Chef Ideas

We believe that the best way to build software is to do it in close collaboration with the people who use it. We invite you to submit your ideas using the form below. Please be sure to include the problem for which you are solving and the benefits of implementing the idea.

We do our best to implement as many Ideas as we can. Our Product team will evaluate all submitted ideas in a timely manner and will disposition each into one of the following categories: will integrate into the product roadmap, further research is needed, unlikely to implement.

Thanks for collaborating with us!

IAM Granular Roles for Chef Infra Server Views

Currently when using Chef Infra Server views with Chef Automate, IAM allows the ability to set role actions with infra:infraServers:*

It would be helpful to allow for additional granularity beyond this for different access levels for read or write capabilities (similar to the access-list behavior that is possible for these objects via knife commands) for child objects of infraServers such as:

  • Cookbooks

  • Roles

  • Environments

  • DataBags

  • Clients

  • Policies(when available)

Being able to restrict read or write capability to these child objects would be helpful in organizations to allow certain teams or users access to view/modify specific components, such as run-lists, without being able to view or modify other data components, similar to access-list control with the knife utility on Chef Infra Server.


This would help with use-cases such as:

  • Allow specific application team access to modify data bag contents named foo but not be able to view or modify other data bag contents

  • Allow operations team to view cookbooks, run-lists, roles, environments, but disallow the ability to see all data bag content.


  • Collin McNeese
  • Jul 2 2021
  • Planned
Chef Automate
  • Attach files
  • +2

Related ideas