User Management

RBAC (Role-Based Access Control)

Firefly provides a role-based access control system to manage user permissions within the platform. RBAC in Firefly is currently straightforward, with two primary roles available: Admin and Viewer. Each role comes with a different level of access and capabilities in the Firefly platform.

Admin Role

Admin users have full access to the Firefly platform. They can manage integrations, view and modify all assets, and perform codification and remediation actions. Crucially, an Admin can manage user accounts and settings. For example, Admins are the ones who can invite new users to the workspace and assign roles (either Admin or Viewer) to them. Admins can also create API key pairs, set up integrations/providers, define ignore rules, exclude drifts, configure notifications, and generally make any changes in the Firefly environment. Essentially, this role is for those who need control over configuration and governance in Firefly.

Viewer Role

Viewers have read-only access. A user with the Viewer role can log in to Firefly and see the inventory of assets, their IaC status, drifts, insights, etc., but cannot make changes that affect the environment's configuration. Viewers cannot onboard new integrations, cannot invite other users, and cannot initiate codification or other write actions. This role is ideal for team members who need visibility (for example, auditors, DevOps engineers, or stakeholders who just want to monitor infrastructure state) without the ability to alter settings. The Viewer is essentially a consumption role: Viewers can consume the data and dashboards but cannot modify resources or settings.

Differences in permissions

In summary, the Admin role encompasses all permissions (including those of Viewer plus administrative actions), while the Viewer role is restricted to read-only activities. For instance, if there's a button to "Remediate Drift" or "Create Jira Issue" on an asset in the UI, a Viewer would not have access to execute that, whereas an Admin would. Similarly, only Admins can use the settings pages for things like user management, integrations, API keys, etc., whereas Viewers will be blocked from using them.

Currently, these two roles apply to the entire organization (account) in Firefly. Every user is either an Admin or Viewer for the whole environment.

Note: Granular RBAC (such as limiting a user's access to only specific cloud accounts or projects) will soon be available in the platform.

Future RBAC expansion

Firefly is working to expand its RBAC system in the near future. While today you are limited to just Admin and Viewer roles, future updates will introduce more roles and permission settings. This will include roles with scoped access (e.g., to specific cloud accounts or projects), custom roles, or integration-specific permissions, to cater to enterprise needs for more nuanced access control. Keep an eye on Firefly's updates for more advanced RBAC features as the platform evolves.

Multi-Tenant Capabilities

Firefly provides organizations with comprehensive multi-tenant capabilities, enabling administrators to establish and manage multiple isolated Firefly tenants within a single organizational framework. Each tenant operates as a completely independent environment, designed to serve distinct teams with access to their respective cloud accounts and resources.

Key Capabilities

Complete Tenant Isolation: Each tenant maintains full separation from others, ensuring data privacy, security boundaries, and independent governance policies. This means that users in one tenant cannot access or view resources from another tenant, providing strict isolation at the organizational level.

Team-Specific Access Control: Tenants can be configured to serve different teams with tailored access to their designated cloud accounts and infrastructure. This allows organizations to create dedicated environments for different departments, projects, or business units while maintaining centralized oversight.

Centralized Administration: Organization administrators retain the ability to seamlessly navigate between tenants while maintaining oversight and control. This enables efficient management of multiple teams and environments from a single administrative interface.

Scalable Governance: The multi-tenant architecture supports diverse organizational structures, from departmental divisions to subsidiary management.

This architecture enables organizations to maintain centralized oversight while providing teams with the autonomy and isolation they need to manage their specific cloud environments effectively. Each tenant can have its own set of integrations, policies, and user management while still being part of the broader organizational framework.

Creating Firefly Key-Pair for API and FireflyCI

To use Firefly's API or integrate with FireflyCI (Firefly's CI/CD integration), you need to generate an API key pair (Access Key and Secret Key) for authentication. Follow these steps to create a new key pair and use it securely:

  1. Navigate to the Key Pair settings: In the Firefly web console, go to Settings > Users.

  2. Create a new key pair: Click Create Key Pair. Firefly will generate an Access Key and Secret Key for you.

  3. Copy the keys: Once generated, copy the Access Key and Secret Key. They will be shown only once, so make sure to save them immediately.

  4. Store the keys securely: Save your key pair in a secure place (e.g. a password manager or secrets vault). Treat the Secret Key like a password and keep it confidential.

  5. Close the dialog: After copying your credentials, click Close to finish the key pair creation process.

For next steps, please check FireflyCI and Firefly API.
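
An added example (not part of Firefly's documentation or tooling) of step 4 on a CI runner: it stores the key pair in an owner-only file and exports it only if the file's mode is still 600 or 400. The file layout, the variable names FIREFLY_ACCESS_KEY and FIREFLY_SECRET_KEY, and the helper function names are assumptions made for this example.

```sh
# Added example: file layout, variable names and helper names are assumptions.

# Print a file's permission bits in octal (GNU stat first, BSD stat second).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Read the Access Key (line 1) and Secret Key (line 2) from stdin, so the
# secret never appears in argv or shell history, and write an owner-only file.
store_keypair() {
  local file="$1" access secret
  IFS= read -r access || [ -n "$access" ] || return 1
  IFS= read -r secret || [ -n "$secret" ] || return 1
  [ -n "$access" ] && [ -n "$secret" ] || return 1
  rm -f "$file"
  ( umask 077
    printf 'FIREFLY_ACCESS_KEY=%s\nFIREFLY_SECRET_KEY=%s\n' \
      "$access" "$secret" > "$file" )
}

# Export the key pair from the file, refusing files that group or others
# can read. Lines are parsed, not sourced, so the file cannot run commands.
load_keypair() {
  local file="$1" mode line key
  [ -f "$file" ] || { echo "missing credentials file: $file" >&2; return 1; }
  mode=$(file_mode "$file") || return 1
  case $mode in
    600|400) ;;
    *) echo "refusing $file: mode $mode, want 600 or 400" >&2; return 2 ;;
  esac
  while IFS= read -r line || [ -n "$line" ]; do
    key=${line%%=*}
    case $key in
      FIREFLY_ACCESS_KEY|FIREFLY_SECRET_KEY) export "$key=${line#*=}" ;;
    esac
  done < "$file"
  [ -n "${FIREFLY_ACCESS_KEY:-}" ] && [ -n "${FIREFLY_SECRET_KEY:-}" ]
}

# Log-safe form of a secret: mask everything except the last four characters.
redact() {
  local v="$1"
  if [ "${#v}" -le 4 ]; then echo '****'; return; fi
  printf '****%s\n' "${v#"${v%????}"}"
}
```

In a pipeline, call load_keypair before the step that needs the keys, and pass only the output of redact to logs.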
