Manage Group Membership Example

This example demonstrates how to manage team access by modifying an OrganizationUserGroup manifest. This is the required method for granting access to production and financial environments, implementing the Scalable Team Management via Groups use case.

[!IMPORTANT] Production Security Policy: Direct user assignment (members:) is strictly disallowed for production projects. All access must be managed via groups to ensure compliance (SOC2/PCI), scalability, and clear name abstractions.


Scenario

A new developer, Jane Smith, needs access to the AstraPay platform. Instead of modifying the production project manifest directly, you will add her abstracted user identity to the payments-contributors group.

Identity Abstractions

In Infrastream, we use name abstractions to reference users and groups. These reference the metadata.name of the corresponding OrganizationUser or OrganizationUserGroup manifest.

| Identity | Abstraction (Manifest Name) | Actual Identity (GCP/Workspace) |
|---|---|---|
| Jane Smith | jane-smith | jane.smith@company.com |
| Payments Contributors | payments-contributors | astrapay-contributors@company.com |

Group Manifest: Before

File: organization/acme-corp/organization-user-group/payments-contributors.yaml

apiVersion: lowops.manifests.v1
kind: OrganizationUserGroup
metadata:
  name: payments-contributors
spec:
  description: Developers with contribution access to AstraPay production.
  members:
    users:
      - tech-lead
      - senior-dev-1
    external: []

Group Manifest: After

To onboard Jane, simply add her abstraction jane-smith to the users list.

apiVersion: lowops.manifests.v1
kind: OrganizationUserGroup
metadata:
  name: payments-contributors
spec:
  description: Developers with contribution access to AstraPay production.
  members:
    users:
      - tech-lead
      - senior-dev-1
      - jane-smith # ← ADDED: Jane Smith is now part of the group
    external: []

How This Grants Project Access

The astrapay-prod project manifest references this group abstraction. Because Jane is now a member of payments-contributors, she automatically inherits the permissions defined in the project:

File: organizational-unit/payments/environment/production/project/astrapay-prod/astrapay-prod.yaml

spec:
  permissions:
    contributors:
      groups:
        - payments-contributors # Jane inherits access via this abstraction
      members: [] # REMINDER: Keep empty for production
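The two manifests above only grant the intended access if the project really references the group and the production policy (empty members:) holds. The following script is an added example, not Infrastream or lowops tooling, of the kind of CI gate a platform team would run over a manifest repository: it resolves a project's contributors through its groups to the underlying Workspace identities and reports policy violations. It assumes the manifests are already parsed into dicts (what yaml.safe_load would return), that the environment is taken from the environment/<name> path segment, and that "production" and "financial" are the protected environments; the sample users, group and project data are constructed to mirror the page.

```python
"""Policy check for group-based project access.

Added example, not part of Infrastream. Assumptions: manifests are given as
the dicts yaml.safe_load would return; the project's environment is read from
the 'environment/<name>' segment of its manifest path; protected environments
are 'production' and 'financial'.
"""
from __future__ import annotations

PROTECTED_ENVIRONMENTS = {"production", "financial"}  # assumption, not from the page

# Constructed sample data mirroring the manifests shown on this page.
# OrganizationUser manifests reduced to abstraction -> actual identity.
ORG_USERS = {
    "tech-lead": "tech.lead@company.com",
    "senior-dev-1": "senior.dev1@company.com",
    "jane-smith": "jane.smith@company.com",
}

GROUPS = {
    "payments-contributors": {
        "apiVersion": "lowops.manifests.v1",
        "kind": "OrganizationUserGroup",
        "metadata": {"name": "payments-contributors"},
        "spec": {
            "description": "Developers with contribution access to AstraPay production.",
            "members": {"users": ["tech-lead", "senior-dev-1", "jane-smith"], "external": []},
        },
    }
}

PROJECT_PATH = ("organizational-unit/payments/environment/production/"
                "project/astrapay-prod/astrapay-prod.yaml")
PROJECT = {  # the "after" state: access only via the group, members kept empty
    "spec": {"permissions": {"contributors": {"groups": ["payments-contributors"],
                                               "members": []}}}
}

# Constructed counter-example: direct member plus a group with no manifest.
BAD_PROJECT = {
    "spec": {"permissions": {"contributors": {"groups": ["ops-admins"],
                                               "members": ["jane-smith"]}}}
}


def environment_of(path: str) -> str | None:
    """Return the environment name from an 'environment/<name>' path segment."""
    parts = path.split("/")
    if "environment" in parts:
        i = parts.index("environment")
        if i + 1 < len(parts):
            return parts[i + 1]
    return None


def resolve_role(project: dict, role: str, groups: dict, users: dict) -> dict[str, str | None]:
    """Map every abstraction holding `role` on the project to its actual identity.

    Direct members and users of referenced groups are both included; an
    abstraction with no OrganizationUser manifest maps to None.
    """
    perm = project.get("spec", {}).get("permissions", {}).get(role, {})
    abstractions = set(perm.get("members", []))
    for group_name in perm.get("groups", []):
        group = groups.get(group_name)
        if group is not None:
            abstractions.update(group["spec"]["members"]["users"])
    return {a: users.get(a) for a in sorted(abstractions)}


def check_project(path: str, project: dict, groups: dict, users: dict) -> list[str]:
    """Return policy findings; an empty list means the project passes."""
    findings: list[str] = []
    env = environment_of(path)
    for role, perm in project.get("spec", {}).get("permissions", {}).items():
        members = perm.get("members", [])
        if env in PROTECTED_ENVIRONMENTS and members:
            findings.append(f"{role}: direct members {members} are disallowed in {env}")
        for group_name in perm.get("groups", []):
            if group_name not in groups:
                findings.append(f"{role}: group '{group_name}' has no OrganizationUserGroup manifest")
                continue
            for user in groups[group_name]["spec"]["members"]["users"]:
                if user not in users:
                    findings.append(f"{role}: group '{group_name}' lists unknown user '{user}'")
        for user in members:
            if user not in users:
                findings.append(f"{role}: unknown direct member '{user}'")
    return findings


if __name__ == "__main__":
    for label, proj in (("astrapay-prod", PROJECT), ("bad-project", BAD_PROJECT)):
        print(label, "findings:", check_project(PROJECT_PATH, proj, GROUPS, ORG_USERS))
    print("effective contributors:", resolve_role(PROJECT, "contributors", GROUPS, ORG_USERS))
```

Running it shows astrapay-prod passing with jane.smith@company.com among the effective contributors, while the constructed bad project is rejected for both the direct member and the unresolved group reference, which is exactly the condition the [!IMPORTANT] note above is meant to prevent.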

Git Workflow

# 1. Locate the group manifest in your repository
# (e.g., in organization/acme-corp/organization-user-group/)

# 2. Edit the group manifest
vim payments-contributors.yaml

# 3. Commit and push
git add .
git commit -m "Onboard jane-smith to payments-contributors group"
git push origin onboarding/jane-smith

Business Value

  • Zero-Touch Onboarding: Grant access to multiple projects/resources at once by updating a single group.
  • Security Compliance: Enforces group-based access required by financial regulators (PCI DSS).
  • Self-Documenting: Using abstractions like jane-smith makes manifests readable and independent of raw email changes.