User Management
DevOpsGenie provides centralized identity and access management across all clusters, environments, and cloud accounts. This page covers how users, teams, and service accounts are provisioned, authenticated, and authorized.
Authentication
DevOpsGenie supports the following authentication providers:
| Provider | Protocol | Recommended For |
|---|---|---|
| Okta | OIDC / SAML 2.0 | Enterprise — existing Okta deployment |
| Azure AD (Entra ID) | OIDC / SAML 2.0 | Microsoft 365 organizations |
| Google Workspace | OIDC | GCP-primary organizations |
| GitHub | OAuth 2.0 | Developer-first teams |
| Local accounts | Username + password | Development / evaluation only |
Configuring Okta SSO
devopsgenie.yaml

```yaml
auth:
  provider: okta
  okta:
    domain: devopsgenie.okta.com
    clientId: "0oa..."
    # Store clientSecret in Secrets Manager — never in plain config
    clientSecretRef:
      secretName: okta-credentials
      key: client-secret
  sessionDuration: 8h
  requireMfa: true
```
Authorization — RBAC Model
DevOpsGenie uses a three-tier RBAC model:
```text
Organization
└── Teams
    └── Namespaces / Environments
```
Platform Roles
| Role | Scope | Capabilities |
|---|---|---|
| platform-admin | Organization | Full access — provision clusters, manage policies, view all |
| cluster-admin | Cluster | Manage node groups, add-ons, and cluster-scoped resources |
| team-lead | Team namespaces | Manage workloads, view secrets, configure alerts |
| developer | Team namespaces | Deploy workloads, read logs, port-forward, exec into pods |
| readonly | Team namespaces | Read-only across all resources |
| ci-deployer | Team namespaces | Create/update Deployments and ConfigMaps only (for CI pipelines) |
Assigning Roles
```bash
# Assign a user to the developer role in the payments namespace
devopsgenie rbac assign \
  --user alice@devopsgenie.io \
  --role developer \
  --namespace team-payments

# Assign an entire team
devopsgenie rbac assign \
  --team payments-engineering \
  --role developer \
  --namespace team-payments

# View current assignments
devopsgenie rbac list --namespace team-payments
```
Kubernetes RBAC Binding (generated by DevOpsGenie)
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: developer-payments-engineering
  namespace: team-payments
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: devopsgenie:developer
subjects:
  - kind: Group
    name: payments-engineering
    apiGroup: rbac.authorization.k8s.io
```
Team Management
Creating a Team
```bash
devopsgenie team create payments-engineering \
  --display-name "Payments Engineering" \
  --cost-center "eng-payments" \
  --namespace team-payments

# Add members
devopsgenie team add-member payments-engineering alice@devopsgenie.io
devopsgenie team add-member payments-engineering bob@devopsgenie.io
```
Team Self-Service Permissions
By default, team leads can:
- Create and delete namespaces within their team's scope
- Manage HPA and scaling policies for their workloads
- View (not edit) resource quotas
- Request quota increases (requires platform-admin approval)
Service Accounts for CI/CD
CI pipelines should use dedicated, least-privilege service accounts:
```bash
# Create a CI service account for the payments team
devopsgenie service-account create ci-payments \
  --team payments-engineering \
  --role ci-deployer \
  --namespace team-payments \
  --token-ttl 24h

# Get a short-lived token for the pipeline
devopsgenie service-account token ci-payments --duration 1h
```
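The ci-deployer role in the Platform Roles table is defined as "Create/update Deployments and ConfigMaps only", and the service-account section relies on that envelope being tight. The following is an added example, not DevOpsGenie's own code: a small lint that checks a ClusterRole's rules against that documented envelope, so a drifted or hand-edited role that grants Secrets access, delete, or wildcards is caught before it is bound to a CI service account. The manifest is constructed here, and the name `devopsgenie:ci-deployer` is assumed from the `devopsgenie:developer` naming pattern shown above; the read verbs are an assumption needed for `kubectl apply`-style workflows.

```python
# Added example (not DevOpsGenie's generated manifest): least-privilege lint
# for the ClusterRole behind the ci-deployer role. The role name and the read
# verbs (get) are assumptions; the page only states create/update on
# Deployments and ConfigMaps.
ALLOWED_VERBS = {"get", "create", "update", "patch"}
ALLOWED = {
    ("apps", "deployments"): ALLOWED_VERBS,
    ("", "configmaps"): ALLOWED_VERBS,   # "" is the core API group
}

# Constructed ClusterRole matching the documented ci-deployer capabilities.
CI_DEPLOYER_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "devopsgenie:ci-deployer"},  # assumed name
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "create", "update", "patch"]},
        {"apiGroups": [""], "resources": ["configmaps"],
         "verbs": ["get", "create", "update", "patch"]},
    ],
}


def lint_rules(clusterrole):
    """Return a list of findings; an empty list means every rule stays
    inside the documented ci-deployer envelope."""
    findings = []
    for rule in clusterrole.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        # Wildcards silently widen the role; reject them outright.
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"wildcard in rule {rule}")
            continue
        for group in groups:
            for resource in resources:
                allowed = ALLOWED.get((group, resource))
                label = f"{group or 'core'}/{resource}"
                if allowed is None:
                    findings.append(f"resource {label} not permitted for ci-deployer")
                elif not verbs <= allowed:
                    extra = sorted(verbs - allowed)
                    findings.append(f"verbs {extra} not permitted on {label}")
    return findings


if __name__ == "__main__":
    print(lint_rules(CI_DEPLOYER_CLUSTERROLE) or "ci-deployer role is within policy")
```

Run the lint in the pipeline that applies RBAC changes, and fail the change whenever the list is non-empty.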
Audit Logging
Every authentication event, RBAC binding change, and administrative action is logged:
```bash
# View recent access events
devopsgenie audit log \
  --namespace team-payments \
  --since 24h \
  --level info

# Export audit logs to SIEM
devopsgenie audit export \
  --format json \
  --destination s3://devopsgenie-audit-logs/
```
Multi-Cluster Access
For organizations with multiple clusters, DevOpsGenie federates identity across all of them:
```bash
# Grant developer access to the staging cluster
devopsgenie rbac assign \
  --user alice@devopsgenie.io \
  --role developer \
  --namespace team-payments \
  --cluster devopsgenie-staging

# View access across all clusters
devopsgenie rbac list --user alice@devopsgenie.io --all-clusters
```