Represents an infrastructure permissions layer. Layers can be used to organize your system into broad permission groups, such as production, and for granular organization such as
Hosts often obtain most or all of their privileges by their layer memberships. Generally speaking, the best way to manage host privileges is to grant privileges to layers, then add hosts to layers.
A Layer is composed of the following:
Layers are used for two purposes:
- Hosts in the layer automatically gain the privileges of the layer, such as the ability to read variables.
- Members of the layer are automatically granted privileges on all the hosts in the layer. This is typically used to streamline the management of
A Layer is a role. As such, it can hold privileges, such as the ability to fetch a secret. Any hosts that are members of the layer inherit these privileges. This follows from Conjur's role-based access control (RBAC) model: a layer is a role and a host is a role. When a layer role is granted to a host role, the host inherits all the privileges of the layer.
For more information about privileges, see the Role section of this Reference.
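
The pattern described above (grant privileges to the layer, then add hosts to the layer), written as a Conjur policy. This is an added example, not taken from the Conjur documentation; the policy id `myapp`, the layer `app-hosts`, the host `app-01` and the variable `db-password` are hypothetical names.

```yaml
# Added example: all names below are hypothetical.
- !policy
  id: myapp
  body:
    # The layer is a role; privileges are attached to it, not to hosts.
    - !layer app-hosts

    # A host is also a role. It is given no direct privileges here.
    - !host app-01

    # The secret the hosts need to fetch.
    - !variable db-password

    # Privilege grant to the layer role:
    #   read    = see the variable's metadata
    #   execute = fetch the secret value
    - !permit
      role: !layer app-hosts
      privileges: [ read, execute ]
      resource: !variable db-password

    # Layer membership: granting the layer role to the host role.
    # app-01 now inherits read/execute on db-password through the layer.
    - !grant
      role: !layer app-hosts
      member: !host app-01
```

Because the host holds no `!permit` of its own, removing it from the layer (dropping the `!grant`) removes its access to the variable, and an access review only has to inspect the layer's permissions and membership.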