localurl:/docs/administration/account-user-management/add-users/

-title:Set up OAuth2 for GitOps

localurl:/docs/administration/account-user-management/oauth-setup/

-title:Access control

-title:Access control for pipelines

localurl:/docs/administration/account-user-management/access-control/

-title:Access control for GitOps

localurl:/docs/administration/account-user-management/gitops-abac/

-title:Audit

localurl:/docs/administration/account-user-management/audit/

-title:User settings

url:"/create-codefresh-account"

-title:Adding users and teams

url:"/add-users"

-title:Configuring access control

-title:Configuring access control for pipelines

url:"/access-control"

-title:Configuring access control for GitOps

url:"/gitops-abac"

-title:Setting up OAuth2 for GitOps

url:"/oauth-setup"

-title:Authorize access to organizations/projects

title:"Configuring access control"

description:"Restrict resources in a company environment"

title:"Configuring access control for pipelines"

description:"Restrict resourcesto pipelinesin a company environment"

group:administration

sub_group:account-user-management

redirect_from:

[Codefresh Provider for Terraform](https://registry.terraform.io/providers/codefresh-io/codefresh/latest/docs){:target="\_blank"}

[Codefresh installation options]({{site.baseurl}}/docs/installation/installation-options/)

[Managing your Kubernetes cluster]({{site.baseurl}}/docs/deployments/kubernetes/manage-kubernetes/)

-/docs/create-an-account/

-/docs/getting-started/

-/docs/getting-started/introduction/

toc:true

Before you can do create pipelines, build, and deploy applications in Codefresh, you need to create a Codefresh account.

title:"Access control for GitOps"

description:"Restrict access to GitOps entities through ABAC"

toc:true

Control access to entities in GitOps through ABAC (Attribute-Based Access Control). ABAC allows fine-grained access to application entities through the use of rules.

For GitOps, you can currently define ABAC for application entities in the Codefresh UI or programmatically via Terraform.

For more information on ABAC, see[ABAC on Wikipedia](https://en.wikipedia.org/wiki/Attribute-based_access_control){:target="\_blank"}.

Rules define the*who*,*what*, and*where* control access to GitOps applications, through the following elements:

* Teams

Teams control the_who_ part of the rule.

* Actions

Actions control the_what_ part of the rule. You need to select at least one action.

* Attributes

Attributes control the_where_ part of the rule.

Attributes are a combination of standard Kubernetes and Codefresh-specific attributes. You have Kubernetes attributes such as clusters, namespaces, and labels, and attributes unique to Codefresh such as Runtimes and Git Sources.

For each rule, you must select or define:

* The team or teams the rule applies to, with at least one team being mandatory

* The action or actions permitted for the entity, with at least one action being mandatory

* The attribute or attributes determining where access is permitted

**How to**

1. In the Codefresh UI, on the toolbar, click the**Settings** icon.

1. On the sidebar, from Access & Collaboration, select[**GitOps Permissions**](https://g.codefresh.io/account-admin/permissions/teams){:target="\_blank"}.

1. To create a rule, click**Add** and define the**Teams**,**Actions**, and**Attributes** for the rule.

1. To confirm, click**Add** once again.

{% include

image.html

lightbox="true"

file="/images/administration/access-control/gitops/gitops-add-rule.png"

url="/images/administration/access-control/gitops/gitops-add-rule.png"

alt="Add rule for GitOps applications"

caption="Add rule for GitOps applications"

max-width="50%"

%}

The rule you added for the entity is displayed in the GitOps Permissions page. Edit or delete the rule by clicking the respective icons.

You can also create rules enforcing ABAC for GitOps via Terraform.

See the documentation for[codefresh_abac_rules](https://registry.terraform.io/providers/codefresh-io/codefresh/latest/docs/resources/abac_rules){:target="\_blank"}.

{: .table .table-bordered .table-hover}

| Rule Element| Description|

| --------------| --------------|

|Teams| The team or teams to which to give access to the Application Entity. See[Adding users and teams]({{site.baseurl}}/docs/administration/account-user-management/add-users/).|

|Actions | The actions permitted for the application entity, and can be any or all of the following: {::nomarkdown} <ul><li><b>Refresh</b>: Allow users to manually regular refresh or hard refresh. The Refresh action is automatically disabled on selecting the Sync action which takes precedence. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#refreshhard-refresh-applications">Refresh/Hard Refresh applications</a>.</li><li><b>Sync</b>: Allow users to manually sync an application on-demand, and define the options for manual sync.<br>Selecting Sync automatically disables the Refresh action as Sync takes precedence over it. <br> See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#manually-synchronize-an-application">Manually synchronize an application</a>.</li><li><b>Terminate Sync</b>: Allow users to manually stop an ongoing sync for an application. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#terminate-on-going-application-sync">Terminate on-going application sync</a></li><li><b>Rollback application</b>: Allow users to rollback the current release of an application to a previous deployment version or release in Codefresh. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#rollback-gitops-applications">Rollback GitOps applications</a>.</li><li><b>Pause rollout</b> and <b>Resume rollout</b>: Allow users to pause an ongoing rollout and resume a paused rollout either directly from the Timeline tab of the application, or through the controls in the Rollout Player. <br>See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#pauseresume-ongoing-rollouts">Pause/resume ongoing rollouts</a> and <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#manage-an-ongoing-rollout-with-the-rollout-player">Managing an ongoing rollout with the Rollout Player</a>.</li><li><b>Promote full rollout</b>: Allow users to use the Promote Full button in the Rollout Player to skip the remaining steps in the rollout and promote to deployment. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#manage-an-ongoing-rollout-with-the-rollout-player">Managing an ongoing rollout with the Rollout Player</a>.</li><li><b>Skip current step in rollout</b>: Allow users to use the Skip Step button in the Rollout Player to skip executing the current step in the rollout. <br>See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#manage-an-ongoing-rollout-with-the-rollout-player">Managing an ongoing rollout with the Rollout Player</a>.</li><b>Delete resource</b>: Allow users to delete an application resource from the Current State tab. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#delete-an-application">Delete an application</a>.</li></ul>{:/} |

|Attributes |Adding attributes, either individually or in combination, allow more fine-grained access control to enforce the _where_ policies for teams and actions. <br>Single attributes are useful to grant or deny access based on a specific property. For example, allow access to application entities on a cluster or within a namespace. <br>Combinations of attributes help enforce more complex access control. For example, require both a Runtime and a Label attribute to grant access to an application entity.<br>You can also add multiple instances of the same attribute with different values. For example, multiple Label attibutes with different values to sync application entities.{::nomarkdown} <ul><li><b>Cluster</b>: Allow access to all application entities in the cluster, regardless of the namespace, Runtime, and Git Sources of specific applications.</li><li><b>Namespace</b>: Allow access to application entities only within the namespace. If users have multiple accounts on different clusters with the same namespace, they can access applications in all those namespaces.</li><li><b>Runtime</b>: Allow access to application entities associated with the defined Runtime.</li><li><b>Git Source</b>: Allow access to application entities only in the defined Git Source. A Git Source is always associated with a Runtime.</li><li><b>Label</b>: Allow access only to application entities that share the same label.</li></ul>{:/} |

This rule grants the DevOps team permission to perform all actions for application entities on the production cluster, regardless of namespaces, Runtimes, Git Sources and labels.

**Rule elements**

* Team:`DevOps`

* Actions:`All`

* Attributes:`Cluster: production-cluster`

This rule grants two different teams permissions to perform all actions for application entities deployed on a specific cluster but within a specific namespace.

**Rule elements**

* Teams:`Product`,`Docs`

* Actions:`All`

* Attributes:

This rule grants the Support team permission to manually sync application entities or manually terminate on-going syncs for application entities deployed in a specific namespace, but only for those entities that share the same label.

**Rule elements**

* Team:`Customer Support`

* Actions:`Sync`,`Terminate Sync`

* Attributes:

[Codefresh Provider for Terraform](https://registry.terraform.io/providers/codefresh-io/codefresh/latest/docs){:target="\_blank"}

[Access control for pipelines]({{site.baseurl}}/docs/administration/account-user-management/access-control/)

| --------------| --------------|

|Application filters | Filter by a range of attributes to customize the information in the dashboard to bring you what you need. {::nomarkdown} <ul><li>Application state<br>A snapshot that displays a breakdown of the deployed applications by their health status.<br>Click a status to filter by applications that match it.<br>Codefresh tracks Argo CD's set of health statuses. See the official documentation on <a href="https://argo-cd.readthedocs.io/en/stable/operator-manual/health" target=”_blank”>Health sets</a>.</li><li>Application attributes<br>Attribute filters support multi-selection, and results are based on an OR relationship within the same filter with multiple options, and an AND relationship between filters.<br>Clicking <b>More Filters</b> gives you options to filter by Health status, Cluster names, Namespace, and Type. <br><ul><li>Application Type: Can be any of the following<ul><li>Applications: Standalone applications. See the official documentation on <a href="https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#applications" target=”_blank”>Applications</a>.</li><li>ApplicationSet: Applications created using the ApplicationSet Custom Resource (CR) template. An ApplicationSet can generate single or multiple applications. See the official documentation on <a href="https://argo-cd.readthedocs.io/en/stable/user-guide/application-set" target=”_blank”>Generating Applications with ApplicationSet</a>.</li><li>Git Source: Applications created by Codefresh that includes other applications and CI resources. See <a href="https://codefresh.io/docs/docs/installation/gitops/git-sources/">Git Sources</a>.</li></ul></li></li><li>Labels:The K8s labels defined for the applications. The list displays labels of <i>all</i> the applications, even if you have applied filters.<br>To see the available labels, select <b>Add</b>, and then select the required label and one or more values. <br>To filter by the labels, select <b>Add</b> and then <b>Apply</b>.<br> See the official documentation on <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/labels" target=”_blank”>Labels and selectors</a>.</li></ul></ul>{:/}|

|{::nomarkdown}<imgsrc="../../../../images/icons/icon-mark-favorite.png?display=inline-block">{:/}| Star applications as favorites and view only the starred applications.{::nomarkdown}<br>Select the <imgsrc="../../../../images/icons/icon-mark-favorite.png?display=inline-block"> to star the application as a favorite.<br><br>To filter by favorite applications, on the filters bar, select <imgsrc="../../../../images/icons/icon-fav-starred.png?display=inline-block">.<br>{:/} TIP: If you star applications as favorites in the GitOps Apps dashboard, you can filter by the same applications in the[DORA metrics dashboard]({{site.baseurl}}/docs/dashboards/dora-metrics/#metrics-for-favorite-applications).|

|Application actions| Options to monitor/manage applications through the application's context menu. {::nomarkdown}<ul><li>Quick view<br>A comprehensive read-only view of the deployment and definition information for the application.</li>{:/}See [Application Quick View](#view-deployment-configuration-info-for-selected-gitops-application) in this article.{::nomarkdown}<li>Synchronize/Sync<br>Manually synchronize the application.</li>{:/}See [Manually sync applications]({{site.baseurl}}/docs/deployments/gitops/manage-application/#manually-synchronize-an-application).{::nomarkdown}<li>Edit<br>Modify application definitions.</li>{:/}See [Edit application definitions]({{site.baseurl}}/docs/deployments/gitops/manage-application/#edit-application-definitions).{::nomarkdown}<li>Refresh and Hard Refresh: Always available in the application's toolbar. <ul><li>Refresh: Retrieve desired (Git) state, compare with the live (cluster) state, and refresh the application to sync with the desired state.</li><li>Hard Refresh: Refresh the application to sync with the Git state, while removing the cache.</li></ul>See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#refreshhard-refresh-gitops-applications">Refresh/hard refresh GitOps applications</a>.{:/} |

*[Events](#events-for-application-resources)

The Current State tab supports Tree and List view formats.

**Context menu**

Every resource has a context menu that opens on clicking the three dots on the right of the resource. The options available differ according to the type of resource.

If you have deep links configured for applications/resources for Hybrid GitOps Runtimes, these are also displayed in the context menu. To configure deep links in Codefresh, see[(Hybrid GitOps) Configure Deep Links to applications & resources]({{site.baseurl}}/docs/installation/gitops/monitor-manage-runtimes/#hybrid-gitops-configure-deep-links-to-applications--resources).

max-width="50%"

%}

Delete specific resources in an application directly from the Codefresh UI.

Application creation and deployment is one part of the continuous deployment/delivery process. An equally important part is optimizing deployed applications when needed.

The actions you can perform depend on the permissions assigned to you.

*[Edit applications](#edit-application-definitions)

Optimize deployed applications by changing application definitions when needed.

*[Refresh applications](#refreshhard-refresh-gitops-applications)

Manually refresh applications with a single-click, as an alternative to manually synchronizing them.

*[Rollback applications](#rollback-gitops-applications)

Rollback applications to previous deployment versions.

Update General or Advanced configuration settings for a deployed application through the Configuration tab. Once the application is deployed to the cluster, the Configuration tab is available on selecting the application in the GitOps Apps dashboard.

**How to**

1. In the Codefresh UI, from Ops in the sidebar, select[GitOps Apps](https://g.codefresh.io/2.0/applications-dashboard/list){:target="\_blank"}.

1. Sync an application:

* Select the application to sync, and do one of the following:

1. To sync an application, select the application to sync, and do one of the following:

* From the context menu on the right, select**Synchronize**.

* On the top-right, click**Synchronize**.

Sync a resource:

1. To sync a resource:

* Click the application with the resource to sync.

* In the**Current State** tab, open the context menu of the resource, and then select**Sync**.

{:/}

Manually terminate an on-going synchronization process for the application. You may need to terminate an on-going sync that remains indefinitely as Syncing, or because you have detected problems in the current deployment

Terminating a sync operation reverts the deployment to the previously deployed version or image.

%}

As an alternative to manually syncing an application, either refresh or hard refresh the application. Both options are always available in the application toolbar.

1. In the Codefresh UI, from Ops in the sidebar, select[GitOps Apps](https://g.codefresh.io/2.0/applications-dashboard/list){:target="\_blank"}.