It is currently only guaranteed to work with Keycloak.
To use access controls, Holocron requires an SSO service to be configured. Every request to the Holocron API must carry a JWT in the `Authorization` header, in the `Bearer <token>` format. Holocron does not obtain that token itself, so you will need to place it behind a reverse proxy, service mesh, or similar component that performs the SSO login and attaches the token to each request.
### How does Keycloak need to be set up to work with Holocron?
Keycloak needs an admin group (and, if `COST_METRICS` is enabled, a leadership group) set up for it to work with Holocron.
Holocron has so far only been tested with Keycloak, but any other SSO provider should work if it can be configured along the lines described below.
A group must be created for Holocron administrators, and its name passed to the API in the `SSO_ADMIN_GROUP` environment variable. The API also needs to know which claims of the decoded JWT hold the user's group memberships and username; those claim names are provided with the `SSO_GROUPS_KEY` and `SSO_USERNAME_KEY` environment variables.
If the experimental `COST_METRICS` feature is enabled, a second group should be created for anyone who is allowed to work with pay data. Its name is provided with the `SSO_LEADERSHIP_GROUP` environment variable.
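The following Python example shows how the settings above translate into a request check: parse the `Bearer` header, verify the token before reading anything from it, then look up the claims named by `SSO_USERNAME_KEY` and `SSO_GROUPS_KEY` and compare the groups against `SSO_ADMIN_GROUP` and `SSO_LEADERSHIP_GROUP`. This is an added illustration, not Holocron's own code. It assumes a constructed HS256 shared secret for the signature check (Keycloak issues RS256 tokens verified against the realm's public keys; that wiring is out of scope here), a `DEMO_ENV` dict standing in for the real environment variables, and the constructed group names `holocron-admins` and `holocron-leadership`.

```python
"""Bearer-token role resolution in the style the Holocron docs describe.

Added example; not Holocron's own code. Assumptions: a stand-in HS256 shared
secret (Keycloak really issues RS256 tokens checked against the realm's JWKS),
and a dict of settings named after the documented environment variables.
"""
import base64
import hashlib
import hmac
import json

# Constructed settings, mirroring the documented environment variables.
DEMO_ENV = {
    "SSO_ADMIN_GROUP": "holocron-admins",          # constructed group name
    "SSO_LEADERSHIP_GROUP": "holocron-leadership",  # constructed group name
    "SSO_GROUPS_KEY": "groups",                    # claim emitted by a Keycloak Group Membership mapper
    "SSO_USERNAME_KEY": "preferred_username",      # Keycloak's default username claim
    "COST_METRICS": "false",
}
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Mint a constructed HS256 JWT so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_and_decode(token: str, secret: bytes) -> dict:
    """Return the claims only after the signature verifies; unverified claims are never trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm: rejects 'none' and algorithm confusion
        raise PermissionError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def resolve_roles(claims: dict, env: dict) -> tuple[str, set[str]]:
    """Map verified claims to the SSO-managed roles (Admin, OrgLeadership)."""
    username = claims.get(env["SSO_USERNAME_KEY"])
    if not username:
        raise PermissionError("token lacks the username claim")
    raw_groups = claims.get(env["SSO_GROUPS_KEY"], [])
    if isinstance(raw_groups, str):
        raw_groups = [raw_groups]
    # Keycloak's Group Membership mapper emits full paths ("/holocron-admins") when
    # "Full group path" is on. Strip only a leading slash so a top-level group matches
    # either way, while a nested "/other/holocron-admins" still does not.
    groups = {g[1:] if g.startswith("/") else g for g in raw_groups}
    cost_metrics = env.get("COST_METRICS", "false").lower() in ("1", "true", "yes")
    roles = set()
    if env["SSO_ADMIN_GROUP"] in groups:
        roles.add("Admin")
    # OrgLeadership only exists while the experimental COST_METRICS feature is on.
    if cost_metrics and env.get("SSO_LEADERSHIP_GROUP") in groups:
        roles.add("OrgLeadership")
    return username, roles


def authorize(authorization_header: str, secret: bytes, env: dict) -> tuple[str, set[str]]:
    """Handle the documented `Authorization: Bearer <token>` header end to end."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise PermissionError("expected 'Bearer <token>'")
    return resolve_roles(verify_and_decode(token, secret), env)


if __name__ == "__main__":
    token = make_token({"preferred_username": "alice", "groups": ["/holocron-admins"]}, DEMO_SECRET)
    print(authorize("Bearer " + token, DEMO_SECRET, DEMO_ENV))
```

Two practical points follow from this. In Keycloak, a `groups` claim is not present in tokens by default: add a Group Membership mapper to the Holocron client (or to a client scope it uses) and set `SSO_GROUPS_KEY` to the claim name you give it; the mapper's "Full group path" option is on by default, which is why the example tolerates a leading slash. And whichever component attaches the token, the API side must still verify the signature, issuer and expiry before reading the group claim, otherwise anyone who can reach the API can forge a membership in the admin group.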
### App access control
If access controls are enabled, Holocron has the following access control groups and roles. The first two are managed by an SSO service such as Keycloak; the rest are managed internally by the API. The roles are described below, followed by the access control matrix for them.
1. **Admin**: This role has all global rights in the app, with the exception of viewing and updating pay data. To obtain this role, the user must be a member of the `SSO_ADMIN_GROUP` group (for more information on this group, consult the **Collector Environmental Variables** section).
2. **OrgLeadership**: If the experimental `COST_METRICS` feature is enabled, this role grants permission to view and update pay data. To obtain this role, the user must be a member of the `SSO_LEADERSHIP_GROUP` group (for more information on this group, consult the **Collector Environmental Variables** section).
3. **OrgAdmin** (Organization Admin): This role grants permission to view the metrics of, update, and delete a specific organization. It also grants rights to create, view the metrics of, update, and delete teams and value streams within that same organization. This role is managed internally by the API.
4. **VSAdmin** (Value Stream Admin): This role grants permission to view the metrics of, update, and delete a specific value stream. It also grants rights to create, view the metrics of, update, and delete teams within that same value stream. This role is managed internally by the API.
5. **TeamAdmin** (Team Admin): This role grants permission to view the metrics of, update, and delete a specific team. This role is managed internally by the API.
The access control matrix below shows each role's permissions in detail.