In Simplified Role Management for the Replicated Platform I posted about ReplBAC, a utility I wrote for managing Vendor Portal roles in an infrastructure-as-code style.
ReplBAC eliminates the tedious clicking and manual role assignment that comes with Vendor Portal team management. Instead of navigating web interfaces, you define everything in YAML files and let the tool handle synchronization with the platform. It reads your role definitions, compares them against the current state in your Vendor Portal account, and makes the necessary changes to bring everything into alignment. This approach works particularly well for teams that want to version control their access policies or automate team management as part of their broader DevOps workflows.
ReplBAC v0.3.0
I’ve continued developing this tool and enhanced it to address the most critical gap from the original release: adding and removing team members. I’ve just released ReplBAC v0.3.0 with comprehensive member management capabilities.
This release extends role definitions to include a members field containing email addresses, creating a powerful bidirectional synchronization system between your local YAML files and the Replicated platform. The tool now automatically assigns members to their designated roles and can optionally invite new team members who don’t yet exist in your organization. The system handles edge cases through intelligent orphaned member detection. When users no longer appear in any role definition, ReplBAC identifies these situations and prompts for confirmation before removal, preventing accidental user deletion while maintaining a clean team roster that reflects your intended organizational state.
Enhanced member management in action
The new role definition format supports team member specification directly in your YAML files:
roles:
  - name: "Support Team"
    description: "Customer support representatives"
    policies:
      - "read"
      - "support_bundle"
    members:
      - "alice@company.com"
      - "bob@company.com"
      - "charlie@company.com"
  - name: "Engineering Leads"
    description: "Senior engineering staff"
    policies:
      - "read"
      - "write"
      - "license"
    members:
      - "alice@company.com"
      - "dev-lead@company.com"
When you run replbac sync, the tool compares your local definitions against the current Vendor Portal state and identifies exactly what needs to change. It adds members to roles they should have, removes them from roles they shouldn’t, and invites new team members who don’t yet exist in your organization.
Handle team changes gracefully
The most delicate aspect of automated team management involves dealing with people who leave the organization or change roles. ReplBAC addresses this through orphaned member detection. When someone appears in your Vendor Portal but doesn’t appear in any of your role definitions, ReplBAC flags them as orphaned and prompts you before taking action:
Found orphaned members (not assigned to any defined roles):
- former-employee@company.com
- contractor@external.com
Remove these members from the organization? [y/N]:
This approach prevents the tool from accidentally removing legitimate team members while keeping your team roster current. You maintain full control over membership changes while automating routine role assignments. For those who prefer automation without prompts, the --force flag lets your YAML definitions remain the definitive source of truth.
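The comparison and orphan detection described above can be sketched as follows. This is an added example, not ReplBAC's own code: the function names, the shape of the current-state data, the case-insensitive email matching and the `force` parameter (standing in for the --force flag) are all assumptions made for illustration.

```python
# Added illustration; not ReplBAC's implementation. All names are hypothetical.

# Desired state, mirroring the YAML role definitions shown earlier.
DESIRED = {
    "Support Team": ["alice@company.com", "bob@company.com", "charlie@company.com"],
    "Engineering Leads": ["alice@company.com", "dev-lead@company.com"],
}

# Constructed sample of the current Vendor Portal state: role -> members,
# plus everyone in the organization (including people with no defined role).
CURRENT_ROLES = {
    "Support Team": ["alice@company.com", "bob@company.com", "former-employee@company.com"],
    "Engineering Leads": ["alice@company.com"],
}
CURRENT_ORG = [
    "alice@company.com", "bob@company.com", "charlie@company.com",
    "former-employee@company.com", "contractor@external.com",
]


def norm(emails):
    """Compare addresses case-insensitively (an assumption of this sketch)."""
    return {e.strip().lower() for e in emails}


def plan_sync(desired, current_roles, current_org, force=False):
    """Return the changes needed to make the current state match `desired`."""
    org = norm(current_org)
    wanted = set().union(*(norm(m) for m in desired.values()))
    plan = {"add": [], "remove": [], "invite": sorted(wanted - org)}
    for role, members in desired.items():
        want, have = norm(members), norm(current_roles.get(role, []))
        plan["add"] += [(role, e) for e in sorted(want - have)]
        plan["remove"] += [(role, e) for e in sorted(have - want)]
    # Orphans: in the organization but named in no role definition.
    plan["orphaned"] = sorted(org - wanted)
    # Without force, orphan removal waits for an explicit confirmation.
    plan["remove_orphans"] = plan["orphaned"] if force else []
    return plan


if __name__ == "__main__":
    for key, value in plan_sync(DESIRED, CURRENT_ROLES, CURRENT_ORG).items():
        print(f"{key}: {value}")
```

In this sketch, an empty or mis-parsed definitions mapping combined with `force=True` marks every organization member for removal, which is why a forced run in automation is worth gating on a reviewed plan.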
The bigger picture
ReplBAC’s infrastructure-as-code approach transforms the complex ClickOps of Vendor Portal policy and role management into something predictable and maintainable. Your team access policies live in version control alongside your application configurations. Code reviews catch permission changes before they affect production systems. New team members receive consistent access based on their role rather than whoever happened to set up their accounts.
The bidirectional synchronization means your YAML definitions can serve as the authoritative source while still accommodating changes made directly in the Vendor Portal when necessary. Whether you prefer pure automation or need flexibility for exceptional cases, ReplBAC adapts to your workflow rather than forcing you to adapt to the tool.