Authorization
These sections show you how to configure the authorization of AxoConsole with different authentication backends.
You can configure authorization in the spec.pomerium.policy section of the AxoConsole manifest. In on-premise deployments, the manifest is in the /var/lib/rancher/k3s/server/manifests/axoflow.yaml file.
You can grant individual email addresses and user groups read and write access (using the keys under spec.pomerium.policy) or read-only access (using the keys under spec.pomerium.policy.readOnly) to AxoConsole. Which key to use depends on the authentication backend configured for AxoConsole:
- emails: Email addresses used with static passwords and GitHub authentication. With GitHub authentication, use the primary GitHub email addresses of your users, otherwise the authorization will fail.
- claim/groups: LDAP groups used with LDAP authentication. For example:

    policy:
      emails: []
      domains: []
      groups: []
      claim/groups:
        - managers
      readOnly:
        emails: []
        domains: []
        groups: []
        claim/groups:
          - employee
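Because the key that takes effect depends on the backend, it is worth reviewing the policy before applying the manifest. The following check is an added example, not part of AxoConsole: it takes the policy mapping as a YAML parser would return it and reports keys that do not match the backend, an empty key for the backend in use, and entries listed with both access levels. The backend labels (static, github, ldap), the function name, and the sample values are assumptions made for this script.

```python
# Added example: review helper for the spec.pomerium.policy mapping.
# The backend labels are names chosen for this script, not AxoConsole settings.
KEY_FOR_BACKEND = {"static": "emails", "github": "emails", "ldap": "claim/groups"}


def lint_policy(policy, backend):
    """Return review findings for a policy mapping parsed from the manifest."""
    expected = KEY_FOR_BACKEND[backend]
    read_only = policy.get("readOnly") or {}
    findings = []
    for key in ("emails", "claim/groups"):
        rw = {str(v).strip() for v in policy.get(key) or []}
        ro = {str(v).strip() for v in read_only.get(key) or []}
        if key != expected and (rw or ro):
            findings.append(f"{key}: populated, but the {backend} backend uses {expected}")
        if key == expected and not (rw or ro):
            findings.append(f"{key}: empty, so no user is authorized through it")
        if key == "emails":
            for value in sorted(v for v in rw | ro if "@" not in v):
                findings.append(f"emails: {value!r} is not an email address")
        for value in sorted(rw & ro):
            findings.append(f"{key}: {value!r} has both read-write and read-only access")
    return findings


# Constructed sample: the policy mapping as a YAML parser would return it.
SAMPLE_POLICY = {
    "emails": ["alice@example.com"],
    "domains": [],
    "groups": [],
    "claim/groups": ["managers", "employee"],
    "readOnly": {
        "emails": [],
        "domains": [],
        "groups": [],
        "claim/groups": ["employee"],
    },
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY, "ldap"):
        print(finding)
```

The check only reports entries for review; it makes no statement about how AxoConsole resolves an entry that appears under both access levels.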