Groups and folders
Groups and folders are ways to manage permissions and organize items in a workspace. They are the privileged method to handle permissions in Windmill.
Recap of how permissions are given to an item (script, flow, resource, variable, schedule) in Windmill:
Folders
Folders group various items, such as scripts, flows, resources, and schedules, together and assign role-based access control permissions to groups and individual users.
Folders should represent projects, and we recommend assigning permissions to groups. You should have as many top-level folders that you have different projects/permission scopes.
Subfolders
You can have as many subfolders as you want but only the top-level folder will have permissions one can inherit from.
To use subfolders, you just need to have '/' in the last part of the path of an item, like you would do on a filesystem.
Groups
Groups of users are a way to classify users together, allowing for shared permissions within the workspace. Users within the same group (also referred to as a role) will have homogenous permissions. Users can belong to multiple groups simultaneously.
Similar to users, groups can be assigned one of three permission levels for a specific item.
- Viewer: read-only access.
- Writer: read and write access.
- Admin: read and write access, and can manage permissions and new admins.
Groups and folders together
Groups and folders work together to organize permissions and access control within your workspace. Groups can be included within folders, but folders cannot be nested within groups.
It means that if you want to allow a team to use a given resource, you can save it in a folder, and either add each member of the team as a user in the folder, or add a group containing the whole team to the folder.
For example, you are building a Slackbot and want it to use manipulate some resources. You can add the g/slack group (which is automatically created when you configure Slack on Windmill to the desired resource).
Instance groups
Instance groups are a special type of group that are automatically managed and synced from your identity provider through SCIM (System for Cross-domain Identity Management). These groups provide enterprise-level user and group management without requiring manual provisioning within Windmill.
Key characteristics
Automatic synchronization: Instance groups are automatically created, updated, and removed based on your identity provider's group structure. This eliminates the need for manual group management in Windmill.
Enterprise integration: They seamlessly integrate with enterprise identity providers like Okta, Microsoft Azure Active Directory, and other SCIM-compatible systems.
Instance-wide scope: Unlike regular workspace groups, instance groups operate at the instance level and can be used across multiple workspaces within your Windmill instance.
Hands-off management: Once SCIM is configured, your IT administrators can manage group membership directly in your identity provider, and changes will automatically reflect in Windmill.
How instance groups work
- SCIM configuration: Your Windmill instance is configured to accept SCIM provisioning from your identity provider
- Group synchronization: Groups from your identity provider are automatically synced to Windmill as instance groups
- User assignment: When users are added to groups in your identity provider, they automatically gain the corresponding group membership in Windmill
- Permission inheritance: Instance groups can be assigned to folders and resources just like regular groups, inheriting the same permission levels (Viewer, Writer, Admin)
Benefits
- Reduced administrative overhead: No need to manually create and manage groups in Windmill
- Consistency: Groups remain synchronized with your organization's identity structure
- Security: Centralized group management through your existing identity provider
- Scalability: Easily manage large numbers of users and groups across your organization