3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-07-24 03:59:49 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/docs/enterprise/concepts.md
Bobby DeSimone c207408824 concepts.md 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2021-07-29 16:19:28 -05:00

6.8 KiB
Raw Blame History

title sidebarDepth description
Concepts 1 Learn how the Pomerium Enterprise Console works.

Concepts

Namespaces

In the Pomerium Enterprise Console, a namespace is where you can define an organizational unit of users and groups with fine-grained access management. This enables teams to self-service the routes and policies pertinent to them. Namespaces can optionally inherit from their parent units.

Namespaces are the cornerstone organizational unit in Pomerium Enterprise. Namespaces enable:

  • self-service
  • hierarchical policy enforcement (both enforced, and optional)
  • policy organization
  • RBAC for the Enterprise Console itself

Self-Service Capabilities

One of the benefits of an identity-aware access proxy is that, once in place, developers and owners of enterprise applications have an incentive to configure their services to be accessible via the proxy.

Self-service has several benefits:

  • Frees global administrators from continuously modifying the configuration per user requests
  • Encourages service owners to own their configuration fragment
  • Ensures a reasonable compromise between development velocity and security controls

Unlike with a VPN, or network driven access control mechanisms, application owners (with limited access permissions managed through namespaces) can maintain route and policy configuration for their own services, while higher level operations, security, and identity teams are able to enforce higher level authorization and access policies.

Hierarchical Policy Enforcement

RBAC for Enterprise Console Users

Service Accounts

Service accounts handle machine-to-machine communication from Pomerium to your Identity Provider (IdP) in order to retrieve and establish group membership. Configuration is largely dependent on the IdP, but is usually an API access token with sufficient privileges to read users and groups.

Routes

Unlike the open-source Pomerium configuration, access is not defined alongside routing. Instead, authorization is configured by attaching policies to a route.

Policies

In the open-source Pomerium config, routes and policies are configured in a single block, under policy:

policy:
  - from: https://code.corp.domain.example
    to: http://codeserver:8080
    allowed_users:
      - some.user@domain.example
    allow_websockets: true

In the Pomerium Enterprise Console, routes and policies are separate entities. This allows for both easier and more fine-grained access control, as policies can be defined once, optionally associated under a Namespace, and attached to one or more routes. Routes can also inherit policies from their parent Namespace .