Authentication and Authorization

Overview

Armory Spinnaker provides the same authentication (“authn”) and authorization (“authz”) functionality as open source Spinnaker. A full reference of how to set up both can be found in the OSS Spinnaker documentation.

Authorization & Manual Judgments

The OSS docs do a good job of explaining that you can limit users’ access to both “accounts” and “applications”, but they don’t say much about how the two interact.

In short, if you have access to an application, you can view the pipelines, and kick off a manual execution (even if you have “read only” access). However, if those pipelines need to do something in your cloud environments, you will still need to have read/write access to those environments. Since the pipeline will run its stages “as the user” that initiated the pipeline, the stages that attempt to write changes to the environment will fail if that user doesn’t have access to those environments.

There is one exception to this rule, and that is for Manual Judgment stages. You can configure a Manual Judgment stage to “Propagate Authentication”:

Propagate Authentication

Checking this box causes the pipeline to run all subsequent stages with the identity (and thus the authorizations) of the user who approved the stage. By inserting a Manual Judgment stage with this option enabled into your pipeline before the actual deploy, you can allow users with limited access to kick off pipelines safely; a user with full access to the environment can then continue the pipeline successfully after approval.
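As an added illustration (not from the Armory docs), here is a constructed pipeline definition that applies this pattern: a Manual Judgment stage with the checkbox enabled, which in the stored pipeline JSON is the `propagateAuthenticationContext` field, gating a deploy stage that writes to a production account. The application name, account name, region and cluster details are placeholders, and the deploy cluster is abbreviated to the fields needed to show which account the approver must have write access to.

```json
{
  "application": "example-app",
  "name": "deploy-prod-with-approval",
  "stages": [
    {
      "refId": "1",
      "type": "manualJudgment",
      "name": "Approve production deploy",
      "instructions": "Approve only if you hold WRITE on the prod-aws account; subsequent stages run as the approver.",
      "judgmentInputs": [],
      "propagateAuthenticationContext": true,
      "requisiteStageRefIds": []
    },
    {
      "refId": "2",
      "type": "deploy",
      "name": "Deploy to production",
      "requisiteStageRefIds": ["1"],
      "clusters": [
        {
          "cloudProvider": "aws",
          "account": "prod-aws",
          "application": "example-app",
          "region": "us-east-1",
          "strategy": "redblack"
        }
      ]
    }
  ]
}
```

With `propagateAuthenticationContext` left at `false` (the default), stage 2 would still run as the user who triggered the pipeline, so a read-only triggering user would cause the deploy to fail on the `prod-aws` account even after approval.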

See Also

Here are some other resources that may help you properly configure security in Spinnaker: