Restrict Admin Role Assignment to Service Accounts by Non-Admin Users
long-term
Organisational Gayal
Right now, any user who has the "Manage Service Account" permission can assign Admin roles to a Service Account. This allows non-admin users to create SAs with Admin access and generate tokens to perform admin-level actions — which is a security risk.
Why It Matters:
This can lead to unnecessary privilege, where a user who is not supposed to have full access ends up gaining it by assigning Admin roles to SAs they create.
Suggestion:
Add a feature to restrict role assignments, so only users with proper permissions can assign Admin (or other sensitive) roles to Service Accounts. This could be done by:
- Splitting the “Manage SA” permission into smaller ones like “Edit SA” and “Assign Role”
- Adding checks to prevent non-admins from assigning high-level roles
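The escalation path and the two suggested controls, as an added example that is not part of the original post and is not Harness code. Role names, permission strings and function names are hypothetical; the no-escalation rule (an actor may only grant a role whose permissions they already hold) generalizes the "prevent non-admins from assigning high-level roles" check.

```python
# Added illustration: role and permission names are hypothetical, not Harness identifiers.
ROLES = {
    "Admin": {"sa.manage", "sa.assign_role", "user.manage", "secret.manage"},
    "SA Manager": {"sa.manage"},                          # today's "Manage SA" holder
    "SA Role Assigner": {"sa.manage", "sa.assign_role"},  # split-permission persona
}

class Principal:
    def __init__(self, name, roles=()):
        self.name = name
        self.roles = set(roles)

    def permissions(self):
        # Effective permissions are the union of every bound role.
        perms = set()
        for role in self.roles:
            perms |= ROLES[role]
        return perms

def assign_role_current(actor, sa, role):
    """Behaviour described in the post: 'Manage SA' alone gates role assignment."""
    if "sa.manage" not in actor.permissions():
        raise PermissionError(f"{actor.name} cannot manage service accounts")
    sa.roles.add(role)

def assign_role_guarded(actor, sa, role):
    """Suggested behaviour: separate assign permission plus a no-escalation check."""
    held = actor.permissions()
    if "sa.assign_role" not in held:
        raise PermissionError(f"{actor.name} lacks the role-assignment permission")
    missing = ROLES[role] - held
    if missing:
        # The role would give the SA permissions the actor does not hold.
        raise PermissionError(f"{actor.name} cannot grant {role}: missing {sorted(missing)}")
    sa.roles.add(role)

def demo():
    dev = Principal("dev", ["SA Manager"])
    sa = Principal("ci-bot")
    assign_role_current(dev, sa, "Admin")        # allowed today: the reported gap
    escalated = "user.manage" in sa.permissions()
    sa2 = Principal("ci-bot-2")
    try:
        assign_role_guarded(dev, sa2, "Admin")
        blocked = False
    except PermissionError:
        blocked = True
    assign_role_guarded(Principal("root", ["Admin"]), sa2, "Admin")  # admins still can
    return escalated, blocked, "Admin" in sa2.roles
```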
Abhishek Thamman marked this post as long-term
Thoughtful Locust
It seems that:
- A user WITHOUT Admin permissions but WITH Manage SA can create a service account
- They can also give the Service account Admin permissions
- Now the user de facto has Admin permissions because they have access to the service account (with admin permissions)
If this understanding is correct then only Admins should be granted Manage SA.
Abhishek Thamman
Hi Thoughtful Locust, I understand the concerns here. The best way to solve for this should be through OPA. Service accounts are already a supported entity in OPA (https://developer.harness.io/docs/platform/governance/policy-as-code/harness-governance-overview/). However, achieving the above use case would require an enhancement to send role binding related information to the Harness policy engine. Once that data starts flowing in, you can write a policy that allows/restricts certain roles to assign the admin role to a service account.
I will add this enhancement to our backlog for now.
Thanks,
Abhishek Thamman
Abhishek Thamman marked this post as pending feedback
Abhishek Thamman
Hi Organisational Gayal,
Thanks for your feature request. Harness follows fine-grained access control, which means that if a user has "Manage" Service Account permissions, then the user will be able to modify role assignments for a Service Account. In other words, this is the only permission that governs if role assignments can be modified for Service Accounts.
It would be great if you can elaborate on the use case for splitting the Manage permissions further. Can you provide more details on the two personas that will have these different permissions after splitting?
Thanks,
Abhishek Thamman
Prateek Mittal marked this post as under review