Role-based access control (RBAC) ensures the right users have access to the right resources. In mabl, you can use resource groups to apply more granular RBAC. The benefits of managing access with resource groups include:
- Improved security: comply with the security requirements of your organization by restricting access to protected resources to certain users.
- Improved collaboration: ensure that workspace members only have access to the resources that are relevant to their work, and lower the chances of unintentional changes.
At present, credentials and DataTables can be managed with resource groups. At a later date, we will support adding other resources to resource groups. This article explains how to manage permissions with resource groups:
Resource groups are available for all mabl Core customers and trial users. If your team is not on a mabl Core plan, reach out to your customer success manager for more information.
Create a resource group
Workspace owners can go to Settings > Resource groups to create a new resource group. Give the resource group a name and description that indicate the purpose of the resource group.
Depending on your team's requirements, you can create resource groups that align with different team roles. For example, you can create two separate resource groups to manage access to credentials and DataTables for the QA members and engineers in your workspace:
Assign roles
Decide who can access the resource group on the teams page: Settings > Team:
- Check the box next to each user that you want to invite to the resource group.
- Click on Grant access to resource group.
- Select the resource group(s) and assign roles to each user. Resource group roles define the permissions for interacting with the resources in a resource group.
Granting access to a resource group
Only workspace owners can create, update, and delete role assignments at the workspace level and the resource group level.
For a breakdown of permissions by role, see the reference on roles and permissions.
Add resources
The final step is to add resources to the resource group. This step determines who can view and manage the resources. Users without access to the group are restricted from viewing, editing, or using these resources. Any resources that aren't in a resource group are considered shared resources.
To add an existing resource to a resource group, open the detailed view in the mabl app, click on the pencil to Manage resource groups, and add it to the appropriate resource group.
Managing resource groups settings for a credential
To add a new resource to a resource group, select the appropriate resource group from a dropdown on the creation form:
Adding a new DataTable to a resource group
Restricted access
If a user is not a member of a resource group, they can see that the resource exists, but they cannot view, edit, delete, or use the resource.
A restricted resource group
For example, if you are an editor of shared resources, you can create and manage all resources that are not part of a resource group. If the resource is part of a resource group, your access depends on whether you were granted access to the resource group:
- If you have an assigned role in the group, you can access the resource.
- If you do not have an assigned role in the group, you can see that the resource exists, but you do not have permission to view, use, or interact with that resource.
In practical terms, not having access to a resource has the following implications:
- The resource is not available when you create, edit, or run tests and plans
- If a test run uses the resource, buttons to view the test output are disabled
- If another user shares a link to a browser, mobile, or API test result that uses the protected credential or DataTable, you will see an error if you visit the page. Performance test results are not restricted because they do not surface screenshots or logs that contain the protected resource.
Shared resources
Resources that are not part of a resource group are considered shared resources. All members of the workspace can access them to the extent that their workspace role allows. Unless a resource is added to a resource group, it becomes a shared resource.
Deleting resource groups
If a workspace owner deletes a resource group, the resources that belonged to that deleted resource group will still remain in your workspace. If the resources do not belong to any other resource groups, they will become shared resources.
Workspace owners can restore a resource group from the activity feed: Settings > Activity feed. When a resource group is restored, its associations with resources and users are restored as well.