How to set up an AAD group

To control access to functionality within Yalla, we apply Role-Based Access Control (RBAC) at the platform level to determine what individuals can do. In your platform.yaml, you specify which users are permitted to manage the applications within your platform.

project:
  name: playground
  description: Playground project for testing
  access:
    admins:
      - user.one@bp.com
    editors:
      - user.two@bp.com
    readers:
      - user.three@bp.com

If you're setting up a platform for the first time, a Yalla administrator will approve any access changes for you. After that, existing platform administrators can approve future changes to access to add or remove team members.

Overview of roles

Role: Admin
Description: Administrators have the highest level of access, and can manage everything related to the platform in Yalla. Example roles: Platform Owner, Tech Lead, Senior Developers.
Access: Can update platform.yaml, including cluster information, RBAC and deployment flow. All access provided to editors.

Role: Editor
Description: Editors have read and write access to most functionality for the platform in Yalla. Example roles: Developers.
Access: Is a required PR reviewer for platform files (apart from platform.yaml). Can create and roll back deployments. Can create dashboards in Grafana. Can manage secrets via the CLI. All access provided to readers.

Role: Reader
Description: Readers have read access to the platform within Yalla. Example roles: External stakeholders, product managers.
Access: Can read logs and dashboards in Grafana.

Deployment Gates to Production

Some teams may want to configure deployment gates to require a user from the Admin group to approve a deployment to production. This can be configured in the deployment_flow section of platform.yaml.

project:
  name: playground
  description: Playground project for testing
  access:
    admins:
      - user.one@bp.com
    editors:
      - user.two@bp.com
    readers:
      - user.three@bp.com
  deployment_flow:
    - phase: 1
      env_name: staging
    - phase: 2
      env_name: prod
      approvers:
        - Admin

How RBAC works

When access is defined in a platform, security groups in AAD are automatically created and populated with members. These groups are linked to bp tools such as Grafana to automatically provide access to tools. Additionally, they are used within Yalla services to authorize users when performing actions, such as updating secrets via the Yalla CLI.

How pull request reviews work

When a pull request is created targeting platforms/<platform>/platform.yaml, the admins for the relevant platform are added as required reviewers. For all other files under that platform, the editors (which automatically include the admin members) are added.

The service account for deployments will be able to approve changes automatically.
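The three rules on this page (role inheritance behind the AAD groups, reviewer assignment by changed path, and the optional Admin gate on the prod phase) are easy to get wrong when editing platform.yaml by hand. The following is an added example, not Yalla's own code: it models those rules in Python over the sample platform.yaml from this page (embedded as already-parsed data, as yaml.safe_load would produce it) and adds a small lint a team could run in CI before opening the access-change PR. The service account address and the lint's findings wording are assumptions, not values from the page.

```python
# Added example (not Yalla's own code): derives effective AAD group membership,
# required PR reviewers and deployment-gate findings from a parsed platform.yaml.
import re
from typing import Dict, List

# Role hierarchy described on the page, most to least privileged: each role
# receives all access granted to the roles after it.
ROLE_ORDER = ["admins", "editors", "readers"]
ROLE_LABELS = {"admins": "Admin", "editors": "Editor", "readers": "Reader"}

# Constructed sample: the platform.yaml shown on this page as Python data
# (in real use, load the file with yaml.safe_load instead).
PLATFORM = {
    "project": {
        "name": "playground",
        "description": "Playground project for testing",
        "access": {
            "admins": ["user.one@bp.com"],
            "editors": ["user.two@bp.com"],
            "readers": ["user.three@bp.com"],
        },
        "deployment_flow": [
            {"phase": 1, "env_name": "staging"},
            {"phase": 2, "env_name": "prod", "approvers": ["Admin"]},
        ],
    }
}

# Hypothetical deployment service account (placeholder, not from the page).
DEPLOY_SERVICE_ACCOUNT = "svc-yalla-deploy@bp.com"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def effective_members(access: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Expand the access block into effective membership per role.

    Admins get everything editors get, and editors everything readers get, so
    the effective Editor group also holds the admins and the effective Reader
    group holds everyone. Order is kept and duplicates are dropped.
    """
    result: Dict[str, List[str]] = {}
    accumulated: List[str] = []
    for role in ROLE_ORDER:
        for user in access.get(role, []):
            if user not in accumulated:
                accumulated.append(user)
        result[role] = list(accumulated)
    return result


def required_reviewers(platform: str, changed_path: str,
                       access: Dict[str, List[str]]) -> List[str]:
    """Reviewers for one changed file, following the PR review rule above."""
    prefix = f"platforms/{platform}/"
    if not changed_path.startswith(prefix):
        return []  # file belongs to another platform; no reviewers from this one
    members = effective_members(access)
    if changed_path == prefix + "platform.yaml":
        return members["admins"]  # access and cluster changes need an admin
    return members["editors"]  # all other platform files: editors (incl. admins)


def can_auto_approve(author: str) -> bool:
    """The deployment service account may approve its own changes."""
    return author == DEPLOY_SERVICE_ACCOUNT


def lint_access(project: dict) -> List[str]:
    """Return findings for the access and deployment_flow sections."""
    findings: List[str] = []
    access = project.get("access", {})
    if not access.get("admins"):
        findings.append("access.admins is empty: nobody can approve platform.yaml changes")
    seen: Dict[str, str] = {}
    for role in ROLE_ORDER:
        for user in access.get(role, []):
            if not EMAIL_RE.match(user):
                findings.append(f"{role}: '{user}' is not an e-mail address")
            if user in seen and seen[user] != role:
                findings.append(f"'{user}' is in both {seen[user]} and {role}; "
                                f"the higher role already grants the lower access")
            seen.setdefault(user, role)
    for phase in project.get("deployment_flow", []):
        approvers = phase.get("approvers", [])
        for approver in approvers:
            if approver not in ROLE_LABELS.values():
                findings.append(f"phase {phase.get('phase')}: unknown approver role '{approver}'")
        if phase.get("env_name") == "prod" and not approvers:
            findings.append("prod phase has no approvers: no deployment gate is configured")
    return findings


if __name__ == "__main__":
    acc = PLATFORM["project"]["access"]
    print(effective_members(acc))
    print(required_reviewers("playground", "platforms/playground/platform.yaml", acc))
    print(lint_access(PLATFORM["project"]) or "no findings")
```

The lint treats a missing prod approver as a finding so that teams which rely on the Admin gate notice when it is dropped; teams that deliberately run ungated can ignore that line.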