{"id":"3042655a-3bc2-4099-912e-242bba2fdbf4","shortId":"UBAFWE","kind":"skill","title":"manage-roles","tagline":">-","description":"# Manage Roles Skill\n\nManage Harness RBAC (Role-Based Access Control) via MCP v2 tools.\n\n## MCP v2 Tools Used\n\n| Tool | Resource Type | Operations |\n|------|--------------|------------|\n| `harness_list` | `role` | List all roles |\n| `harness_get` | `role` | Get role details |\n| `harness_create` | `role` | Create custom role |\n| `harness_update` | `role` | Update custom role |\n| `harness_delete` | `role` | Delete custom role |\n| `harness_list` | `role_assignment` | List role assignments |\n| `harness_get` | `role_assignment` | Get assignment details |\n| `harness_list` | `permission` | List available permissions |\n| `harness_get` | `permission` | Get permission details |\n| `harness_list` | `resource_group` | List resource groups |\n| `harness_get` | `resource_group` | Get resource group details |\n| `harness_describe` | `role` | Discover role schema |\n| `harness_search` | -- | Search across role-related resources |\n\nFor built-in roles (account/org/project/module), resource groups, common permissions, and role assignment structure, consult references/builtin-roles.md.\n\n## Instructions\n\n### Step 1: Understand Requirements\n\nDetermine:\n- **Who** needs access (user email, group ID, or service account ID)\n- **What** level of access (admin, developer, viewer, executor, custom)\n- **Where** (account, org, project scope)\n- **Which resources** (all or specific resource group)\n\n### Step 2: List Existing Roles\n\n```\nharness_list(\n  resource_type=\"role\",\n  org_id=\"<org>\",           # optional\n  project_id=\"<project>\",   # optional\n  search_term=\"<keyword>\"   # optional\n)\n```\n\n### Step 3: Check Current Assignments\n\n```\nharness_list(\n  resource_type=\"role_assignment\",\n  org_id=\"<org>\",\n  project_id=\"<project>\"\n)\n```\n\n### Step 4: List Available Permissions (for custom 
roles)\n\n```\nharness_list(resource_type=\"permission\")\n```\n\n### Step 5: Create Custom Role (if needed)\n\n```\nharness_create(\n  resource_type=\"role\",\n  org_id=\"<org>\",\n  project_id=\"<project>\",\n  body={\n    \"identifier\": \"custom_deployer\",\n    \"name\": \"Custom Deployer\",\n    \"description\": \"Can execute pipelines and view services\",\n    \"permissions\": [\n      \"core_pipeline_execute\",\n      \"core_pipeline_view\",\n      \"core_service_view\",\n      \"core_environment_view\"\n    ]\n  }\n)\n```\n\nIdentifier must match pattern: `^[a-zA-Z_][0-9a-zA-Z_]{0,127}$`\n\n### Step 6: View Resource Groups\n\n```\nharness_list(resource_type=\"resource_group\", org_id=\"<org>\", project_id=\"<project>\")\n```\n\n## Examples\n\n### List all roles in a project\n\n```\n/manage-roles\nShow me all roles available in the payments project\n```\n\n### Check who has admin access\n\n```\n/manage-roles\nList all role assignments with admin privileges in the default org\n```\n\n### Create a custom read-only deployer role\n\n```\n/manage-roles\nCreate a custom role called \"release-manager\" that can execute pipelines,\nview services and environments, but cannot edit anything\n```\n\n### Audit access for a user\n\n```\n/manage-roles\nWhat roles does jane.smith@company.com have across all projects?\n```\n\n### Review resource groups\n\n```\n/manage-roles\nShow me all resource groups and what they include\n```\n\n## Best Practices\n\n- **Prefer groups over individual users** -- assign roles to USER_GROUP for easier management\n- **Follow least privilege** -- start with viewer roles and add permissions as needed\n- **Scope narrowly** -- use project-level roles over account-level when possible\n- **Use built-in roles first** -- create custom roles only when built-in roles do not fit\n- **Naming convention:** `{role}_{principal}` for identifiers (e.g., `deployer_ops_team`)\n\n## Error Handling\n\n| Error | Cause | Solution |\n|-------|-------|----------|\n| 
Role not found | Invalid role identifier | Built-in roles start with `_` -- verify exact identifier |\n| Resource group not found | Invalid resource group | Check `harness_list(resource_type=\"resource_group\")` |\n| Principal not found | User/group/SA does not exist | Verify the principal exists before assigning |\n| Duplicate identifier | Role with same ID exists | Use a unique identifier or update the existing role |\n| Permission denied | Caller lacks RBAC management permissions | Need `core_role_view` / `core_role_edit` permissions |\n\n## Performance Notes\n\n- List existing roles and resource groups before creating new ones to avoid duplication.\n- Verify role permissions match the principle of least privilege.\n- Confirm user/group identifiers are correct before assigning roles — incorrect assignments may grant unintended access.\n\n## Troubleshooting\n\n### User Cannot Access Resources\n\n1. List role assignments for the user to confirm a role is assigned\n2. Check the role has the required permissions (`harness_get` on the role)\n3. Verify the resource group scope includes the target resources\n4. Check that the assignment is not `disabled: true`\n\n### Custom Role Not Working\n\n1. Verify all required permissions are included (e.g., `_view` permission is needed alongside `_edit`)\n2. Check the role is assigned at the correct scope (account/org/project)\n3. Confirm the resource group matches the resources the user needs\n\n### Permission Denied When Managing Roles\n\n1. The caller needs `core_role_edit` to create/update roles\n2. The caller needs `core_roleassignment_edit` to manage assignments\n3. 
Account-level operations require account admin or equivalent","tags":["manage","roles","harness","skills","agent-skills","agents"],"capabilities":["skill","source-harness","skill-manage-roles","topic-agent-skills","topic-agents"],"categories":["harness-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/harness/harness-skills/manage-roles","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add harness/harness-skills","source_repo":"https://github.com/harness/harness-skills","install_from":"skills.sh"}},"qualityScore":"0.457","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 15 github stars · SKILL.md body (5,315 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T19:06:30.726Z","embedding":null,"createdAt":"2026-05-09T01:05:29.361Z","updatedAt":"2026-05-18T19:06:30.726Z","lastSeenAt":"2026-05-18T19:06:30.726Z",
"prices":[{"id":"78956dd7-42a5-4680-9af7-cc649b81b5f1","listingId":"3042655a-3bc2-4099-912e-242bba2fdbf4","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"harness","category":"harness-skills","install_from":"skills.sh"},"createdAt":"2026-05-09T01:05:29.361Z"}],"sources":[{"listingId":"3042655a-3bc2-4099-912e-242bba2fdbf4","source":"github","sourceId":"harness/harness-skills/manage-roles","sourceUrl":"https://github.com/harness/harness-skills/tree/main/skills/manage-roles","isPrimary":false,"firstSeenAt":"2026-05-09T01:05:29.361Z","lastSeenAt":"2026-05-18T19:06:30.726Z"}],"details":{"listingId":"3042655a-3bc2-4099-912e-242bba2fdbf4","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"harness","slug":"manage-roles","github":{"repo":"harness/harness-skills","stars":15,"topics":["agent-skills","agents"],"license":"apache-2.0","html_url":"https://github.com/harness/harness-skills","pushed_at":"2026-05-13T01:28:28Z","description":"A collection of structured AI agent skills that   enable Claude Code, Cursor, GitHub Copilot, and   other AI coding assistants to create, operate,   debug, and govern Harness CI/CD workflows through   natural language.","skill_md_sha":"397261ad5f31d6d7a75d2a528c98cc86d4ee3684","skill_md_path":"skills/manage-roles/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/harness/harness-skills/tree/main/skills/manage-roles"},"layout":"multi","source":"github","category":"harness-skills","frontmatter":{"name":"manage-roles","license":"Apache-2.0","description":">-","compatibility":"Requires Harness MCP v2 server (harness-mcp-v2)"},"skills_sh_url":"https://skills.sh/harness/harness-skills/manage-roles"},"updatedAt":"2026-05-18T19:06:30.726Z"}}