RBAC Overview
Rack Gateway uses Role-Based Access Control (RBAC) to manage what users can do. Each user is assigned a role that determines their permissions.
The Four Roles
Section titled “The Four Roles”Rack Gateway has four built-in roles arranged in a hierarchy:
Each role inherits all permissions from the roles below it.
Role Capabilities
Section titled “Role Capabilities”| Role | Can Do | Cannot Do |
|---|---|---|
| Viewer | List apps, view logs, see builds, read processes | Any write operations |
| Ops | All Viewer + restart apps, exec into containers, manage processes | Build, deploy, create apps |
| Deployer | All Ops + build, deploy, create/update apps, manage environment | Delete apps, user management |
| Admin | Everything including user management, settings, destructive operations | Nothing restricted |
Permission Format
Section titled “Permission Format”Permissions follow a consistent format:
{scope}:{resource}:{action}Examples:
convox:app:list- List applicationsconvox:process:exec- Execute commands in containersconvox:build:create- Create new buildsgateway:user:create- Create gateway users
Role Details
Section titled “Role Details”Viewer
Section titled “Viewer”Read-only access for monitoring and observability.
Allowed operations:
- List applications
- View application status and processes
- Read logs
- View builds (not releases - they contain secrets)
- View rack information
Use case: Stakeholders who need visibility but shouldn’t make changes.
Operational access for incident response and debugging.
Inherits: All Viewer permissions
Additional operations:
- Restart applications
- Execute commands in containers (
exec) - Start and stop processes
- Scale applications (within limits)
Use case: On-call engineers and operations staff.
Deployer
Section titled “Deployer”Deployment access for engineers who ship code.
Inherits: All Ops permissions
Additional operations:
- Create builds
- Promote releases
- Create and update applications
- Manage environment variables
- Manage resources
Use case: Software engineers and DevOps.
Full administrative access.
Inherits: All Deployer permissions
Additional operations:
- Delete applications
- Manage users and roles
- Configure gateway settings
- View and manage all API tokens
- Access audit logs
- Perform destructive operations
Use case: Platform administrators and security team.
How RBAC Works
Section titled “How RBAC Works”When a request comes through the gateway:
Request → Extract User → Check Role → Map to Permission → Allow/Deny- Extract User - Identify the user from session or API token
- Check Role - Look up the user’s role
- Map to Permission - Convert the API endpoint to a permission
- Allow/Deny - Check if the role grants the permission
Example: Deploying an App
Section titled “Example: Deploying an App”rack-gateway deploy -a myapp- User identified as
developer@company.com - User has role
deployer - Deploy maps to
convox:release:promote - Deployer role includes this permission → Allowed
Example: Deleting an App
Section titled “Example: Deleting an App”rack-gateway apps delete myapp- User identified as
developer@company.com - User has role
deployer - Delete maps to
convox:app:delete - Deployer role does NOT include this → Denied
API Tokens and RBAC
Section titled “API Tokens and RBAC”API tokens have their own role assignment:
# Create a deployer-level token for CI/CDrack-gateway api-token create --name "CI/CD" --role deployerThe token’s role determines what operations it can perform, independent of who created it.
Assigning Roles
Section titled “Assigning Roles”Roles are assigned by administrators through the web UI:
- Go to Users
- Click on a user
- Select their role from the dropdown
- Save changes
Role changes take effect immediately for new requests.
RBAC and Audit Logging
Section titled “RBAC and Audit Logging”All RBAC decisions are logged:
{ "timestamp": "2024-01-15T10:30:00Z", "user_email": "developer@company.com", "method": "DELETE", "path": "/apps/myapp", "rbac_decision": "deny", "required_permission": "convox:app:delete", "user_role": "deployer"}This provides a complete trail of access decisions for compliance.
Best Practices
Section titled “Best Practices”- Start with Viewer - Give new users viewer access, upgrade as needed
- Separate Ops and Deploy - Not everyone who deploys needs exec access
- Limit Admins - Only a few trusted users should be admins
- Use API Tokens for CI/CD - Don’t use personal sessions in automation
- Regular Reviews - Periodically review who has what role
See RBAC Best Practices for detailed guidance.
Next Steps
Section titled “Next Steps”- Roles - Detailed role definitions
- Permissions - Complete permission reference
- Best Practices - Implementation patterns