Shape Up
Skills Builder - September 4th, 2020
Confidential
Rundeck Community Office Hours: Access Control Policies
December 2021
Speaker: Nathan Fluegel, Automation Success Manager, PagerDuty
Agenda
1 Intro to ACL policies
2 Quick Download: Access Control Basics
3 Questions from the Community
4 Demo
Rundeck Architecture (diagram)
Nodes (Infrastructure): physical, VMs, containers, serverless, network devices…
External Authentication: LDAP, AD, SSO
Clients over HTTP(S): Rundeck CLI and Client CLI (Web API), Browser (Web GUI), Webhooks
Server Resources: config/settings files, resources, plugins, users/groups/acl, server logs, execution history
Authorization sits between the clients and the server resources.
What is Rundeck ACL good for?
ACL = Access Control Language
• Only authorized users have the ability to create jobs or run commands
• “Job Runners” can be limited to only running authorized jobs
• Only access machines you need to, when carrying out a job
ACL controls object access:
Projects
Jobs
Keys
…
And Available Actions:
View
Edit
Run
…
Core to Rundeck security,
provides guard rails
Access Control Policies: Key Rundeck Resources and Access
System/Rundeck Context (System Resources): both system and project rules can be stored here. Requires admin access.
Project Context (Project Components/Resources): only project-specific rules can be stored here. Can be delegated to project admins.
Quick Download: Access
Control Basics
Rundeck can control access to resources and actions, providing guardrails that control who can do what and when.
● Control access to resources (projects, jobs, nodes, keys)
● Allow and deny specific actions (create jobs, run ad hoc commands, view activity history)
● Use existing usernames and groups from your Enterprise directory
ACL example (basic job runner)
The policy shown on the slide is annotated with three questions:
Is this for the system or a project?
What resources? In what way?
Which user or group is associated?
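The annotated policy on the slide is an image that did not survive extraction. The following aclpolicy file is an added example, not the deck's own policy, written to answer the slide's three questions for a basic job runner; the project name "ops", the job group "approved/" and the user group "job-runners" are placeholder names.

```yaml
# Added example, not from the deck. Project "ops", job group "approved/" and
# user group "job-runners" are placeholders. A .aclpolicy file holds one or
# more YAML documents separated by "---".

# Question 1 (system or project?): this document is project scoped.
description: job-runners may run the approved jobs of project ops but not change them
context:
  project: 'ops'
for:
  # Question 2 (which resources, in what way?)
  resource:
    - equals:
        kind: node
      allow: [read]            # list the project's nodes
    - equals:
        kind: event
      allow: [read]            # view the activity / execution history;
                               # without this, runners can run jobs but see no history
  job:
    - match:
        group: 'approved/.*'   # only jobs in the "approved" job group ...
      allow: [read, run, kill] # ... may be viewed, run and stopped
      deny: [update, delete]   # and never edited or removed by runners
  node:
    - allow: [read, run]       # jobs may dispatch to any node of the project
  adhoc:
    - deny: [run]              # no ad hoc commands from the Commands page
# Question 3 (which user or group?)
by:
  group: job-runners

---

# The project only becomes visible through a system-scoped rule: without
# "read" on the project in the application context the runner cannot open
# "ops" at all, whatever the project-scoped document above allows.
description: job-runners may see project ops in the project list
context:
  application: 'rundeck'
for:
  project:
    - equals:
        name: 'ops'
      allow: [read]
by:
  group: job-runners
```

The first document can be stored at the project level and delegated to the project's admins; the second must live in the system-level ACL store, since only the application context decides which projects a group can see. No "create" action is granted on the job resource kind, so the group cannot add jobs of its own.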
ACL Recommendations
➔ Store as many policies as possible at the project level
➔ Create and edit policies in the Rundeck database to avoid managing ACL files
➔ Consider limiting keys and passwords within projects for maximum security
Community Q&A
➔ Can access to key storage be controlled on a per-project basis?
➔ What’s the easiest way to provide admin-level access to all projects for a specific group?
➔ I have users who can run jobs but not see job history. What gives?
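The deck records the three community questions without their answers. The aclpolicy documents below are an added example, not part of the deck, showing the clauses from the Rundeck authorization reference that bear on each question; "ops", "ops-runners" and "ops-admins" are placeholder names.

```yaml
# Added example, not from the deck. "ops", "ops-runners" and "ops-admins" are
# placeholder names.

# Question 1: key storage per project. Storage rules are always system scoped
# (application context) and select keys by path. Project keys live under
# keys/project/<project name>/, so matching that prefix confines the group to
# its own project's keys and leaves the shared keys/ tree invisible to it.
description: ops-runners may read keys stored under project ops only
context:
  application: 'rundeck'
for:
  storage:
    - match:
        path: 'keys/project/ops/.*'
      allow: [read]
by:
  group: ops-runners

---

# Question 2: admin-level access to all projects for one group needs two
# documents, because project visibility, ACL editing and key storage are
# system scoped while jobs, nodes and executions are project scoped. The
# project context accepts a regular expression, so '.*' covers every project.
# Both documents have to be stored at the system level; a project-level ACL
# store only accepts rules for that one project.
description: ops-admins system-scoped access to every project
context:
  application: 'rundeck'
for:
  project:
    - allow: '*'           # view and administer all projects
  project_acl:
    - allow: '*'           # manage project-level ACL policies
  storage:
    - allow: '*'           # read/create/update/delete any key
by:
  group: ops-admins

---

description: ops-admins full access inside every project
context:
  project: '.*'
for:
  resource:
    - allow: '*'
  adhoc:
    - allow: '*'
  job:
    - allow: '*'
  node:
    - allow: '*'
by:
  group: ops-admins

---

# Question 3: users can run jobs but the Activity page stays empty. The
# execution history is the "event" resource kind and needs its own read rule
# in the project context; "run" on the job type alone does not grant it.
description: ops-runners may view the execution history of project ops
context:
  project: 'ops'
for:
  resource:
    - equals:
        kind: event
      allow: [read]
by:
  group: ops-runners
```

Rundeck denies by default and an explicit deny in any policy overrides an allow elsewhere, so the storage rule above grants nothing outside the matched path without needing a deny clause, while a deny added to any other document would take effect even for ops-admins.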
Key ACL docs pages
➔ Overview of ACL policy process
https://docs.rundeck.com/docs/manual/document-format-reference/aclpolicy-v10.html#overview
➔ Details of ACL clauses and all available options
https://docs.rundeck.com/docs/administration/security/authorization.html#access-control-policy-2
Rundeck Resources
Visit: www.rundeck.com/open-source
Join the Conversation: https://community.pagerduty.com/forum/c/rundeck
Sign up for release notes here: https://www.rundeck.com/release-notes-signup
Thank You!
