Authorization

Spiral uses a role-based access control (RBAC) model for authorization, where currently the only unit of permissioning is the project.

In this model, principals (users, teams, service accounts) are granted roles on projects.

A role confers a set of permissions on the project, which are used to determine whether a principal is allowed to perform a given action.

Roles

The roles currently defined in Spiral are:

  • admin - full access to the project
  • editor - read/write access to the project
  • viewer - read-only access to the project

These roles expand to resource-specific permissions, such as table:read and table:write.

Please reach out to us if you have specific requirements for custom roles.

Principals

Principals are entities that can be granted roles on projects. Currently, the following types of principals are supported:

  • Org-scoped Users - an individual org/user pair
  • Teams - groups of users as defined manually in Spiral
  • Groups - groups of users as synchronized from an external identity provider
  • Organizations - a team implicitly defined as all members of an organization
  • Workloads - non-human entities

Please contact us if you want to use workloads for authentication. We strongly recommend OIDC. We can integrate an OIDC provider and/or help you set it up.

Grants

Grants are the association of a principal with a role on a project. They are the mechanism by which permissions are conferred. Grants can be listed, created, updated, and deleted using the Spiral CLI. To create a grant, see the grant command.
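A minimal model of how the grants above resolve to an allow/deny decision, added here as an illustration and not Spiral's own code: roles expand to permissions, a grant binds a principal to a role on a project, and a user's effective permissions are the union over grants that name the user directly or a team/org containing them, with everything else denied. The principal string format, the Directory class and the grant:write permission are assumptions; only table:read and table:write come from the page.

```python
from dataclasses import dataclass, field

# Role -> permission expansion. table:read / table:write are named on the
# page; grant:write for admin is an assumed permission used for illustration.
ROLE_PERMISSIONS = {
    "admin": frozenset({"table:read", "table:write", "grant:write"}),
    "editor": frozenset({"table:read", "table:write"}),
    "viewer": frozenset({"table:read"}),
}

@dataclass(frozen=True)
class Grant:
    """A principal holding a role on a project (the only unit of permissioning)."""
    principal: str  # "user:<id>", "team:<name>" or "org:<name>" (assumed format)
    role: str
    project: str

@dataclass
class Directory:
    """Constructed membership data standing in for Spiral's team/org records."""
    teams: dict[str, set[str]] = field(default_factory=dict)
    orgs: dict[str, set[str]] = field(default_factory=dict)

    def principals_for(self, user: str) -> set[str]:
        """Every principal a grant could name that applies to this user."""
        found = {f"user:{user}"}
        found |= {f"team:{t}" for t, members in self.teams.items() if user in members}
        found |= {f"org:{o}" for o, members in self.orgs.items() if user in members}
        return found

def permissions_for(user: str, project: str, grants: list[Grant], directory: Directory) -> set[str]:
    """Union of permissions from every grant on `project` naming one of the user's principals."""
    mine = directory.principals_for(user)
    perms: set[str] = set()
    for g in grants:
        if g.project != project or g.principal not in mine:
            continue
        if g.role not in ROLE_PERMISSIONS:
            # Fail closed: an unknown role must never be treated as a grant of anything.
            raise ValueError(f"unknown role {g.role!r} in grant for {g.principal}")
        perms |= ROLE_PERMISSIONS[g.role]
    return perms

def is_allowed(user: str, project: str, action: str, grants: list[Grant], directory: Directory) -> bool:
    """Deny by default: allowed only if some grant on this project confers the action."""
    return action in permissions_for(user, project, grants, directory)
```

Note that a grant on one project never leaks into another: the project is the only scope a grant carries, so a check always starts from the project being accessed.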

OIDC

OIDC (OpenID Connect) is a protocol for authenticating users between systems.

Instead of creating API keys and then trying to manage them securely, you can use grants to authenticate actual workloads. Spiral integrates with several OIDC providers. Check out the OIDC Integrations page for available integrations and how to set them up.
