Access Controls
Permissions and roles
Manage who can access your BambooSnow resources and what actions they can perform.
Role-Based Access Control
BambooSnow uses RBAC to manage permissions within organizations.
Built-in Roles
| Role | Description | Permissions |
|------|-------------|-------------|
| Owner | Full control | All permissions |
| Admin | Administrative access | Most permissions |
| Developer | Standard access | Read/write code resources |
| Viewer | Read-only access | View only |
Permission Matrix
| Permission | Owner | Admin | Developer | Viewer |
|------------|-------|-------|-----------|--------|
| View repositories | ✓ | ✓ | ✓ | ✓ |
| Connect repositories | ✓ | ✓ | ✓ | - |
| Disconnect repositories | ✓ | ✓ | - | - |
| Create agents | ✓ | ✓ | ✓ | - |
| Configure agents | ✓ | ✓ | ✓ | - |
| Delete agents | ✓ | ✓ | - | - |
| View runs | ✓ | ✓ | ✓ | ✓ |
| Cancel runs | ✓ | ✓ | ✓ | - |
| Manage users | ✓ | ✓ | - | - |
| Manage billing | ✓ | - | - | - |
| Organization settings | ✓ | ✓ | - | - |
Team Management
Creating Teams
- Go to Settings > Teams
- Click Create Team
- Enter team name and description
- Add members and assign roles
Team Permissions
Teams can be granted access to:
- Specific repositories
- Groups of repositories
- All organization repositories
```yaml
# Example team configuration
teams:
  - name: frontend-team
    repositories:
      - "org/frontend-app"
      - "org/component-library"
    role: developer
  - name: security-team
    repositories: "*" # All repos
    role: viewer
    additional_permissions:
      - security_scan_results
```
API Key Permissions
API keys can be scoped to specific actions:
Available Scopes
| Scope | Access |
|-------|--------|
| read | Read-only access to all resources |
| write | Create and modify resources |
| admin | Full access including settings |
| agents:run | Trigger agent runs |
| agents:configure | Configure agent settings |
| repositories:manage | Connect/disconnect repos |
| webhooks:manage | Manage webhook endpoints |
Creating Scoped Keys
```http
POST /v1/api-keys
{
  "name": "CI Pipeline Key",
  "scopes": ["read", "agents:run"],
  "expires_in": "90d",
  "allowed_ips": ["10.0.0.0/8"]
}
```
Repository-Level Permissions
Connecting with Limited Access
When connecting repositories, you can limit access:
```yaml
repository:
  name: owner/repo
  access:
    branches:
      - main
      - "release/*"
    paths:
      include:
        - "src/**"
      exclude:
        - "src/secrets/**"
```
GitHub Permissions Mapping
BambooSnow respects GitHub permissions:
- Repository admins get the Admin role
- Users with write access get the Developer role
- Users with read access get the Viewer role
Single Sign-On (SSO)
Enterprise plans support SSO integration:
Supported Providers
- Okta
- Azure AD
- Google Workspace
- OneLogin
- Generic SAML 2.0
SSO Configuration
- Go to Settings > Security > SSO
- Select your identity provider
- Enter configuration details
- Test the connection
- Enable for organization
Just-in-Time Provisioning
Automatically provision users on first login:
```yaml
sso:
  jit_provisioning: true
  default_role: developer
  role_mapping:
    - group: "Engineering"
      role: developer
    - group: "Engineering-Leads"
      role: admin
```
Audit Logging
All access is logged for compliance:
Logged Events
- User authentication
- Permission changes
- Resource access
- Configuration changes
- Data exports
Viewing Audit Logs
- Go to Settings > Security > Audit Log
- Filter by event type, user, or date range
- Export logs for compliance
Log Retention
- Standard: 90 days
- Team: 1 year
- Enterprise: Configurable
IP Allowlisting
Restrict access to specific IP addresses:
```yaml
security:
  ip_allowlist:
    - "10.0.0.0/8" # Corporate network
    - "192.168.1.0/24" # Office
    - "203.0.113.50" # VPN exit
  enforcement: strict # or 'audit' for monitoring
```
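How an allowlist like the one above can be evaluated per request, as an added example (not BambooSnow's own code). The function names, the event strings, and the exact `strict`/`audit` behaviour shown (block versus allow-and-log) are assumptions made for illustration.

```python
import ipaddress

# Entries copied from the page's ip_allowlist example.
ALLOWLIST = ["10.0.0.0/8", "192.168.1.0/24", "203.0.113.50"]


def parse_allowlist(entries):
    """Parse allowlist entries; a bare address becomes a single-host network.

    strict=True rejects entries with host bits set (e.g. "10.0.0.1/8"),
    which usually means the range was mistyped.
    """
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def normalize(client_ip):
    """Return an address object, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d).

    Dual-stack listeners and some proxies report IPv4 clients in mapped form,
    which would never match an IPv4 CIDR if compared as-is.
    """
    addr = ipaddress.ip_address(client_ip)
    mapped = getattr(addr, "ipv4_mapped", None)
    return mapped if mapped is not None else addr


def evaluate(client_ip, networks, enforcement="strict"):
    """Return (allowed, event) for one request.

    Assumed semantics: 'strict' rejects clients outside the allowlist;
    'audit' lets them through but emits an event for review.
    """
    if enforcement not in ("strict", "audit"):
        raise ValueError(f"unknown enforcement mode: {enforcement!r}")
    try:
        addr = normalize(client_ip)
    except ValueError:
        matched = False  # unparseable source address never matches
    else:
        matched = any(addr in net for net in networks)
    if matched:
        return True, None
    if enforcement == "audit":
        return True, "allowlist_miss_audit_only"
    return False, "allowlist_miss_blocked"
```

Running a new allowlist in `audit` mode and reviewing the miss events before switching to `strict` helps avoid locking out legitimate clients.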
Session Management
Session Settings
- Timeout: 24 hours (configurable)
- Max concurrent sessions: 5
- Session location logging
Terminating Sessions
Admins can terminate user sessions:
- Go to Settings > Security > Sessions
- Find the user
- Click Terminate All Sessions