Admin Guide

This guide covers administrative tasks for the Isolate platform, including user management, approval policies, resource management, federation setup, and project registration.

Overview

As an Isolate administrator, you have access to platform-wide management capabilities:

  • User Management: Add/remove users, assign roles, manage permissions
  • Approval Policies: Configure automatic approval rules and access controls
  • Resource Management: Discover, adopt, and configure access levels for cloud resources
  • Federation: Set up multi-cloud/multi-project resource discovery
  • Project Registration: Connect GCP, AWS, and Azure projects to Isolate

User Management

Role Hierarchy

Isolate uses a hierarchical role system where higher roles inherit all capabilities of lower roles:

Role                 Level  Capabilities
developer            1      Create/manage own instances, connect via CLI
engineering_manager  2      + Approve any connection request
devops               3      + Federation admin, resource management, audit access
super_admin          4      + Organization setup, role impersonation, all permissions

Managing Users

Navigate to /users (requires devops+ role) to manage platform users:

Adding Users

  1. Click "Add User"
  2. Enter the user's email address (must match their SSO identity)
  3. Select their role from the dropdown
  4. Click "Create User"

Updating User Roles

  1. Find the user in the users list
  2. Click the role dropdown next to their name
  3. Select the new role
  4. Changes take effect immediately

Removing Users

  1. Click the "Delete" button next to the user
  2. Confirm the deletion
  3. User loses all access immediately
  4. Their active instances remain unaffected

Super Admin Configuration

Super admin emails are configured via the SUPER_ADMIN_EMAILS environment variable:

# In deployment configuration
SUPER_ADMIN_EMAILS=alice@company.com,bob@company.com

# Super admins can impersonate lower roles via cookie
# Useful for testing and troubleshooting user permissions

Approval Policies

Policy Overview

Approval policies automatically determine whether access requests should be approved, require manual review, or be denied. Policies are evaluated in priority order (lowest number first).

Policy Conditions

Policies can match on various request attributes:

  • User Email: Exact match or domain suffix (e.g., @company.com)
  • User Role: Minimum role level required
  • Resource Type: cloudsql, gke, alloydb, aws-rds, azure-sql, etc.
  • Project: Specific project name or pattern
  • Environment: production, staging, development
  • Time of Day: Business hours restrictions
  • Request Duration: Maximum allowed access time

Policy Actions

Action            Description               Use Case
auto-approve      Immediately grant access  Trusted users, dev environments, short durations
require-approval  Queue for manual review   Production access, sensitive data, longer durations
deny              Reject the request        Blocked users, restricted resources, off-hours

Creating Policies

Navigate to /policies to create and manage approval policies:

  1. Click "Create Policy"
  2. Set the policy priority (lower numbers evaluated first)
  3. Configure conditions (all must match for policy to apply)
  4. Select the action (auto-approve, require-approval, or deny)
  5. Add an optional description
  6. Save the policy

Example Policies

# Auto-approve staging access for developers
Priority: 10
Conditions: environment=staging, role>=developer, duration<=8h
Action: auto-approve

# Require approval for production database access
Priority: 20
Conditions: environment=production, resource_type=cloudsql
Action: require-approval

# Deny external contractor access to sensitive projects
Priority: 5
Conditions: user_email=*@contractor.com, project=sensitive-*
Action: deny
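The evaluation rules above (priority order with the lowest number first, all conditions required, first match wins) and the troubleshooting advice further down about priority ordering are easiest to check with a small evaluator. The following is an added example, not Isolate's own code: the role levels, condition kinds and the three example policies are taken from this guide, while the exact matching rule for each condition (domain suffix, glob patterns, a business-hours window) and the require-approval fallback when no policy matches are assumptions chosen to fail closed.

```python
"""Approval-policy evaluation as described above: policies are checked in
priority order (lowest number first), every condition of a policy must hold
for it to apply, and the first matching policy decides the action.

Added example, not Isolate's own code. Role levels, condition kinds and the
three example policies come from this guide; the matching rules for each
condition and the require-approval fallback when no policy matches are
assumptions chosen to fail closed."""
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatch

# Role hierarchy table: a higher level inherits everything below it.
ROLE_LEVEL = {"developer": 1, "engineering_manager": 2, "devops": 3, "super_admin": 4}


@dataclass
class Request:
    user_email: str
    role: str
    resource_type: str
    project: str
    environment: str
    duration_hours: float
    hour_of_day: int  # 0-23; assumed to be in the deployment's local time zone


@dataclass(order=True)
class Policy:
    priority: int  # the only field that orders policies
    conditions: dict = field(compare=False)
    action: str = field(compare=False)  # auto-approve | require-approval | deny
    description: str = field(default="", compare=False)


def _matches(cond: str, value, req: Request) -> bool:
    """Evaluate one condition; an unknown condition key never matches."""
    if cond == "user_email":  # exact address, "@domain" suffix, or glob pattern
        email = req.user_email.lower()
        if value.startswith("@"):
            return email.endswith(value.lower())
        return fnmatch(email, value.lower())
    if cond == "role":  # minimum role level
        return ROLE_LEVEL[req.role] >= ROLE_LEVEL[value]
    if cond == "resource_type":
        return req.resource_type == value
    if cond == "project":  # exact name or glob such as "sensitive-*"
        return fnmatch(req.project, value)
    if cond == "environment":
        return req.environment == value
    if cond == "business_hours":  # (start, end) hours; matches inside that window
        start, end = value
        return start <= req.hour_of_day < end
    if cond == "max_duration_hours":
        return req.duration_hours <= value
    return False


def evaluate(policies: list[Policy], req: Request) -> tuple[str, Policy | None]:
    """Return (action, policy that decided it); (require-approval, None) if none matched."""
    for policy in sorted(policies):  # lowest priority number first
        if all(_matches(k, v, req) for k, v in policy.conditions.items()):
            return policy.action, policy
    return "require-approval", None


# The three example policies from this guide in this evaluator's shape.
EXAMPLE_POLICIES = [
    Policy(10, {"environment": "staging", "role": "developer", "max_duration_hours": 8},
           "auto-approve", "Auto-approve staging access for developers"),
    Policy(20, {"environment": "production", "resource_type": "cloudsql"},
           "require-approval", "Require approval for production database access"),
    Policy(5, {"user_email": "*@contractor.com", "project": "sensitive-*"},
           "deny", "Deny external contractor access to sensitive projects"),
]


def decide(req: Request) -> str:
    """Action for a request under the example policies."""
    return evaluate(EXAMPLE_POLICIES, req)[0]


if __name__ == "__main__":
    # Constructed sample requests; the addresses and project names are not real.
    samples = [
        Request("dev@company.com", "developer", "cloudsql", "app-staging", "staging", 4, 10),
        Request("dev@company.com", "developer", "cloudsql", "app-prod", "production", 4, 10),
        Request("ext@contractor.com", "developer", "gke", "sensitive-billing", "staging", 1, 10),
        Request("dev@company.com", "developer", "cloudsql", "app-staging", "staging", 12, 10),
    ]
    for r in samples:
        action, pol = evaluate(EXAMPLE_POLICIES, r)
        print(f"{r.user_email:20} {r.environment:11} {r.project:18} -> {action:17}"
              f" [{pol.description if pol else 'no policy matched, default'}]")
```

The fourth sample request (staging, but 12 hours) shows why "auto-approval not working" is usually a condition mismatch rather than a broken policy: the duration condition fails, no other policy matches, and the request falls through to manual review. Swapping the deny policy's priority to 15 would let a contractor's staging request reach the auto-approve rule first, which is the ordering mistake the Policy Issues section warns about.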

Resource Management

Resource Discovery

Navigate to /resources to manage discoverable cloud resources:

Discovering Resources

  1. Click "Discover Resources"
  2. Select the cloud provider (GCP, AWS, Azure)
  3. Choose the project/subscription/account
  4. Optionally filter by resource type or region
  5. Click "Start Discovery"
  6. Review discovered resources and click "Adopt" to add them to Isolate

Adopting Resources

Adopting a resource makes it available for instance creation in Isolate:

  • Database Resources: CloudSQL, RDS, Azure SQL instances become backup sources
  • Kubernetes Resources: GKE, EKS, AKS clusters become available for proxy access
  • Metadata: Resource labels, environments, and configurations are imported

Access Levels

Each resource has an access level that determines who can request access:

Access Level  Who Can Request                       Use Case
public        Any authenticated user                Development environments, shared resources
team          Users with engineering_manager+ role  Team-specific staging environments
restricted    Users with devops+ role               Production systems, sensitive data

Resource Configuration

For each adopted resource, you can configure:

  • Display Name: Friendly name shown in the UI
  • Environment Tags: production, staging, development
  • Backup Location: GCS bucket, S3 bucket, or Azure Blob container
  • Default TTL: Maximum instance duration for this resource
  • Allowed Instance Types: Restrict available VM/database tiers

Federation

Federation Architecture

Federation allows Isolate to discover and manage resources across multiple cloud projects, accounts, or subscriptions using a hub-and-spoke model.

Central Isolate Hub (GCP)
    |
    +-- Federation Agent (GCP Project A) -> CloudSQL + GKE
    |
    +-- Federation Agent (AWS Account B) -> RDS + EKS
    |
    +-- Federation Agent (Azure Sub C) -> Azure SQL + AKS

Setting Up Federation

Create an Organization

  1. Navigate to /federation (requires super_admin role)
  2. Click "Create Organization"
  3. Enter organization name and description
  4. Only one organization per Isolate deployment is allowed

Generate Federation Tokens

  1. Click "Generate Token"
  2. Copy the registration token (32-char hex, expires in 24 hours)
  3. Use this token when deploying federation agents

Managing Federation Nodes

The federation page shows all registered nodes with their status:

Status    Meaning                         Action Needed
active    Heartbeat received < 5 min ago  None
inactive  No heartbeat for > 5 min        Check agent logs/connectivity
revoked   Manually disabled by admin      Re-enable or regenerate token

Revoking Nodes

  1. Find the node in the federation list
  2. Click "Revoke"
  3. The node's permanent token is invalidated
  4. Agent can no longer authenticate
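The token and status rules in the three sections above (a 32-character hex registration token that expires after 24 hours, the 5-minute heartbeat threshold, and revocation invalidating the node's permanent token) can be modelled on the hub side in a few dozen lines. The following is an added example, not Isolate's own code: storage is an in-memory dict, and storing only a SHA-256 digest of each token and treating a registration token as single-use are assumptions about good practice rather than a description of how Isolate stores tokens.

```python
"""Hub-side handling of federation tokens and node status as described above:
a 32-character hex registration token that expires after 24 hours, exchanged by
an agent for a permanent node token; heartbeat-based active/inactive status
with the 5-minute threshold; and revocation, which invalidates the permanent
token so the agent can no longer authenticate.

Added example, not Isolate's own code. Storage is an in-memory dict; storing
only a SHA-256 digest of each token and treating a registration token as
single-use are assumptions about good practice, not a description of Isolate."""
from __future__ import annotations
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

REGISTRATION_TTL = timedelta(hours=24)   # registration token lifetime
HEARTBEAT_ACTIVE = timedelta(minutes=5)  # "active" means a heartbeat < 5 min ago
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock origin


def at(minutes: float) -> datetime:
    """Constructed timestamp helper: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


def _digest(token: str) -> str:
    # Only the digest is stored, so a read of the node table yields no usable token.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Node:
    name: str
    last_heartbeat: datetime
    revoked: bool = False


@dataclass
class Hub:
    registration: dict[str, datetime] = field(default_factory=dict)  # digest -> expiry
    nodes: dict[str, Node] = field(default_factory=dict)             # digest -> node

    def generate_registration_token(self, now: datetime) -> str:
        token = secrets.token_hex(16)  # 16 random bytes -> 32 hex characters
        self.registration[_digest(token)] = now + REGISTRATION_TTL
        return token

    def register_agent(self, name: str, reg_token: str, now: datetime) -> str | None:
        """Exchange an unexpired registration token for a permanent node token.
        Returns None when the token is unknown, already used, or expired."""
        expiry = self.registration.pop(_digest(reg_token), None)  # consumed either way
        if expiry is None or now >= expiry:
            return None
        node_token = secrets.token_hex(32)
        self.nodes[_digest(node_token)] = Node(name, last_heartbeat=now)
        return node_token

    def heartbeat(self, node_token: str, now: datetime) -> bool:
        """Record a heartbeat; False means the token is unknown or revoked."""
        node = self.nodes.get(_digest(node_token))
        if node is None or node.revoked:
            return False
        node.last_heartbeat = now
        return True

    def _find(self, name: str) -> Node:
        for node in self.nodes.values():
            if node.name == name:
                return node
        raise KeyError(name)

    def revoke(self, name: str) -> None:
        """Invalidate the node's permanent token; the record itself is kept."""
        self._find(name).revoked = True

    def status(self, name: str, now: datetime) -> str:
        """Status column of the federation page: active, inactive or revoked."""
        node = self._find(name)
        if node.revoked:
            return "revoked"
        if now - node.last_heartbeat < HEARTBEAT_ACTIVE:
            return "active"
        return "inactive"


if __name__ == "__main__":
    hub = Hub()
    reg = hub.generate_registration_token(at(0))
    node_token = hub.register_agent("gcp-project-a", reg, at(60))
    print("registered:", node_token is not None)
    print("status after 4 min:", hub.status("gcp-project-a", at(64)))      # active
    print("status after 6 min:", hub.status("gcp-project-a", at(66)))      # inactive
    hub.heartbeat(node_token, at(66))
    print("after heartbeat:", hub.status("gcp-project-a", at(66)))         # active
    hub.revoke("gcp-project-a")
    print("heartbeat after revoke:", hub.heartbeat(node_token, at(120)))   # False
```

Note the difference between revoke and delete as the guide describes them: revoke flips a flag and keeps the node record (so it can be re-enabled or re-registered with a fresh token), whereas delete would remove the record and its synced resources outright.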

Deleting Nodes

  1. Click "Delete" next to the node
  2. Confirm the deletion
  3. Node record and all its synced resources are removed
  4. This action is irreversible

Federation Health Monitoring

The federation topology page visualizes node connectivity and resource distribution:

  • Network Graph: Shows hub-and-spoke connections
  • Resource Counts: Databases and clusters per node
  • Heartbeat Status: Last contact time for each agent
  • Sync Status: When resources were last updated

Project Registration

Adding Cloud Projects

Navigate to /projects to register GCP, AWS, and Azure projects with Isolate:

GCP Projects

  1. Click "Create Project"
  2. Select "Google Cloud Platform"
  3. Enter project ID and region
  4. Download the generated installation script
  5. Run the script in the target GCP project to deploy the federation agent

AWS Accounts

  1. Select "Amazon Web Services"
  2. Enter AWS account ID and region
  3. Copy the CloudFormation template or installation script
  4. Deploy in the target AWS account

Azure Subscriptions

  1. Select "Microsoft Azure"
  2. Enter subscription ID and location
  3. Copy the ARM template or PowerShell script
  4. Deploy in the target Azure subscription

Installation Scripts

Generated installation scripts handle:

  • Service Account/Role Creation: Minimal permissions for resource discovery
  • Agent Deployment: Container or VM with federation agent
  • Network Configuration: Firewall rules for outbound HTTPS to Isolate hub
  • Token Configuration: Automatic registration with the provided token

Project Status

The projects page shows registration status for each cloud project:

  • Pending: Installation script generated, agent not yet connected
  • Active: Agent is running and syncing resources
  • Error: Agent deployment failed or connectivity issues
  • Inactive: Agent was connected but heartbeat stopped

Troubleshooting

User Management Issues

User Can't Access Isolate

  • Verify user email matches their SSO identity exactly
  • Check user role (minimum 'developer' required)
  • Ensure user is assigned to appropriate projects
  • Check IAP/AuthKit configuration

Role Changes Not Taking Effect

  • Role changes are immediate in the database
  • User may need to refresh browser or re-authenticate
  • Check browser console for JavaScript errors
  • Verify role hierarchy (super_admin > devops > engineering_manager > developer)

Federation Issues

Agent Not Connecting

# Check agent logs (varies by cloud provider)
# GCP: gcloud logging read
# AWS: aws logs tail
# Azure: az container logs

# Test connectivity to hub
curl -v https://your-isolate-url.com/health

# Verify token is valid (check expiry)
# Registration tokens expire after 24 hours

Resources Not Syncing

  • Check agent has necessary cloud permissions
  • Verify network connectivity (outbound HTTPS allowed)
  • Look for errors in agent resource discovery logs
  • Check if resources are in expected regions/projects

Policy Issues

Requests Being Denied Unexpectedly

  • Check policy priority order (lower numbers evaluated first)
  • Verify policy conditions match request attributes
  • Test with policy simulator if available
  • Check for conflicting deny policies

Auto-approval Not Working

  • Ensure the auto-approve policy is evaluated before competing require-approval policies (a lower priority number)
  • Check all policy conditions are met
  • Verify user has minimum required role
  • Check time/duration restrictions

Security Note: Always follow the principle of least privilege when assigning roles and creating approval policies. Regularly audit user access and policy effectiveness.