IAM v1 Policies

This page provides an in-depth look at each of Chef Automate’s IAM v1 default policies and the specific endpoints they protect.

Configuration Management

Configuration Management Policies

These default policies allow all users to perform any action on Configuration Management resources.

  {
      "action": "*",
      "resource": "cfgmgmt",
      "subjects": [
          "user:*"
      ]
  },
  {
      "action": "*",
      "resource": "cfgmgmt:*",
      "subjects": [
          "user:*"
      ]
  }

Configuration Management (Client Runs) Pages

Corresponds to “Client Runs” tab or /nodes

Compliance

Compliance Policies

These default policies allow all users to perform any action on Compliance resources.

  {
      "action": "*",
      "resource": "compliance:*",
      "subjects": [
          "user:*"
      ]
  }

Compliance Pages

Corresponds to “Compliance” tab (/compliance/reporting/overview), “Scan Jobs” tab (/compliance/scanner/jobs) & “Profiles” tab (/profiles)

Event Feed

Event Feed Policies

These default policies allow all users to perform any action on Event Feed resources.

  {
      "action": "*",
      "resource": "events",
      "subjects": [
          "user:*"
      ]
  },
  {
      "action": "*",
      "resource": "events:*",
      "subjects": [
          "user:*"
      ]
  }

Event Feed Page

Corresponds to “Event Feed” tab (/event-feed)

Applications

Applications page

These default policies allow all users to perform any action on Applications page resources.

  {
      "action": "*",
      "resource": "service_groups",
      "subjects": [
          "user:*"
      ]
  },
  {
      "action": "*",
      "resource": "service_groups:*",
      "subjects": [
          "user:*"
      ]
  }

Applications Page

Corresponds to the “Applications” tab (/applications)

Telemetry

Telemetry Policies

This default policy allows all users to perform any action on Telemetry resources.

  {
      "action": "*",
      "resource": "telemetry:config",
      "subjects": [
          "user:*"
      ]
  }

Telemetry access

Corresponds to Telemetry (/telemetry)

Secrets

Secrets Policies

These default policies allow all users to perform any action on Secrets resources.

  {
      "action": "*",
      "resource": "secrets",
      "subjects": [
          "user:*"
      ]
  },
  {
      "action": "*",
      "resource": "secrets:*",
      "subjects": [
          "user:*"
      ]
  }

Secrets (Credentials) Page

Corresponds to the “Credentials” tab or /compliance/credentials

Nodes

Nodes Policies

These default policies allow all users to perform any action on Nodes resources.

  {
      "action": "*",
      "resource": "nodes",
      "subjects": [
          "user:*"
      ]
  },
  {
      "action": "*",
      "resource": "nodes:*",
      "subjects": [
          "user:*"
      ]
  }

Nodes (Scanner) Page

Corresponds to /compliance/scanner/nodes

Node Manager

Node Manager Policies

These default policies allow all users to perform any action on Node Manager resources.

  {
      "action": "*",
      "resource": "nodemanagers",
      "subjects": [
          "user:*"
      ]
  },
  {
      "action": "*",
      "resource": "nodemanagers:*",
      "subjects": [
          "user:*"
      ]
  }

Node Manager Page

Ingest

Ingest Policy

This default policy allows only clients (token subjects), such as Chef Client, to perform any action on Ingest resources.

Notes:

  • No users may post data to these endpoints.

  {
      "action": "*",
      "resource": "ingest:*",
      "subjects": [
          "token:*"
      ]
  }

Ingest API Endpoints (Internal)

Corresponds to /ingest/events

Profile

Profile Policy

These default policies allow all users to access their own profile and update it.

Notes:

  • ${a2:username} denotes a policy variable that is filled in with the actual user name upon evaluation.

  {
      "action": "*",
      "resource": "users:${a2:username}",
      "subjects": [
          "user:local:*"
      ]
  },
  {
      "action": "read",
      "resource": "auth:users:${a2:username}",
      "subjects": [
          "user:local:*"
      ]
  }

Profile Pages

Administrative

Administrative Policy

By default, only members of the admin team can perform actions on these resources.

Notes:

  • Admins can perform any action on any resource, including Authorization and Notifications resources, which are inaccessible to non-admins.

  • This policy cannot be deleted.

  {
      "action": "*",
      "resource": "*",
      "subjects": [
          "team:local:admins"
      ]
  }

Admin & Notifications (Administrative) Pages

Corresponds to the “Admin” (/auth) and “Notifications” (/notifications) tabs
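The following is an added example, not Chef Automate's own authorization code: a small evaluator for the policy shape used throughout this page (action, resource, subjects), covering the Profile policies' ${a2:username} variable and the Ingest and Administrative policies. The matching rules are assumptions made for the illustration: "*" matches anything, "prefix:*" matches values that begin with that prefix followed by a colon (so "cfgmgmt:*" does not match the bare resource "cfgmgmt", which is why the defaults list both forms), and ${a2:username} is resolved from the last segment of a "user:..." subject.

```python
from typing import List, Dict, Optional

# Policy variable documented on this page (see the Profile policy notes).
USERNAME_VAR = "${a2:username}"


def pattern_match(pattern: str, value: str) -> bool:
    """Assumed IAM v1 wildcard semantics: '*' matches everything, 'prefix:*'
    matches values starting with 'prefix:', anything else must match exactly."""
    if pattern == "*":
        return True
    if pattern.endswith(":*"):
        return value.startswith(pattern[:-1])  # keep the trailing ':'
    return pattern == value


def username_of(subject: str) -> Optional[str]:
    """Assumption: for a 'user:<provider>:<name>' subject the name is the last segment."""
    parts = subject.split(":")
    return parts[-1] if parts[0] == "user" and len(parts) >= 2 else None


def is_allowed(policies: List[Dict], subject: str, action: str, resource: str) -> bool:
    """Allow if any policy grants the (subject, action, resource) triple."""
    name = username_of(subject)
    for policy in policies:
        res = policy["resource"]
        if USERNAME_VAR in res:
            if name is None:          # variable cannot resolve for tokens/teams
                continue
            res = res.replace(USERNAME_VAR, name)
        if (pattern_match(policy["action"], action)
                and pattern_match(res, resource)
                and any(pattern_match(s, subject) for s in policy["subjects"])):
            return True
    return False


# Subset of this page's default policies, transcribed as Python dicts.
DEFAULT_POLICIES = [
    {"action": "*", "resource": "cfgmgmt", "subjects": ["user:*"]},
    {"action": "*", "resource": "cfgmgmt:*", "subjects": ["user:*"]},
    {"action": "*", "resource": "ingest:*", "subjects": ["token:*"]},
    {"action": "*", "resource": "users:${a2:username}", "subjects": ["user:local:*"]},
    {"action": "read", "resource": "auth:users:${a2:username}", "subjects": ["user:local:*"]},
    {"action": "*", "resource": "*", "subjects": ["team:local:admins"]},
]
```

Constructed subjects such as "user:local:alice" or "token:abc" can be fed to is_allowed to see which default grants (if any) applies.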