Minimus RBAC: Granular Access Control for Container Security

By
Gabriele Falchini
February 13, 2026

When managing access to Minimus hardened images, different teams have different needs. Developers need to browse the Image Gallery and copy registry pull tokens for authentication. DevOps engineers need to configure self-hosted registries for air-gapped production environments and manage authentication tokens to maintain a strong security posture. Security leads and IT administrators need full oversight of user management and activity logs to maintain IAM infrastructure.

Before RBAC, organizations faced a dilemma: either grant everyone administrative access (creating security risks) or spend significant time manually configuring individual permissions for each user (a process that doesn't scale). As teams grow beyond 5-10 users, this permission management challenge becomes increasingly complex and time-consuming.

Minimus Role-Based Access Control

Minimus now supports Role-Based Access Control (RBAC), enabling granular permission management for all users in your organization. Instead of choosing between overly broad access or tedious individual configuration, you can assign users one of three permission levels: Viewer, Operator, or Admin. Each role is carefully designed to match common job functions and security requirements.

Existing Minimus users will find their current roles have been automatically preserved during the RBAC rollout, ensuring zero disruption to workflows.

Why RBAC Matters

Implementing RBAC delivers immediate benefits across security, operations, and compliance:

Improved Security & Least Privilege

Users receive access only to the features they need for their specific role, reducing the attack surface and preventing accidental misconfigurations. DevOps engineers can manage infrastructure without accessing user management. Developers can consume images without modifying security policies.

Streamlined Administration

Eliminate the need to configure individual permissions for every user. Assign roles based on job function, and permissions automatically align with organizational needs. When employees change roles or leave, updating a single role assignment instantly adjusts their access across all Minimus features.

Faster Onboarding & Offboarding

New team members can be assigned appropriate roles in seconds rather than requiring custom permission configuration. Offboarding becomes equally simple, removing a user or changing their role instantly revokes the associated access.

Audit & Compliance Support

RBAC creates clear, auditable trails of who has access to what. Activity Logs (available to Admin users) provide visibility into user actions, helping meet regulatory compliance requirements and internal security policies.

How RBAC Works in Minimus

Minimus supports two methods for adding users:

Direct User Addition

Add individual users via their Google email address, GitHub username, or Microsoft email address directly in the Minimus Console. This method is ideal for smaller teams or organizations not using SSO.

SSO/SAML Integration

Connect your identity provider (Microsoft Azure, Google Workspace, or Okta) to automatically sync users and groups. This approach scales better for larger organizations and centralizes identity management in your existing IAM infrastructure. Follow the Configure SSO (Generic Guide) in the documentation to set up your integration.

Managing Permissions with Users and Groups

Minimus RBAC operates on two identity types:

Individual Users

Assign roles to specific users for fine-grained control. Individual role assignments can be managed independently through the Minimus Console.

User Groups

Create groups in the Minimus Console to assign roles to multiple users simultaneously. For SSO (Single Sign-On) enabled organizations, groups can be automatically mapped from your identity provider, allowing you to manage role assignments directly from your existing IAM tools rather than duplicating effort in multiple systems.

The Power of SSO + RBAC

Combining SSO with RBAC delivers additional benefits: centralized identity management means a single source of truth for user access, automated group synchronization reduces administrative overhead, and role changes in your identity provider automatically propagate to Minimus without manual updates. This integration is particularly valuable for organizations with frequent role changes, multiple applications, or strict compliance requirements.

Minimus RBAC Roles

Minimus currently supports three RBAC roles, each designed for different levels of access:

Admin

  • Full administrative access to User Management + SAML configuration
  • Full access to Activity Logs for security auditing
  • Read/Write access to Token Management
  • Configure and use Image Creator, Actions, and Self-hosted Registry features
  • Access to Image Gallery and Helm Charts

Operator

  • Read/Write access to Token Management, Image Creator, Actions, and Self-hosted Registry
  • Access to Image Gallery and Helm Charts
  • No access to User Management, SAML configuration, or Activity Logs

Viewer

  • Read-only access to Image Creator, Actions, and Token Management (view but cannot modify)
  • Access to Image Gallery and Helm Charts
  • No access to Self-hosted Registry, User Management, SAML configuration, or Activity Logs

The table below provides a detailed breakdown of what each role can access within the Minimus Console:

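Feature                   Viewer      Operator    Admin
Image Gallery             Access      Access      Access
Image Creator             RO          RW          RW
Actions                   RO          RW          RW
Self-hosted Registry      No access   RW          RW
User Management + SAML    No access   No access   RW
Token Management          RO          RW          RW
Helm Charts               Access      Access      Access
Activity Logs             No access   No access   Full access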

When users don't have access to a feature, it won't appear in their Console interface. Read-only access allows users to view features and settings but prevents any modifications.

How Role Conflicts Are Resolved: "Highest Role Wins"

A user's effective role is determined at login by evaluating all role sources and selecting the highest privilege level. This approach ensures users always have the access they need while preventing accidental permission loss.

How Minimus RBAC Works in Practice

If a user has multiple role assignments (for example, individually assigned as Viewer but part of an SSO group with Admin permissions), Minimus evaluates all sources at login and grants the highest privilege level. The calculation happens automatically at runtime.

Example

Sarah is assigned the Viewer role individually in the Minimus Console, but she's also part of the "DevOps-Admins" SSO group that has Admin permissions. When Sarah logs in, Minimus evaluates both role sources and grants her Admin access, the highest privilege level between the two.

This design ensures that adding users to additional groups or granting supplementary permissions never accidentally reduces their access level.

Why "Highest Role Wins"?

Assigning the highest role provides a clear, predictable method for resolving overlapping permissions. This approach prevents accidental loss of required access, avoids ambiguity in permission calculation, and simplifies access configurations for both administrators and users.
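A practical consequence of "highest role wins" is that an individual Viewer assignment does not cap what a user can do if a group grants more. The sketch below is an added example, not Minimus code or a Minimus API: the data layout, the sample users and groups (other than Sarah and "DevOps-Admins" from the example above), and the function names are assumptions. It resolves each user's effective role and lists everyone whose access comes from a group rather than from their individual assignment, which is the list to review during an access audit.

```python
# Added example: models the "highest role wins" rule described on this page.
# Data structures and names are hypothetical; sample data is constructed.
RANK = {"Viewer": 1, "Operator": 2, "Admin": 3}

INDIVIDUAL = {"sarah": "Viewer", "li": "Operator", "omar": "Admin"}
GROUP_ROLES = {"DevOps-Admins": "Admin", "Platform": "Operator", "Readers": "Viewer"}
MEMBERSHIPS = {
    "sarah": ["DevOps-Admins"],
    "li": ["Readers"],
    "omar": [],
    "ana": ["Platform", "Readers"],  # no individual assignment at all
}


def role_sources(user):
    """Return every (source, role) pair that applies to the user."""
    sources = []
    if user in INDIVIDUAL:
        sources.append(("individual", INDIVIDUAL[user]))
    for group in MEMBERSHIPS.get(user, []):
        if group in GROUP_ROLES:
            sources.append((f"group:{group}", GROUP_ROLES[group]))
    return sources


def effective_role(user):
    """Highest role wins: return the (source, role) with the highest rank.

    On a tie the individual assignment is reported, because it is listed first.
    Returns None when the user has no role source.
    """
    sources = role_sources(user)
    if not sources:
        return None
    return max(sources, key=lambda pair: RANK[pair[1]])


def group_derived_access(users):
    """List users whose effective role comes from a group and exceeds
    (or replaces a missing) individual assignment."""
    findings = []
    for user in users:
        resolved = effective_role(user)
        if resolved is None:
            continue
        source, role = resolved
        individual = INDIVIDUAL.get(user)
        if source != "individual" and (
            individual is None or RANK[role] > RANK[individual]
        ):
            findings.append((user, individual, role, source))
    return findings
```

To lower a user's access under this rule, every source that grants the higher role has to change, not only the individual assignment.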

Getting Started with Minimus RBAC

  1. Review your team structure: Identify which users need Admin, Operator, or Viewer access based on their job responsibilities
  2. Configure roles: Log in to your Minimus Console and navigate to User Management to assign roles
  3. (Optional) Set up SSO: Connect your identity provider for automated group-based role assignment and centralized identity management

Learn more: Check out the comprehensive RBAC documentation for detailed configuration guides, including SSO setup and advanced role management.

Gabriele Falchini
Sales Engineer