Table of contents
1. Introduction
2. Identity Access Management
2.1. Policies
2.2. Role-Based Access Control
2.3. IAM Projects
3. IAM Administration
3.1. Custom Policies
3.2. Policy Membership
4. IAM Actions
5. Frequently Asked Questions
5.1. Give some examples of resources that respect and do not respect projects.
5.2. What are LDAP and SAML?
5.3. Is it possible to change the project limit set by Chef Automate?
6. Conclusion
Last Updated: Mar 27, 2024

Chef Automate Users Authorisation

Author Yashesvinee V

Introduction

Authorisation of users is an essential access control practice for running applications and services safely. It ensures that a user has the correct permissions before accessing sensitive data and information. Identity and access management is one way to ensure that every user has the right level of access to resources such as networks and databases. Chef Automate's Identity and Access Management allows direct administration and management of policy members from the browser.


Identity Access Management

Policies are a core component of IAM in Chef Automate. They define, for every user, which actions may be performed and on which resources. Chef Automate also supports projects, which allow data to be filtered and segregated among a user base. The diagram below shows the policy structure of IAM in Chef Automate.

Policy Structure of IAM

Policies

IAM policies grant permissions and distinguish between policy membership and policy definition for fine-grained control, including role-based access control. Multi-statement policies support complex permissions, and each statement specifies a single permission. The permission statements are combined and evaluated to obtain the net effect: a policy grants access if at least one statement explicitly allows it and none denies it. Policies are evaluated in the following order.

  • All requests are denied by default.
  • Any explicit ALLOW overrides the default DENY.
  • Any explicit DENY in any policy overrides any ALLOW in any policy.

A policy must have a Role that defines a list of Actions. It can be applied to a user, team or API token. There are two types of policies - Chef-managed and Custom Policies.

Role-Based Access Control

A role is a named list of actions that provides the benefit of encapsulation. It offers reusability, since the same role can be applied to any statement that needs it. There are Chef-managed and custom roles. By default, Chef Automate has five Chef-managed roles and two custom roles. The Chef-managed roles are:

  • Viewer - It allows you to view everything in the system except IAM.
  • Editor - It can do everything in the system except IAM and license application.
  • Owner - It can do everything in the system, including IAM.
  • Project Owner - In addition to everything an editor can do, it allows one to view and assign projects.
  • Ingest - It can ingest data into the system.

The custom roles are:

  • Compliance Viewer - It allows viewing compliance resources.
  • Compliance Editor - It allows editing compliance resources.

IAM Projects

IAM projects are collections of resources created in Chef Automate or ingested from external data providers like Chef Infra and Chef InSpec. Projects reduce the scope of a policy’s permissions to only the resources assigned. Following are the steps to set up a project.

Step 1: Create a new project on the Projects list page.

Step 2: Edit existing IAM policy or create new policies to restrict permissions to specific projects as required.

Step 3: Assign teams or tokens to projects.

Step 4: Select the projects to filter in the UI. The global project filter can select one or more projects for viewing.

A newly created or newly edited project has no resources assigned to it until they are assigned explicitly. Resources that can be assigned to a project are ingested client-run and compliance nodes, as well as teams, API tokens, policies and roles created in Chef Automate. Chef Automate distinguishes resources that respect projects from resources that do not respect projects, depending on whether they respond to or ignore the applied project filters.

Projects group permissions for ingested data and Chef Automate resources, specifically Compliance reports, Chef Infra Server events, and Infrastructure nodes. Chef Automate allows a maximum of 300 projects. During the creation of a project, the system adds three additional policies for the user's convenience. The policy names are:

  • <project-name> Project Owners
  • <project-name> Project Editors
  • <project-name> Project Viewers

IAM Administration

Users can view all policies in Chef Automate by selecting the Settings tab in the top navigation bar and then selecting the Policies section in the left navigation. The view displays Chef-managed policies, imported v1 default policies (also called legacy policies), and imported v1 custom policies created by the user.

Custom Policies

Chef-managed policies are just a start. Users can define custom policies from the command line to express more fine-grained permissions. A custom policy is written in a JSON file. The permission actions of a policy can be assigned to one or more projects; if the projects array is left empty, the policy is unassigned. Permissions are defined as statements and declared in an array. Each statement specifies the actions a user is permitted to perform on the assigned resources. The projects field of a statement can contain more than one existing project, and the wildcard * indicates permission to resources in any project. Here is an example of a complete JSON policy file.

Policy File

Policy Membership

Users, teams and API tokens are policy members. Local users and teams are managed directly by Chef Automate. Members can be added to and removed from a policy in the Policies list under the Settings tab, and current membership can be viewed under Members. Member expressions are used for externally managed users, teams, and API tokens. They are case-sensitive and are written in the following format.

Teams - team:<type>:<name>

Users - user:<type>:<name>

API Token - token:<id>

The value of type can be LDAP or SAML. The token ID can be obtained from the API Tokens page.

IAM Actions

IAM Actions list the associated actions required to access a particular page in the browser. The wildcard * gives broad permissions to perform all related actions, including get, list, create, delete, etc. Specifying the action restricts user access to that action.
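The evaluation order (default DENY, explicit ALLOW, explicit DENY wins), the custom-policy JSON layout, the case-sensitive member expressions and the * wildcard for projects and actions can be exercised together in a small evaluator. This is an added example and not Chef Automate's own code; the role table, policy ids, member names and action strings are constructed for illustration.

```python
import fnmatch
import json

# Constructed role table: a role is a named list of actions (ids are illustrative).
ROLES = {"report-reader": ["compliance:reports:get", "compliance:reports:list"]}

# Constructed policy documents in the custom-policy JSON layout described above.
POLICIES = json.loads("""
[
  {"id": "audit-viewers", "name": "Audit Viewers",
   "members": ["team:ldap:auditors", "user:saml:alice@example.test"],
   "statements": [
     {"effect": "ALLOW", "actions": ["compliance:reports:*"], "projects": ["prod"]},
     {"effect": "ALLOW", "role": "report-reader", "projects": ["dev"]}
   ],
   "projects": []},
  {"id": "no-deletes", "name": "No Deletes",
   "members": ["team:ldap:auditors"],
   "statements": [
     {"effect": "DENY", "actions": ["compliance:reports:delete"], "projects": ["*"]}
   ],
   "projects": []}
]
""")

def statement_actions(stmt):
    """A statement lists actions directly or names a role that expands to them."""
    return stmt.get("actions", []) + ROLES.get(stmt.get("role", ""), [])

def statement_applies(stmt, action, project):
    """Match when the action fits a pattern (* wildcard) and the project is listed
    or the statement carries the * project wildcard."""
    action_ok = any(fnmatch.fnmatchcase(action, pat) for pat in statement_actions(stmt))
    project_ok = "*" in stmt["projects"] or project in stmt["projects"]
    return action_ok and project_ok

def is_authorized(policies, member, action, project):
    """Default DENY; an explicit ALLOW overrides it; an explicit DENY in any policy
    overrides every ALLOW. Member expressions are compared case-sensitively."""
    allowed = False
    for pol in policies:
        if member not in pol["members"]:
            continue
        for stmt in pol["statements"]:
            if not statement_applies(stmt, action, project):
                continue
            if stmt["effect"] == "DENY":
                return False      # an explicit DENY is final
            allowed = True        # ALLOW: remember it, but keep scanning for a DENY
    return allowed
```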

IAM Actions

Frequently Asked Questions

Give some examples of resources that respect and do not respect projects.

API Tokens, Policies, Teams and Roles respect projects. Compliance Profiles, Data Feeds, Habitat Services, Node Credentials and Node Managers do not respect projects.

What are LDAP and SAML?

LDAP stands for Lightweight Directory Access Protocol, and SAML stands for Security Assertion Markup Language. Both are protocols primarily used to authorise users' access to an organisation's resources and securely authenticate their identity.

Is it possible to change the project limit set by Chef Automate?

Chef Automate limits the number of projects to 300. This limit can be increased from the command line: the desired limit is written to a file called authz.toml, and the existing Chef Automate configuration is updated with the command ‘chef-automate config patch authz.toml’.

Conclusion

This blog discusses the authorisation of Chef users. It gives an overview of Identity Access Management in Chef Automate and covers the administrative operations of IAM as well as IAM Actions. Check out our articles on Chef InSpec Terminology, Chef Shell for Debugging, and Troubleshooting Chef Workstation. Explore our Library on Coding Ninjas Studio to gain knowledge on Data Structures and Algorithms, Machine Learning, Deep Learning, Cloud Computing and many more! Test your coding skills by solving our test series and participating in the contests hosted on Coding Ninjas Studio!

Looking for questions from tech giants like Amazon, Microsoft, Uber, etc.? Look at the problems, interview experiences, and interview bundle for placement preparations.

Upvote our blogs if you find them insightful and engaging! Happy Coding!
