Global user permissions

Hello, I am currently evaluating whether it would make sense to use Tenzu in a school setting. I therefore have the following questions. If these features don’t yet exist, I would be happy if they could be implemented in the future.

  • Is it possible to grant project creation rights only to specific users? Ideally, these rights should also be manageable via LDAP.

  • Can the invitation of external users be globally disabled? (I suspect so, but I’ve overlooked it.)

Thank you very much for your work on this project so far!

Hello @Vagor and welcome!

  • In a workspace, you can assign users the “Readonly-member” role. This role makes them see the workspace and that’s all: no project creation and no seeing projects they are not also a member of. This role is the default workspace role, which means they’ll get it automatically when they get invited to a project, no matter what project role they receive. You can change the workspace role of a user at any time, and you can also explicitly invite someone to a workspace with a different role.
    However, you can’t forbid anyone with an account from creating their own workspace, where they will be able to do whatever they want.
    There is no mapping between LDAP properties and Tenzu’s roles and permissions. This is not planned at this time, and it wouldn’t make much sense with the current system since Tenzu’s permissions are relative to objects (workspaces and projects). LDAP is only used for authentication and user account properties.
  • From what I understand of your use case, here’s what could be useful:
    • If you are using LDAP integration, you can prevent all account creation so the only way to connect is to use the LDAP auth (which is the recommended mode for LDAP).
      TENZU_LDAP__ACTIVATION="strict"
    • There is a setting to restrict users to specific email domains only. Something to keep in mind: we didn’t yet polish the UX for that setting, so the error messages you receive if you try using a forbidden domain to create an account or invite someone are not explicit; you just get a pretty generic “error” message.
      TENZU_ACCOUNT__USER_EMAIL_ALLOWED_DOMAINS='["domain1.ext", "domain2.ext", ...]'

I hope to have answered everything. Don’t hesitate to play with the demo if you want to get hands-on experience with roles and permissions! The database is reset every Saturday night, so you can play to your heart’s content.
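The two settings above describe a policy (no self-registration when LDAP activation is strict, invitations limited to listed email domains) but, as the reply notes, the product currently reports only a generic error when that policy rejects something. The following is an added, stand-alone illustration written for this page; it is not Tenzu’s code and does not show how Tenzu evaluates these settings internally. It models the policy as described, reads the two environment variables from a constructed sample environment, and returns an explicit reason for every decision. The exact-match rule for domains (a subdomain of a listed domain is rejected unless listed itself), the case-insensitive comparison, and all function names are assumptions of this example.

```python
import json

# Constructed sample environment for this example (not a real deployment).
# The values mirror the two settings named in the reply above.
SAMPLE_ENV = {
    "TENZU_LDAP__ACTIVATION": "strict",
    "TENZU_ACCOUNT__USER_EMAIL_ALLOWED_DOMAINS": '["school.example", "staff.school.example"]',
}


def parse_allowed_domains(raw):
    """Parse the JSON-list value of the allowed-domains setting.

    Returns a set of lower-cased domains, or None when the setting is unset
    or empty, which this example treats as "no restriction" (assumption).
    A malformed value raises ValueError rather than silently allowing all.
    """
    if raw is None or raw.strip() == "":
        return None
    domains = json.loads(raw)
    if not isinstance(domains, list) or not all(isinstance(d, str) for d in domains):
        raise ValueError("allowed domains must be a JSON list of strings")
    return {d.strip().lower().rstrip(".") for d in domains if d.strip()}


def email_domain(email):
    """Return the domain part of an address, lower-cased and without a
    trailing dot, or None if the address is not of the form local@domain."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower().rstrip(".")


def check_email_allowed(email, allowed):
    """Exact-domain allowlist check (assumed semantics for this example).

    'user@sub.school.example' is rejected when only 'school.example' is
    listed, and 'user@school.example.attacker' is rejected because the
    comparison is on the whole domain, not a suffix or substring.
    """
    domain = email_domain(email)
    if domain is None:
        return False, "malformed email address"
    if allowed is None:
        return True, "no domain restriction configured"
    if domain in allowed:
        return True, "domain is in the allowed list"
    return False, "domain %r is not in the allowed list" % domain


def evaluate(action, email, env):
    """Decide whether 'signup' (self-registration) or 'invite' is permitted
    for the given address under the settings in env.

    Returns (allowed, reason). Per the reply, strict LDAP activation blocks
    all local account creation, so 'signup' never reaches the domain check.
    """
    if action not in ("signup", "invite"):
        raise ValueError("action must be 'signup' or 'invite'")
    if action == "signup" and env.get("TENZU_LDAP__ACTIVATION") == "strict":
        return False, "self-registration disabled: TENZU_LDAP__ACTIVATION is strict"
    allowed = parse_allowed_domains(env.get("TENZU_ACCOUNT__USER_EMAIL_ALLOWED_DOMAINS"))
    return check_email_allowed(email, allowed)


if __name__ == "__main__":
    # Constructed sample requests; each line shows the decision and its reason.
    for action, email in [
        ("signup", "pupil@school.example"),
        ("invite", "teacher@Staff.School.Example"),
        ("invite", "parent@gmail.example"),
        ("invite", "x@sub.school.example"),
        ("invite", "x@school.example.attacker"),
        ("invite", "not-an-address"),
    ]:
        ok, why = evaluate(action, email, SAMPLE_ENV)
        print("%-6s %-30s %s (%s)" % (action, email, "allow" if ok else "deny", why))
```

Running the script with the sample environment denies the sign-up outright because of the strict LDAP setting, accepts the invitation to the listed domain regardless of letter case, and denies the unlisted, subdomain, look-alike and malformed addresses, each with a distinct reason. If you script a pre-check like this in front of bulk invitations, keep the domain list in one place (the same variable the server reads) so the two cannot drift apart.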