devtron-labs · ashokdevtron · Jan 15, 2024 · Jan 2, 2024 · Jan 8, 2024 · Jan 9, 2024
@@ -25,9 +25,16 @@
   * [Container/OCI Registry](user-guide/global-configurations/container-registries.md)
   * [Chart Repositories](user-guide/global-configurations/chart-repo.md)
   * [Custom Charts](user-guide/global-configurations/custom-charts.md)
-  * [SSO Login Services](user-guide/global-configurations/sso-login.md)
-    * [Example - Okta SSO](user-guide/global-configurations/okta.md)
   * [Authorization](user-guide/global-configurations/authorization/README.md)
+    * [SSO Login Services](user-guide/global-configurations/sso-login.md)
+      * [Google](user-guide/global-configurations/authorization/sso/google.md)
+      * [GitHub](user-guide/global-configurations/authorization/sso/github.md)
+      * [GitLab](user-guide/global-configurations/authorization/sso/gitlab.md)
+      * [Microsoft](user-guide/global-configurations/authorization/sso/microsoft.md)
+      * [LDAP](user-guide/global-configurations/authorization/sso/ldap.md)
+      * [OIDC](user-guide/global-configurations/authorization/sso/oidc.md)
+      * [OpenShift](user-guide/global-configurations/authorization/sso/openshift.md)
+      * [Example - Okta SSO](user-guide/global-configurations/okta.md)
     * [User Permissions](user-guide/global-configurations/authorization/user-access.md)
     * [Permission Groups](user-guide/global-configurations/authorization/permission-groups.md)
     * [API Tokens](user-guide/global-configurations/authorization/api-tokens.md)

@@ -4,37 +4,42 @@ Using the `Permission groups`, you can assign a user to a particular group and a
 
 The advantage of the `Permission groups` is to define a set of privileges like create, edit, or delete for the given set of resources that can be shared among the users within the group.
 
-**Note**: The [User permissions](https://docs.devtron.ai/global-configurations/authorization/user-access) section for `Specific permissions` contains a drop-down list of all existing groups for which a user has an access. This is an optional field and more than one groups can be selected for a user.
+{% hint style="info" %}
+The [User permissions](../../global-configurations/authorization/user-access) section for `Specific permissions` contains a drop-down list of all existing groups for which a user has an access. This is an optional field and more than one groups can be selected for a user.
+{% endhint %}
 
 ## Add Group
 
-To add a group, go to the `Authorization > Permissions groups` section of `Global Configurations`. Click **Add group**.
+Go to **Global Configurations** → **Authorization** → **Permissions groups** → **Add group**.
 
 ![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/permission-group/permission-group-1.png)
 
 Enter the `Group Name` and `Description`.
 
 ![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/permission-group/permission-group-2.png)
 
-Assign the permissions of groups to users to manage access for:
+You can either grant [super-admin](../../global-configurations/authorization/user-access.md#role-based-access-levels) permission to a user group or specific permissions to manage access for:
 
    * [Devtron Apps](#devtron-apps-permissions)
    * [Helm Apps](#helm-apps-permissions)
+   * [Jobs](#jobs)
    * [Kubernetes Resources](#kubernetes-resources-permissions)
    * [Chart Groups](#chart-group-permissions)
 
 ### Devtron Apps Permissions
 
 In `Devtron Apps` option, you can provide access to a group to manage permission for custom apps created using Devtron.
 
-**Note**: The `Devtron Apps` option will be available only if you install [CI/CD integration](https://docs.devtron.ai/usage/integrations/build-and-deploy-ci-cd).
+{% hint style="info" %}
+The `Devtron Apps` option will be available only if you install [CI/CD integration](https://docs.devtron.ai/usage/integrations/build-and-deploy-ci-cd).
+{% endhint %}
 
 Provide the information in the following fields:
 
-![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/permission-group/permission-group-devtron-apps.jpg)
+![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/permission-group/permission-group-devtron-apps-v2.jpg)
 
 
-| Registry Type | Credentials |
+| Dropdown | Description |
 | --- | --- |
 | **Project** | Select a project from the drop-down list to which you want to give permission to the group. You can select only one project at a time.<br>Note: If you want to select more than one project, then click `Add row`.</br> |
 | **Environment** | Select the specific environment or all environments from the drop-down list.<br>Note: If you select `All environments` option, then a user gets access to all the current environments including any new environment which gets associated with the application later.</br> |
@@ -43,17 +48,17 @@ Provide the information in the following fields:
 
 You can add multiple rows for `Devtron Apps` permission.
 
-Once you have finished assigning the appropriate permissions for the groups, Click `Save`.
+Once you have finished assigning the appropriate permissions for the groups, Click **Save**.
 
 ### Helm Apps Permissions
 
 In `Helm Apps` option, you can provide access to a group to manage permission for Helm apps deployed from Devtron or outside Devtron.
 
 Provide the information in the following fields:
 
-![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/permission-group/permission-groups-helm-apps.jpg)
+![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/permission-group/permission-groups-helm-apps-v2.jpg)
 
-| Registry Type | Credentials |
+| Dropdown | Description |
 | --- | --- |
 | **Project** | Select a project from the drop-down list to which you want to give permission to the group. You can select only one project at a time.<br>Note: If you want to select more than one project, then click `Add row`.</br> |
 | **Environment or cluster/namespace** | Select the specific environment or `all existing environments in default cluster` from the drop-down list.<br>Note: If you select `all existing + future environments in default cluster` option, then a user gets access to all the current environments including any new environment which gets associated with the application later.</br> |
@@ -62,25 +67,47 @@ Provide the information in the following fields:
 
 You can add multiple rows for Devtron app permission.
 
-Once you have finished assigning the appropriate permissions for the groups, Click `Save`.
+Once you have finished assigning the appropriate permissions for the groups, Click **Save**.
+
+### Jobs
+
+In `Jobs` option, you can provide access to a group to manage permission for jobs created using Devtron.
+
+Provide the information in the following fields:
+
+![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/permission-group/permission-groups-jobs-v2.jpg)
+
+| Dropdown | Description |
+| --- | --- |
+| **Project** | Select a project from the drop-down list to which you want to give permission to the group. You can select only one project at a time.<br>Note: If you want to select more than one project, then click `Add row`.</br> |
+| **Job Name** | Select the specific job name or all jobs from the drop-down list.<br>Note: If you select `All Jobs` option, then the user gets access to all the current jobs including any new job which gets associated with the project later.</br>  |
+| **Workflow**  | Select the specific workflow or all workflows from the drop-down list.<br>Note: If you select `All Workflows` option, then the user gets access to all the current workflows including any new workflow which gets associated with the project later.</br> |
+| **Environment** | Select the specific environment or all environments from the drop-down list.<br>Note: If you select `All environments` option, then the user gets access to all the current environments including any new environment which gets associated with the project later.</br> |
+| **Role**  | Select one of the [roles](#role-based-access-levels) to which you want to give permission to the user:<ul><li>`View only`</li></ul> <ul><li>`Run job`</li></ul><ul><li>`Admin`</li></ul>  |
+
+You can add multiple rows for `Jobs` permission.
+
+Once you have finished assigning the appropriate permissions for the groups, Click **Save**.
 
 
 ### Kubernetes Resources Permissions
 
 In `Kubernetes Resources` option, you can provide permission to view, inspect, manage, and delete resources in your clusters from [Kubernetes Resource Browser](https://docs.devtron.ai/usage/resource-browser) page in Devtron. You can also create resources from the `Kubernetes Resource Browser` page.
 
-**Note**: Only super admin users will be able to see `Kubernetes Resources` tab and provide permission to other users to access `Resource Browser`.
+{% hint style="info" %}
+Only super admin users will be able to see `Kubernetes Resources` tab and provide permission to other users to access `Resource Browser`.
+{% endhint %}
 
 To provide Kubernetes resource permission, click `Add permission`.
 
-![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/permission-group/kubernetes-resources-permission-group.jpg)
+![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/permission-group/kubernetes-resources-permission-group-v2.jpg)
 
 On the `Kubernetes resource permission`, provide the information in the following fields:
 
 
-![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/user-permission/kubernetes-resource-permission-page-latest.jpg)
+![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/user-access/user-permission/kubernetes-resources-permission-page-v2.jpg)
 
-| Registry Type | Credentials |
+| Dropdown | Description |
 | --- | --- |
 | **Cluster** | Select a cluster from the drop-down list to which you want to give permission to the user. You can select only one cluster at a time.<br>Note: To add another cluster, then click `Add another`.</br> |
 | **Namespace** | Select the namespace from the drop-down list. |
@@ -91,39 +118,43 @@ On the `Kubernetes resource permission`, provide the information in the followin
 
 You can add multiple rows for Kubernetes resource permission.
 
-Once you have finished assigning the appropriate permissions for the groups, Click `Save`.
+Once you have finished assigning the appropriate permissions for the groups, Click **Save**.
 
 ### Chart Group Permissions
 
 In `Chart group permission` option, you can manage the access of groups for Chart Groups in your project.
 
-**Note**: The `Chart group permission` option will be available only if you install [CI/CD integration](https://docs.devtron.ai/usage/integrations/build-and-deploy-ci-cd).
+{% hint style="info" %}
+The `Chart group permission` option will be available only if you install [CI/CD integration](https://docs.devtron.ai/usage/integrations/build-and-deploy-ci-cd).
+{% endhint %}
 
-![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/permission-group/kubernetes-resources-permission-group.jpg)
+![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/permission-group/permission-group-chart-v2.jpg)
 
-**NOTE:** You can only give users the ability to `create` or `edit`, not both.
+{% hint style="info" %}
+You can only give users the ability to `create` or `edit`, not both.
+{% endhint %}
 
 | Action | Permissions |
 | :---   | :---         |
 | View  | Enable `View` to view chart groups only. |
 | Create | Enable `Create` if you want the users to create, view, edit or delete the chart groups. |
 | Edit | <ul><li>**Deny**: Select `Deny` option from the drop-down list to restrict the users to edit the chart groups.</li><li>**Specific chart groups**: Select the `Specific Charts Groups` option from the drop-down list and then select the chart group for which you want to allow users to edit.</li></ul> |
 
-Click `Save`once you have configured all the required permissions for the groups.
+Click **Save** once you have configured all the required permissions for the groups.
 
 
 ### Edit Permissions Groups
 
 You can edit the permission groups by clicking the `downward arrow.`
 
-![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/permission-group/permission-group-4.png)
+![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/permission-group/edit-permission-group.jpg)
 
 Edit the permission group.
 
-![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/permission-group/permission-group-5.png)
+![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/permission-group/save-permission-group.jpg)
 
-Once you are done editing the permission group, click `Save`.
+Once you are done editing the permission group, click **Save**.
 
-If you want to delete the groups with particular permission group, click `Delete`.
+If you want to delete the groups with particular permission group, click **Delete**.
 
 
@@ -0,0 +1,37 @@
+# GitHub
+
+## Sample Configuration
+
+![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/sso-login-service/github.jpg)
+
+---
+
+## Values You Would Require at SSO Provider
+
+Devtron provides a sample configuration out of the box. There are some values that you need to either get from your SSO provider or give to your SSO provider.
+
+### Values to Fetch
+
+* clientID
+
+* clientSecret
+
+    ![Fetching Client ID and Secret](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/sso-login-service/secret/github-id-secret.jpg)
+
+### Values to Provide
+
+* redirectURI (provided in SSO Login Services by Devtron)
+
+    ![Copying Redirect URI from Devtron](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/sso-login-service/redirect/github-redurl.jpg)
+
+    ![Pasting Redirect URI](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/sso-login-service/redirect/github-redirect.jpg)
+
+---
+
+## Reference
+
+* [View GitHub Documentation](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app)
+
+* [View Dex IdP Documentation](https://dexidp.io/docs/connectors/github/)
+
+
@@ -0,0 +1,35 @@
+# GitLab
+
+## Sample Configuration
+
+![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/sso-login-service/gitlab.jpg)
+
+---
+
+## Values You Would Require at SSO Provider
+
+Devtron provides a sample configuration out of the box. There are some values that you need to either get from your SSO provider or give to your SSO provider.
+
+### Values to Fetch
+
+* clientID
+* clientSecret
+
+    ![Fetching Client ID and Secret](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/sso-login-service/secret/gitlab-id-secret.jpg)
+
+### Values to Provide
+
+* redirectURI (provided in SSO Login Services by Devtron)
+
+    ![Copying Redirect URI from Devtron](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/sso-login-service/redirect/gitlab-redurl.jpg)
+
+    ![Pasting Redirect URI](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/sso-login-service/redirect/gitlab-redirect-v2.jpg)
+
+---
+
+## Reference
+
+* [View GitLab Documentation](https://docs.gitlab.com/ee/integration/oauth_provider.html)
+
+* [View Dex IdP Documentation](https://dexidp.io/docs/connectors/gitlab/)
+
@@ -0,0 +1,39 @@
+# Google
+
+## Sample Configuration
+
+![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/sso-login-service/google.jpg)
+
+---
+
+## Values You Would Require at SSO Provider
+
+Devtron provides a sample configuration out of the box. There are some values that you need to either get from your SSO provider or give to your SSO provider.
+
+### Values to Fetch
+
+* clientID
+
+* clientSecret
+
+    ![Fetching Client ID and Secret](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/sso-login-service/secret/google-id-secret.jpg)
+
+
+### Values to Provide
+
+* redirectURI (provided in SSO Login Services by Devtron)
+
+    ![Copying Redirect URI from Devtron](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/sso-login-service/redirect/google-redurl.jpg)
+
+    ![Pasting Redirect URI](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/sso-login-service/redirect/google-redirect.jpg)
+
+---
+
+## Reference
+
+* [View Google Documentation](https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid)
+
+* [View Dex IdP Documentation](https://dexidp.io/docs/connectors/google/)
+
+
+
@@ -0,0 +1,50 @@
+# LDAP
+
+## Sample Configuration
+
+![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/sso-login-service/ldap.jpg)
+
+---
+
+## Values to fetch from LDAP
+
+Devtron provides a sample configuration out of the box. Here are some values you need to fetch from your LDAP.
+
+* bindDN
+* bindPW
+* baseDN
+
+---
+
+## Reference
+
+[What is LDAP](https://www.okta.com/identity-101/what-is-ldap/)
+
+---
+
+## Auto-assign Permissions [![](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/elements/EnterpriseTag.svg)](https://devtron.ai/pricing)
+
+Since LDAP supports creation of User Groups, this feature simplifies the onboarding process of organizations having a large headcount of users. It also eliminates repetitive permission assignment by automatically mapping your LDAP User groups to Devtron's [Permission Groups](../permission-groups.md) during single sign-on (SSO) login.
+
+![Enabling Permission Auto-assignment](https://devtron-public-asset.s3.us-east-2.amazonaws.com/images/global-configurations/sso-login-service/secret/auto-grant-ldap.jpg)
+
+If you've created user groups in LDAP, you can create corresponding permission groups in Devtron with the same names. When members of those user groups first log in to Devtron, they'll automatically inherit the permissions from their Devtron permission group. This means you can't manually adjust or add [individual permissions for users](../user-access.md) mapped to a permission group.
+
+{% hint style="warning" %}
+SSO login requires exact matching between Devtron permission group names and LDAP user groups. Any discrepancies or missing groups will prevent successful login.
+
+Once you save the configuration with this auto-assign feature enabled, existing user permissions will be cleared and the future permissions will be managed through [Permission Groups](../permission-groups.md) linked to LDAP user groups.
+{% endhint %}
+
+{% hint style="info" %}
+If you're missing some permissions that you know you should have, try logging out and signing back in to Devtron. This will refresh your permissions based on your latest LDAP user group.
+{% endhint %}
+
+
+
+
+
+
+
+
+