management - without compromising quality.
Enough has been said and written about how enterprises are continuing to erase the boundaries that define the perimeter of the workspace. Employees are increasingly working from anywhere and also making use of their personal devices (BYOD) to access work applications. IT teams are continuously adapting to a world where it’s impossible to define a strict security parameter, and that makes the job extremely hard for them.
Allowing users to work anytime, anywhere, using any device without compromising security is the biggest challenge that IT teams are faced with. Therefore, IT teams are under tremendous pressure to adopt emerging security paradigms like Zero Trust Security, and at the same time, they need to ensure that these security measures don’t bring down productivity. This approach relies on strong identity and authentication measures and granular access controls to draw virtual boundaries.
The onus lies equally and squarely on the makers of new SaaS applications to ensure that they remove the barriers in adoption of their applications by providing options to integrate seamlessly with the security ecosystem of customers and make the life of IT teams easy.
In this article, we will explore how Harness Platform leverages best-of-breed technologies to provide a multitude of options to IT teams to easily manage the Harness platform in this boundaryless world - without making any compromises on security. We will cover the complete lifecycle, from inviting users to controlling and tracking their activities within the Harness platform that ensures continuous security throughout the lifecycle.
Invite Users – Let’s Collaborate
"Alone we can do so little; together we can do so much." – Helen Keller
The world of software development is thriving on the collaboration of people who work together on solving some of the world’s most complex problems. To make collaboration easy, it’s important that admins are able to easily invite users to work on the Harness platform, so that they not only work together to manage their CI/CD pipelines in the self-serviced Harness platform, but can also monitor the expenses incurred on the cloud services. Harness provides various options to easily invite users to the Harness platform by leveraging customers’ existing investments in Identity and Access Management solutions.
1. SCIM – SCIM, or System for Cross Identity Management, automates the process of adding users to the Harness platform via customers’ trusted Identity Provider (IdP), e.g. Okta, Azure Active Directory, etc.
2. AD/LDAP Group Sync – Harness also automatically syncs users with your existing directory service to add them to the platform.
Our platform not only adds users, but also obtains the group membership information of the users to easily group them in the required structure that makes management easier and collaboration faster.
Additionally, you can also invite users manually.
While automation makes the process faster and avoids human error, it’s also important to make sure there are enough checks and balances in place to prevent unauthorized users from entering the platform. Harness provides various options to achieve this:
1. Restrict Email Domains – Admins can restrict the email domains from which users are allowed to join the platform.
2. Attributes to filter LDAP groups – Admins can specify attributes to filter groups that will be synced with the Harness platform.
3. Rules for SCIM – While configuring the IdP for syncing users with Harness, Admins can define rules for syncing users with Harness.
Automation to add users via syncing is a great way to make sure that the platform always stays in sync with the Identity Provider. As employees join the organization, change roles or responsibilities, or leave the organization, Harness stays up-to-date to reflect those changes.
Sign-In – Let’s Get Ship Done
As organizations let go of their perimeter, it’s important to protect every endpoint for every application within the organization. IT Admins are increasingly relying on strong identity and authentication measures to protect access to business-critical applications and sensitive data. At the same time, it’s important to provide a smooth sign-in experience to users to ensure that they remain highly productive.
Harness fully supports the philosophy of Zero Trust Security by supplying various options that allows Admins to provide seamless and secure sign-in experience for their users. Harness does this by leveraging their existing investments in security and access management solutions. A seamless sign-in increases overall productivity due to faster logins and fewer lost passwords, and at the same time, reduces cost by minimizing support calls to IT.
The Harness platform supports following authentication options:
1. SSO – Harness provides out-of-the-box (OOTB) integration with leading providers of SSO solutions based on both SAML and OAuth. SSO brings in a number of security benefits, as it reduces the attack surface because users only log in once and only use one set of credentials. SSO authentication gives IT Admins centralized control over who has access to what and enforces their enterprise security policies uniformly on all users and applications.
2. AD/LDAP – Harness allows users to use their existing AD/LDAP credentials even when their AD/LDAP is on premise. Active Directory simplifies life for IT Admins and end users while enhancing security for organizations by exercising centralized control over user and rights management.
3. Username/Password – In scenarios where it’s not possible to make use of SAML, OAuth, or AD/LDAP for sign-in, Harness also provides the option to use Username/Password. There are multiple options to enforce best practices for using passwords including length, renewal interva,l etc. To further strengthen the security control, there is also an option to use 2FA (2-Factor Authentication) by using TOTP-based apps.
Securing users isn’t enough as a lot of communication now happens between services and it’s important to authenticate and authorize service-to-service communication as well. Harness provides the following options to secure service-to-service communication:
1. Service Accounts – Service Accounts let customers generate API tokens that can be used to authenticate and authorize the calling service. Appropriate access control policies can be associated with Service Accounts to limit the exposure to require functionality.
2. Personal Access Tokens (PAT) – Just like Service Accounts, API tokens can be associated with a given user to allow access to services.
Control Access – Draw the Boundaries
One of the quite effective ways to draw boundaries in this boundaryless world is to define access control policies that allow Admins to control who can do what. The key to defining effective and easy-to-manage access control policies lies in how organizations are structured. An effective organization structure facilitates collaboration and discoverability, and if not done well, it can make communication and collaboration harder for developers. Harness provides ways to create a logical structure that naturally aligns with how most organizations are structured.
1. Account – Account is the topmost entity that can exercise control and has visibility over the entire platform. This ensures oversight and governance.
2. Organization – Organization, in Harness, is a unit of control where people and projects from the same BU can be organized in an independent hierarchy. Customers can create multiple organizations that can co-exist independently.
3. Project – Project represents the basic unit of collaboration in which users are grouped together to work on the same project. Each organization can have multiple projects.
This structure provides enough flexibility to define roles that are transversal, as well as the ability to define fine-grained control by limiting the scope of roles to the required level in organization hierarchy. For example, with the combinations of Roles and Resource groups, Admins can create permissions on specific resources and restrict them to the scope a user is allowed access to.
In Harness, RBAC policies are defined using:
1. Role – A Role is a set of permissions that allow or deny specific operations on a specific set of resources.
2. Resource Group – A Resource Group is a grouping of resources that are managed by the same set of users using the same set of access control policies. Resource Groups can be of two types:
a. All Resources – Groups all resources of a given type.
b. Named Resources – Groups together a specific set of individual resources.
When a User or a User Group is associated with a Role and a Resource Group, it provides them the permission as defined in the role to the resources as grouped together in the resource group.
Track – Establish Accountability
Despite putting all the right measures in place, things can still go wrong at times, and it becomes important to get to the root of the problem – what happened, when it happened, and who did it. The audit log allows IT admins to review the actions performed by users and it includes details such as who performed the action, what the action was, and when it was performed.
The ability to trace records back to their origin provides many benefits, including transparency, and helps to establish accountability in the organization. It also helps in the reconstruction of events that lead to the incident that can be further used to improve the policies to prevent the incidents from happening again.
Harness provides a detailed Audit Trail of actions performed by users with the following details:
- Timestamp – When the action took place.
- Event Source – Source of the request/action.
- Actor – Who took the action.
- Entity – Which entity was the object of action.
- Details – Details of the action, including what changed.
This comes along with various filtering options so that you can quickly get to the bottom of the incident by focusing only on the events of interest.
Security is no more a point in time thing taken care of by specialized systems and specialist people. All users and all systems must play their role in ensuring ubiquitous and continuous security. Harness provides various features that aligns with the concept of Zero Trust Security and makes the life of IT teams easy in managing and securing Harness by working together seamlessly with customers’ existing security infrastructure.
For further reading, keep your eyes peeled on the blog - we'll be releasing an in-depth technical piece on our Audit Trails. You can also check out our eBook, Applying Governance to CI/CD, for more information.