Authorization policies
Authorization in Endor Labs is defined by a set of authorization policies. An authorization policy defines the permissions granted to an identity, authenticated by a supported identity provider, when that identity satisfies rule criteria expressed as attributes or claims about the identity.
Authorization policies must contain the following information:
- The supported identity provider from which a given identity originates.
- The role granted to the identity.
- An optional expiration time for the policy.
- The rule criteria, or claims, that the identity must have to be authorized to access Endor Labs.
After setting up the authorization policy, you can invite users to Endor Labs.
Set up authorization policies
To set up an authorization policy for your Endor Labs tenant:
- Sign in to Endor Labs and select Access Control in the left sidebar.
- Select Auth Policy and click Add Auth Policy.
- Select the identity provider for which you want to configure an authorization policy.
- Select the role to be granted to a matching identity.
- Select how long the authorization rule remains in effect in the system.
- This may be either No expiration, 24 hours, 72 hours, one week, two weeks, or 30 days.
- Select the claims for which the authorization rule grants access.
- For GitHub and GitLab, this may be the user’s platform handle.
- For Google, this may be the user’s email address or the domain of the email address.
- For a custom identity provider, this may be a key-value pair matched against the claims provided by your external identity provider.
- For Email, this may be the email address to which an authentication link is sent.
- For GitHub Action OIDC, this may be the organization or repository under which a workload runs.
- For AWS Role, this may be the ARN of the AWS role that the machine is set to impersonate.
- For Google Cloud, this may be the principal email of the service account that the workload is set to impersonate.
- For Azure, these may be the user’s tenant ID, app ID, object ID, and subscription ID.
- Under Advanced, select the set of namespaces to which the authorization policy applies. If you choose to propagate this policy to all child namespaces, the authorization policy applies to the selected namespaces and their children.
- Click Add Auth Policy to save your authorization policy.
After adding the authorization policy, a user with the corresponding authorization claims can sign in to Endor Labs with their configured permissions.
See Invite users to Endor Labs.
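As an added illustration of how the parts of a policy described above combine at sign-in (identity provider, claim match, expiration, and namespace scope with propagation to children), here is a small evaluator. It is not Endor Labs' own code; the role names, handles, claim keys and the dot-separated namespace hierarchy are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class AuthPolicy:
    provider: str                   # identity provider the policy applies to
    role: str                       # role granted when the policy matches
    claims: dict                    # every key/value must match the identity
    namespaces: set                 # namespaces the policy is scoped to
    propagate: bool = False         # also apply to child namespaces
    expires_at: Optional[datetime] = None  # None means "No expiration"

def in_scope(policy: AuthPolicy, namespace: str) -> bool:
    """Namespace is selected directly, or is a child of one when propagating."""
    if namespace in policy.namespaces:
        return True
    # Assumption: child namespaces are written parent.child (dot-separated).
    return policy.propagate and any(
        namespace.startswith(parent + ".") for parent in policy.namespaces)

def matches(policy, provider, identity_claims, namespace, now) -> bool:
    if policy.provider != provider:
        return False                # a policy never spans providers
    if policy.expires_at is not None and now >= policy.expires_at:
        return False                # an expired policy grants nothing
    if not in_scope(policy, namespace):
        return False
    # Exact match on every configured claim; extra identity claims are ignored.
    return all(identity_claims.get(k) == v for k, v in policy.claims.items())

def roles_for(policies, provider, identity_claims, namespace, now=None):
    """Roles an authenticated identity receives in the given namespace."""
    now = now or datetime.now(timezone.utc)
    return sorted({p.role for p in policies
                   if matches(p, provider, identity_claims, namespace, now)})

# Constructed sample policies; handles, domains and role names are made up.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
POLICIES = [
    AuthPolicy("github", "Admin", {"handle": "octocat"}, {"acme"}, propagate=True),
    AuthPolicy("google", "Viewer", {"email_domain": "example.com"},
               {"acme.team-a"}, expires_at=datetime(2024, 1, 2, tzinfo=timezone.utc)),
    AuthPolicy("github_action_oidc", "CI", {"organization": "acme-org"}, {"acme.ci"}),
]

if __name__ == "__main__":
    print(roles_for(POLICIES, "github", {"handle": "octocat"}, "acme.team-a", NOW))
```

Note that the Google policy stops granting anything once its 24-hour expiration passes, and that without propagation it does not reach the parent namespace.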