
Enhancing Security with Granular Role-Based Access Control (RBAC) in Convox

At Convox, we’ve always believed in providing robust security features to safeguard your platform. With our latest update to Role-Based Access Control (RBAC), we’re taking permissions management to the next level by introducing custom roles with fine-grained access controls. This upgrade allows you to create specific roles tailored to different users or use cases, ensuring better security and more effective permission management.

What Is the Updated RBAC?

Our enhanced RBAC now supports creating and managing custom roles, giving organizations the flexibility to define who can access what. Previously, Convox offered RBAC, but it was limited in scope. Now, with the introduction of custom roles, administrators can define granular permissions for both the Console and CLI, ensuring unified permission management across interfaces.

Why RBAC Matters

RBAC minimizes security risk by enforcing the principle of least privilege: each user receives only the permissions their job requires. With custom roles, organizations can prevent unauthorized access, reduce the risk of unintended configuration changes, and establish clear boundaries for what each user can do within the platform.

Core Benefits of Using Enhanced RBAC

  • Granular Permissions Control: Define and assign custom roles to users based on their responsibilities, ensuring precise access without exposing sensitive resources.
  • Unified Permission Management: Manage user roles and permissions consistently across both the Console and CLI, maintaining coherence in access controls.
  • Enhanced Security: Access is denied by default. A user can perform an action only when a role assigned to them explicitly grants it, so every role is an allow-list rather than a deny-list.


Creating and Assigning Roles

With this RBAC update, organizations can create custom roles from scratch or clone existing roles to tailor permissions as needed. Here’s how:

  1. Create a Role: Go to the Users page in the Convox Console, select the Roles tab, and click Create Role to define a new role or Clone to create a role based on an existing template.
  2. Assign Roles: Navigate to the Active Users tab and assign the newly created role to a user by selecting the role from the dropdown list.


Pre-Created Roles for Common Use Cases

To make role assignment easier, Convox offers a set of pre-created roles that cover common scenarios. These pre-configured roles extend across both the Console and CLI for consistent permissions:

  • Administrator: Full access to all resources, including billing, users, and audit logs. Ideal for those who need complete control over the platform.
  • OperatorV2: Provides control over application deployment, rack configurations, integrations, workflows, and more, while offering view-only access to sensitive areas like billing and user management.
  • DeveloperV2: Focuses on application development and deployment, with view-only access to dashboards, jobs, and rack details, giving developers the permissions they need without overexposing infrastructure configurations.


Flexible Permission Policies for Your Organization

Every role in Convox’s enhanced RBAC can include multiple permission policies. These policies consist of:

  • Resource Type: Specifies the category of the resource, such as Applications, Racks, or Billing.
  • Resource Name: Narrows the policy to particular resources or applies it to every resource of that type. A name can be given as an exact string, chosen from a dropdown list, matched with a regex filter, or left as a wildcard.
  • Actions: Grants Read or Write access to the matched resources. Nothing is granted by default: a user can perform an action on a resource only if one of their role's policies explicitly allows it.

For a full list of available resource types and examples of permission configurations, check out the RBAC Documentation.

Advanced Use Cases for Custom Roles

RBAC enables organizations to create highly specialized roles to match their security needs. Here are a few common examples:

  • Non-Billing Administrator: Provides administrative-level write access to all resources except billing. This role is ideal for administrators who manage platform operations but shouldn’t access financial data.
  • Engineer with Limited Write Access: Allows engineers to manage deployments and jobs across multiple applications while restricting access to sensitive settings like rack configurations.
  • Read-Only Auditor: Grants full visibility into all resources without granting write permissions. This role is perfect for compliance auditors or security personnel.


Expanding Deploy Key Capabilities with RBAC

Along with user roles, custom roles can be assigned to Deploy Keys, the API keys intended for CI environments and other automated systems. A deploy key honours only the Rack and Application permissions of its role; Billing and User Management permissions are never exercised through a key, so a key that leaks from a CI system cannot reach those areas. Treat each key as a secret, and give each pipeline its own key with a role scoped to the applications it actually deploys.

To learn more about configuring Deploy Keys and their expanded functionality, check out the Deploy Keys Documentation.
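The policy model described above (resource type, resource-name matcher, Read/Write actions, deny by default, and deploy keys limited to Racks and Applications) is easy to reason about once it is written down as an evaluator. The following is an added example, not Convox's code and not its API: it models the three advanced roles from this page plus a deploy-key binding, and checks a few requests against them. The "*" and "re:" matcher syntax, the resource-type list, and the decision to grant Write alongside Read explicitly (the page does not say whether Write implies Read) are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Resource types used in this example (an assumed subset; the full catalogue is
# in the RBAC documentation). The page names Applications, Racks, Billing,
# Users, Jobs and audit logs.
ALL_TYPES = ("Applications", "Racks", "Billing", "Users", "AuditLogs", "Jobs")

# Per the page, a deploy key honours only Rack and Application permissions.
DEPLOY_KEY_TYPES = frozenset({"Applications", "Racks"})


@dataclass(frozen=True)
class Policy:
    """One permission policy: resource type, resource-name matcher, actions."""
    resource_type: str
    resource_name: str = "*"          # "*" = every resource of this type,
                                      # "re:<pattern>" = regex, otherwise exact
    actions: frozenset = frozenset()  # subset of {"Read", "Write"}

    def matches(self, resource_type: str, resource_name: str) -> bool:
        if resource_type != self.resource_type:
            return False
        if self.resource_name == "*":
            return True
        if self.resource_name.startswith("re:"):
            return re.fullmatch(self.resource_name[3:], resource_name) is not None
        return self.resource_name == resource_name


@dataclass
class Role:
    name: str
    policies: list = field(default_factory=list)
    deploy_key: bool = False          # True when this role is bound to a deploy key

    def allows(self, action: str, resource_type: str, resource_name: str) -> bool:
        """Default deny: True only if some policy explicitly grants the action."""
        if self.deploy_key and resource_type not in DEPLOY_KEY_TYPES:
            return False                # keys never reach Billing, Users, etc.
        return any(
            action in p.actions and p.matches(resource_type, resource_name)
            for p in self.policies
        )


RW = frozenset({"Read", "Write"})
RO = frozenset({"Read"})


def build_example_roles() -> dict:
    """The three roles from the page, plus Administrator bound to a deploy key."""
    administrator = Role("Administrator", [Policy(t, "*", RW) for t in ALL_TYPES])
    non_billing_admin = Role(
        "Non-Billing Administrator",
        [Policy(t, "*", RW) for t in ALL_TYPES if t != "Billing"],
    )
    engineer = Role(
        "Engineer with Limited Write Access",
        [
            Policy("Applications", "re:web-.*", RW),   # only apps named web-*
            Policy("Jobs", "*", RW),
            Policy("Racks", "*", RO),                  # may inspect, not change
        ],
    )
    auditor = Role("Read-Only Auditor", [Policy(t, "*", RO) for t in ALL_TYPES])
    ci_key = Role("ci-deploy-key", administrator.policies, deploy_key=True)
    return {r.name: r for r in (administrator, non_billing_admin, engineer, auditor, ci_key)}


if __name__ == "__main__":
    roles = build_example_roles()
    checks = [   # constructed requests (role, action, resource type, resource name)
        ("Non-Billing Administrator", "Read", "Billing", "invoices"),
        ("Engineer with Limited Write Access", "Write", "Applications", "web-api"),
        ("Engineer with Limited Write Access", "Write", "Racks", "production"),
        ("ci-deploy-key", "Read", "Billing", "invoices"),
    ]
    for role, action, rtype, rname in checks:
        print(f"{role}: {action} {rtype}/{rname} -> "
              f"{roles[role].allows(action, rtype, rname)}")
```

Two properties are worth noting. The auditor is denied every Write even though it can read everything, and the deploy key built from the full Administrator policy set still cannot read Billing, because the key restriction is applied before any policy is consulted. Unknown resource types fall through to the default deny with no special casing.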

Conclusion

The introduction of enhanced RBAC on Convox is a significant step forward in improving platform security and providing fine-grained control over user access. Whether you're managing roles for individual team members or configuring deploy keys for CI pipelines, RBAC ensures that permissions align precisely with your organization’s needs.

We encourage you to explore the new RBAC feature, refine your roles and policies, and experience greater confidence in your platform’s security. For more information, visit our RBAC Documentation.

Let your team focus on what matters.