| name | manage-roles | ||||||
|---|---|---|---|---|---|---|---|
| description | Manage Harness RBAC roles, role assignments, permissions, and resource groups via MCP v2 tools. List, create, update, and delete custom roles. View role assignments and permissions for users, groups, and service accounts. Use when asked to manage access control, assign roles, check permissions, create custom roles, review RBAC configuration, onboard users, or audit access. Trigger phrases: manage roles, RBAC, role assignment, user permissions, access control, custom role, resource group, who has access, grant access, revoke access. | ||||||
| metadata |
|
||||||
| license | Apache-2.0 | ||||||
| compatibility | Requires Harness MCP v2 server (harness-mcp-v2) |
Manage Harness RBAC (Role-Based Access Control) via MCP v2 tools.
| Tool | Resource Type | Operations |
|---|---|---|
harness_list |
role |
List all roles |
harness_get |
role |
Get role details |
harness_create |
role |
Create custom role |
harness_update |
role |
Update custom role |
harness_delete |
role |
Delete custom role |
harness_list |
role_assignment |
List role assignments |
harness_get |
role_assignment |
Get assignment details |
harness_list |
permission |
List available permissions |
harness_get |
permission |
Get permission details |
harness_list |
resource_group |
List resource groups |
harness_get |
resource_group |
Get resource group details |
harness_describe |
role |
Discover role schema |
harness_search |
-- | Search across role-related resources |
For built-in roles (account/org/project/module), resource groups, common permissions, and role assignment structure, consult references/builtin-roles.md.
Determine:
- Who needs access (user email, group ID, or service account ID)
- What level of access (admin, developer, viewer, executor, custom)
- Where (account, org, project scope)
- Which resources (all or specific resource group)
harness_list(
resource_type="role",
org_id="<org>", # optional
project_id="<project>", # optional
search_term="<keyword>" # optional
)
harness_list(
resource_type="role_assignment",
org_id="<org>",
project_id="<project>"
)
harness_list(resource_type="permission")
harness_create(
resource_type="role",
org_id="<org>",
project_id="<project>",
body={
"identifier": "custom_deployer",
"name": "Custom Deployer",
"description": "Can execute pipelines and view services",
"permissions": [
"core_pipeline_execute",
"core_pipeline_view",
"core_service_view",
"core_environment_view"
]
}
)
Identifier must match pattern: ^[a-zA-Z_][0-9a-zA-Z_]{0,127}$
harness_list(resource_type="resource_group", org_id="<org>", project_id="<project>")
/manage-roles
Show me all roles available in the payments project
/manage-roles
List all role assignments with admin privileges in the default org
/manage-roles
Create a custom role called "release-manager" that can execute pipelines,
view services and environments, but cannot edit anything
/manage-roles
What roles does jane.smith@company.com have across all projects?
/manage-roles
Show me all resource groups and what they include
- Prefer groups over individual users -- assign roles to USER_GROUP for easier management
- Follow least privilege -- start with viewer roles and add permissions as needed
- Scope narrowly -- use project-level roles over account-level when possible
- Use built-in roles first -- create custom roles only when built-in roles do not fit
- Naming convention:
{role}_{principal}for identifiers (e.g.,deployer_ops_team)
| Error | Cause | Solution |
|---|---|---|
| Role not found | Invalid role identifier | Built-in roles start with _ -- verify exact identifier |
| Resource group not found | Invalid resource group | Check harness_list(resource_type="resource_group") |
| Principal not found | User/group/SA does not exist | Verify the principal exists before assigning |
| Duplicate identifier | Role with same ID exists | Use a unique identifier or update the existing role |
| Permission denied | Caller lacks RBAC management permissions | Need core_role_view / core_role_edit permissions |
- List existing roles and resource groups before creating new ones to avoid duplication.
- Verify role permissions match the principle of least privilege.
- Confirm user/group identifiers are correct before assigning roles — incorrect assignments may grant unintended access.
- List role assignments for the user to confirm a role is assigned
- Check the role has the required permissions (
harness_geton the role) - Verify the resource group scope includes the target resources
- Check that the assignment is not
disabled: true
- Verify all required permissions are included (e.g.,
_viewpermission is needed alongside_edit) - Check the role is assigned at the correct scope (account/org/project)
- Confirm the resource group matches the resources the user needs
- The caller needs
core_role_editto create/update roles - The caller needs
core_roleassignment_editto manage assignments - Account-level operations require account admin or equivalent