Role
Roles in Digital Rebar Provision control which API operations a user is allowed to perform. Every API action (list, get, create, update, delete, and object-specific actions) is governed by a set of Claims that a Role grants. Users are assigned one or more roles, and their effective permissions are the union of all granted claims.
How Roles Work
A Role is a named object that contains a list of Claims. Each Claim specifies three things: a Scope (the object type, such as machines or bootenvs), an Action (such as get, list, create, update, or delete), and a Specific (a particular object key, or * for all objects of that type). All three fields accept comma-separated lists or * as a wildcard. For example, a Claim with Scope machines, Action get,list, Specific * allows listing and reading all machines but grants no write access. Roles are evaluated as a union: a request is granted if any one Claim in any of the user's assigned roles matches its scope, action, and specific, and denied otherwise.
Built-in Roles
DRP ships with a built-in superuser role whose claims cover all scopes and all actions with a wildcard specific. This role is assigned to the default rocketskates administrator user. Do not delete the superuser role.
Creating Custom Roles
Create a role using drpcli or the portal:
# Create a read-only role for machine inspection
drpcli roles create '{
"Name": "machine-reader",
"Claims": [
{"Scope": "machines", "Action": "get,list", "Specific": "*"},
{"Scope": "bootenvs", "Action": "get,list", "Specific": "*"}
]
}'
To create an operator role that can update machine workflow and stage assignments but cannot delete machines:
drpcli roles create '{
"Name": "machine-operator",
"Claims": [
{"Scope": "machines", "Action": "get,list,update,action", "Specific": "*"},
{"Scope": "bootenvs,stages,workflows", "Action": "get,list", "Specific": "*"}
]
}'
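To make the matching rules from How Roles Work concrete, here is an added Go example (not DRP's own code) that parses the two role definitions above in the JSON shape given to drpcli and evaluates requests against them with the union rule; the third role, limited to a single machine key, is a constructed assumption for illustration.

```go
package main

import (
	"encoding/json"
	"strings"
)
// Claim and Role mirror the JSON shape passed to "drpcli roles create";
// encoding/json matches keys case-insensitively, so "Scope" fills Scope.
type Claim struct{ Scope, Action, Specific string }
type Role struct {
	Name   string
	Claims []Claim
}
// fieldMatches applies the rule for one claim field: "*" matches anything,
// otherwise the field is a comma-separated list that must contain the value.
func fieldMatches(field, want string) bool {
	for _, v := range strings.Split(field, ",") {
		if v = strings.TrimSpace(v); v == "*" || v == want {
			return true
		}
	}
	return false
}
// Allowed implements the union rule: the request passes if any claim of any
// assigned role matches all three of scope, action and specific.
func Allowed(roles []Role, scope, action, specific string) bool {
	for _, r := range roles {
		for _, c := range r.Claims {
			if fieldMatches(c.Scope, scope) && fieldMatches(c.Action, action) && fieldMatches(c.Specific, specific) {
				return true
			}
		}
	}
	return false
}
// MustRole parses a role definition exactly as it would be given to drpcli.
func MustRole(js string) Role {
	var r Role
	if err := json.Unmarshal([]byte(js), &r); err != nil {
		panic(err)
	}
	return r
}
// The two roles from this page, plus a constructed role (assumption) whose Specific is one machine key.
var (
	MachineReader   = MustRole(`{"Name":"machine-reader","Claims":[{"Scope":"machines","Action":"get,list","Specific":"*"},{"Scope":"bootenvs","Action":"get,list","Specific":"*"}]}`)
	MachineOperator = MustRole(`{"Name":"machine-operator","Claims":[{"Scope":"machines","Action":"get,list,update,action","Specific":"*"},{"Scope":"bootenvs,stages,workflows","Action":"get,list","Specific":"*"}]}`)
	OneMachineAdmin = MustRole(`{"Name":"one-machine-admin","Claims":[{"Scope":"machines","Action":"*","Specific":"web-01"}]}`)
)
```

Holding machine-reader alone denies an update on any machine, while holding machine-reader and machine-operator together grants it, and neither grants delete.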
Assigning Roles to Users
Roles are assigned by name on a User object. A user can hold multiple roles; their permissions are additive. See User for how to assign roles when creating or updating users.
Role Validation
When a role is created or updated, DRP validates each Claim against the known scope and action registry. Invalid scope names or action names are rejected with an error. Use drpcli roles validate to check a role definition before applying it.
Roles in Content Packs
Roles can be included in content packs, making them easy to distribute as part of a content bundle. When a content pack is installed, its roles are loaded alongside tasks, stages, and workflows. This is useful for distributing a consistent RBAC posture across managed endpoints.
The remaining drpcli operations on roles follow the same pattern as for other DRP objects:
drpcli roles list
drpcli roles get Name:machine-reader
drpcli roles update Name:machine-reader '{"Claims": [...]}'
drpcli roles destroy Name:machine-reader