Permissions Management

The DC/OS Identity and Access Management (IAM) system is designed to protect resources via fine-grained authorization. Each protected resource has one associated Access Control List (ACL) that declares which principals may perform which actions on a named resource. This is performed according to the whitelisting (deny-by-default) model.

Permissions can be applied to users and groups using either the DC/OS web interface, the IAM HTTP API or the DC/OS Enterprise CLI. Each interface provides a way to manage Access Control Entries (ACEs). Each ACE includes the following pieces of information:

A principal identifier
A resource identifier
An action identifier

These three pieces of information are strings.

Action identifiers must be chosen from a fixed set of actions. The available action identifiers are create, read, update, delete, and full. By convention, full indicates that the permission supports all other action identifiers. The identifier full may include actions not supported by any other action identifier.

Managing permissions from the CLI

There are four commands used for managing permissions from the DC/OS Enterprise CLI.

To manage permissions for groups from the DC/OS Enterprise CLI, use the following commands:

To manage permissions for users from the DC/OS Enterprise CLI, use the following commands:

Managing permissions using the API

The IAM HTTP API provides operations to manage permissions for users and groups.

Note that all entities must exist when creating a permission.

A typical pattern to create a permission is:

Call PUT /acls/{rid} to create the access control list for the protected resource {rid}, ignoring any returned 409 status code (which indicates that it already exists); then
Call PUT /acls/{rid}/users/{uid}/{action} or PUT /acls/{rid}/groups/{gid}/{action} to create the specific user or group access control entry.