Access Control

3 minute read

Use this GUI page to view or modify access privileges for a specific CloudBees CD object. Depending on the object where you want to set permissions, you will see that object’s name as part of the page title (above the tables).

For example, if you clicked the Access Control link from a Project Details page , you will see the project name as part of the Access Control page title.

Reading and Using This Page

  • This page displays one or more access control lists. The top list contains entries for the object itself (specified in the page title) and also identifies the object.

    For example, if the heading for the top list reads "Privileges for Procedure: buildAndTestAll," you are viewing access privileges for a procedure named "buildAndTestAll". Click the object name to view the main page for that object.

  • Typically, you will see more than one list on the page. Each list below the first one contains privileges for an object that "contains" the objects above it.

    For example, a project contains all of its procedures and a procedure contains all of its steps. Privileges for the top-level object are determined by all the privileges in all of the displayed lists. The lists form an "inheritance chain" where it each object "inherits" permissions from the objects below it on the page.

  • When a user attempts a particular operation on the object, CloudBees CD examines the lists on this page from top to bottom. If there is an entry specifying "deny" for the user (or a group containing the user) in the top list, access is denied. Otherwise, if an entry specifies "allow" for the user (or a group containing the user) in the top list, access is allowed.

    If access is neither allowed nor denied by the top list, CloudBees CD proceeds to the next list and processes it in the same way.

    If access is neither allowed nor denied by any list, CloudBees CD denies access.
  • The inheritance mechanism makes it easy to control access for a large number of objects in a single place. For example, project access control entries automatically apply to new objects created within the project. Each new object in the project has an empty access control list, but will inherit from the project.

Use these links to add or increase Access Control for an object.

  • Add User —Use this link to add permissions for a specific user.

  • Add Group —Use this link to add permissions for a specific group, which means all users in that group would have the permissions allowed to the group.

  • Add Service Account —Use this link to add permissions for a specific service account. Service accounts are used with webhooks management.

  • Add Project —Use this link to set or redefine permissions for a project.

  • Break Inheritance —If you use the "Break Inheritance" action for any list, no additional inheritance occurs below that list and you no longer see other lists on this page. This action is useful if you want privileges for an object to be totally different than its containing object. If an object has no entries in its access control list and you break inheritance for that object, you make the object completely inaccessible— you will not even have the "Change Permissions" privilege, so you cannot restore inheritance. If this occurs, see your system administrator to restore inheritance.

    Be very careful if you break inheritance!
  • Actions:

  • Edit —Use this link to modify current permissions, but be careful if you modify permissions in an inherited access control list. Modifying inherited access control affects all other objects that inherit from the same list.

  • Delete —Deletes the current privileges granted for that user, group, or project.

Privilege Definitions

The following four privilege types (for each CloudBees CD object) can be assigned allow , deny , or inherit permission.

  • Read—Allows object contents to be viewed.

  • Modify—Allows object contents (but not its permissions) to be changed.

  • Execute—If an object is a procedure or it contains procedures (for example, a project), this privilege allows object procedures to be invoked as part of a job. For resource objects, this privilege determines who can use this resource in job steps.

  • Change Permissions—Allows object permissions to be modified.

For more information, see the main Access Control Help topic. This Help topic also contains two examples that illustrate how you might use Access Control to increase CloudBees CD security.