Enforce Least Privilege & Separation of Duties during Continuous Deployment

Feb 2, 2023 by Stephen Atwell

Role-based access controls (RBAC) are an essential part of any secure Continuous Deployment Platform. RBAC enables enforcement of the principle of least privilege by limiting access to applications and services to the minimum set of users. RBAC enforces separation of duties through role-based manual approvals. This helps to meet these common requirements and provides an additional layer of security within your DevOps organization.

This blog post discusses how Armory Continuous Deployment-as-a-Service uses automation and role-based access controls to ensure that changes to production applications are properly reviewed before being released. It also describes how to restrict application access by role. Finally, we’ll provide an overview of the Armory platform’s capabilities, including tenant and role management, configuration as code, and role-based approvals.

What Are Role-Based Access Controls?

RBAC is a security system that allows administrators to limit access based on the roles of users. This ensures that only authorized users can access or modify sensitive data and systems, and can require certain users to perform certain tasks in order to ensure separation of duties.

RBAC uses roles to define permissions. Each role has its own set of permissions and restrictions. For example, a user with the “administrator” role might be able to access all applications and services, while a user with the “WebUI developer” role might only be able to access the deployment of the Web UI service.

Separation of Duties

Many companies have SOC controls that ensure their applications are stable and secure. SOC often requires a separation of duties: Code requires approval before production deployment. This often takes the form of manual role-based sign-offs. For example, someone from QA may need to sign-off that tests passed, and someone from InfoSec may need to sign off that security scanners passed. Until you implement full automation, role-based approvals allow you to enforce and audit separation of duties around these tasks within your deployment pipeline.

Historically these process typically starts with a developer creating a change request. An authorized user must review this request. If approved a release manager deploys the change to production.

Using Role-Based Approvals to Enforce Separation of Duties

Using CD-as-a-Service developers can now start the release automation process. When the code is ready for approval the required approver can be notified, and simply click a button. After approval the change deploys automatically. This prevents unauthorized changes. It also provides visibility into manual processes so that they can be automated.

To enable separation of duties Armory Continuous Deployment-as-a-Service allows any Manual approval to optionally specify a list of roles. Only a user with one of these roles is able to issue the approval. Other users can see that an approval is needed, and can see the list of roles authorized to issue it. This example shows an environment, Security-Scanning, that requires an approval by the InfoSec role before it will proceed to any downstream environments.

    account: demo-staging-cluster
    strategy: rolling
      - pause:
            untilApproved: true
            - InfoSec
Other users can see who must approve.

Moving Beyond Role-based Approvals

While role-based approvals are a great way to start on your CD journey, many companies remove manual approvals from their deployment pipeline long-term. Once automation of a manual check is available it can replace the manual approvals. The role that approved the change can instead approve changes to the automation to continue enforcing separation of duties. Audits should check the approval of automation changes. Audits should also check that all changes were approved by the automation.

Enforcing Principle of Least Privilege Through Tenants

Armory CD-as-a-Service can break it’s configuration up into multiple secure tenants. This allows particular applications or teams to have their own dedicated security zone within Armory CD-as-a-Service. A tenant contains a set of Kubernetes clusters, applications, secrets, etc. Roles grant a particular access level within the scope of a tenant. Grant one or more roles to each user to give them access to their team’s resources. This allows you to easily break your application access up by team, while still supporting users who need access to applications owned by multiple teams.

The High-Level CD-as-a-Service Security Model. Tenants enable enforcement of the principal of least privilege during continuous deployment.

The principal of least privilege requires that teams have access to the minimum permissions needed to do their job. Enforce least privilege by creating a tenant per team and giving each tenant only the resources needed for that team’s applications.

Maintaining your RBAC as Code

Modern source control systems allow advanced permissions, automated validation and change control. They are also familiar tools for the typical team setting up a CD tool. Because of this Armory CD-as-a-Service took an ‘as-code’ approach to implementing it’s RBAC rules. CD-as-a-Service defines the RBAC configuration as yaml. You can update this yaml through git, just like any other code. When changes occur, your CI system can invoke the Armory CLI to automatically apply the updated RBAC configuration. This provides full audibility and change control to ensure your security configuration is itself secure.

This example RBAC configuration for Armory CD-as-a-Service creates a tenant-restricted ‘admin’ and ‘non-admin’ role for each of two teams.

- Team1
- Team2
    - name:Team1 Member
      tenant: Team1
        - type: api
          resource: deployment
          permission: full
    - name:Team1 Admin
      tenant: Team1
        - type: api
          resource: tenant
          permission: full
    - name: Team2 Member
      tenant: Team2
        - type: api
          resource: deployment
          permission: full
    - name: Vanguard Admin
      tenant: Team2
        - type: api
          resource: tenant
          permission: full


Role-based access controls are an essential part of any secure IT infrastructure. By limiting access to certain tenants, companies prevent users from modifying other team’s applications. Platform teams and developers can also leverage role-based approvals to ensure separation of duties within their application.

The Armory platform provides an automated and secure way to manage role-based access controls. It includes features such as tenant and role management, configuration as code, and role-based approvals. These features prevent users from making unauthorized changes. Do you want a secure and flexible CD solution for Kubernetes that can leverage RBAC to ensure the principle of least privilege and separation of duties? Sign up to try Armory CD-as-a-Service for free today.

Share this post:

Recently Published Posts

Lambda Deployment is now supported by Armory CD-as-a-Service

Nov 28, 2023

Armory simplifies serverless deployment: Armory Continuous Deployment-as-a-Service extends its robust deployment capabilities to AWS Lambda.

Read more

New Feature: Trigger Nodes and Source Context

Sep 29, 2023

The Power of Graphs for Ingesting and Acting on Complex Orchestration Logic We’ve been having deep conversations with customers and peer thought leaders about the challenges presented by executing multi-environment continuous deployment, and have developed an appreciation for the power of using visual tools such as directed acyclic graphs (DAG) to understand and share the […]

Read more

Continuous Deployments meet Continuous Communication

Sep 7, 2023

Automation and the SDLC Automating the software development life cycle has been one of the highest priorities for teams since development became a profession. We know that automation can cut down on burnout and increase efficiency, giving back time to ourselves and our teams to dig in and bust out innovative ideas. If it’s not […]

Read more