Access control for pipelines, releases, and procedures

6 minute readAutomation

This section contains access control scenarios for pipelines, releases, and procedures to show the behavior based on various authentication contexts.

  • For schedule-invoked pipelines or releases that include command tasks, access control is defined by the plugin project EC-Core-<version>. Hence, in order to deny the invocation, project EC-Core-<version> also needs to be given a deny permission on the pipeline or release being invoked.

  • Access control behavior in the tables below is applicable for CloudBees CD/RO v10.3.1+. Before migrating from an earlier release, review access control settings at your site for pipelines, releases, and procedures. Make appropriate changes in access control based on the v10.3.1+ behavior.

Of note:

  • The users referred to below are non-admin users.

  • The access control list (ACL) permissions specified for the principals in the scenarios below could be either directly defined or inherited.

  • The ACL permissions mentioned could be presented for all principals in the context or could be one of the principals with either Allow or Deny category. For example, a user could have an Allow via inheritance but Everyone group, or a project of pipelineA may not have any explicit ACLs defined.

  • Whenever a user has an ACL defined, either explicitly or via inheritance, it always takes precedence over other principals like Group or Project.

Make sure you are familiar with the access control system before making changes. Incorrectly setting ACLs can severely impact CloudBees CD/RO behavior.

Pipelines

  • Data in the table below assumes projectA with pipelineA calls a procedure, procedureB. Similar behavior exists when pipelineA calls the following:

    • A pipeline task, pipelineB, from projectB.

    • An application process task, applicationB-processB-environmentB, from projectB.

  • projectB contains:

    • procedureB

    • pipelineB

    • releaseB

    • applicationB

    • environmentB

  • The users userA, userB, and userC are defined. Users userA and userB belong to groupA.

Objects Execute permissions on projectB Run as Result

When all objects have allow permissions on projectB

projectA

allow

Run pipelineA from projectA using projectA (schedule)

procedureB is launched successfully by projectA

userA

allow

Run pipelineA from projectA as userA

procedureB is launched successfully by userA

groupA

allow

Run pipelineA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run pipelineA from projectA as userC

procedureB is launched successfully by userC

When projectA has deny permission on projectB

projectA

deny

Run pipelineA from projectA using projectA (schedule)

procedureB cannot be launched by ProjectA

userA

allow

Run pipelineA from projectA as userA

procedureB is launched successfully by userA

groupA

allow

Run pipelineA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run pipelineA from projectA as userC

procedureB is launched successfully by userC

When userA has deny permission on projectB

projectA

allow

Run pipelineA from projectA using projectA (schedule)

procedureB is launched successfully by projectA

userA

deny

Run pipelineA from projectA as userA

procedureB cannot be launched by userA

groupA

allow

Run pipelineA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run pipelineA from projectA as userC

procedureB is launched successfully by userC

When groupA has deny permission on projectB

projectA

allow

Run pipelineA from projectA using projectA (schedule)

procedureB is launched successfully by projectA

userA

allow

Run pipelineA from projectA as userA

procedureB cannot be launched by userA

groupA

deny

Run pipelineA from projectA as userB

procedureB cannot be launched by userB

Everyone group

allow

Run pipelineA from projectA as userC

procedureB is launched successfully by userC

When Everyone group has deny permission on projectB

projectA

allow

Run pipelineA from projectA using projectA (schedule)

procedureB cannot be launched by ProjectA

userA

allow

Run pipelineA from projectA as userA

procedureB cannot be launched by userA

groupA

allow

Run pipelineA from projectA as userB

procedureB cannot be launched by userB

Everyone group

deny

Run pipelineA from projectA as userC

procedureB cannot be launched by userC

Releases

Data in the table below assumes projectA with releaseA calls a procedure task, procedureB. Similar behavior exists when releaseA calls:

  • A pipeline task, pipelineB, from projectB.

  • An application process task, applicationB-processB-environmentB, from projectB.

  • A release task, releaseB, from projectB.

  • projectB contains:

    • procedureB.

    • pipelineB.

    • releaseB.

    • applicationB.

    • environmentB.

  • The users userA, userB, and userC are defined. Users userA and userB belong to groupA.

Objects Permissions on projectB Run as Result

When all objects have allow permissions on projectB

projectA

allow

Run releaseA from projectA using projectA (schedule)

procedureB is launched successfully by projectA

userA

allow

Run releaseA from projectA as userA

procedureB is launched successfully by userA

groupA

allow

Run releaseA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run releaseA from projectA as userC

procedureB is launched successfully by userC

When projectA has deny permission on projectB

projectA

deny

Run releaseA from projectA using projectA (schedule)

procedureB cannot be launched by ProjectA

userA

allow

Run releaseA from projectA as userA

procedureB is launched successfully by userA

groupA

allow

Run releaseA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run releaseA from projectA as userC

procedureB is launched successfully by userC

When userA has deny permission on projectB

projectA

allow

Run releaseA from projectA using projectA (schedule)

procedureB is launched successfully by projectA

userA

deny

Run releaseA from projectA as userA

procedureB cannot be launched by userA

groupA

allow

Run releaseA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run releaseA from projectA as userC

procedureB is launched successfully by userC

When groupA has deny permission on projectB

projectA

allow

Run releaseA from projectA using projectA (schedule)

procedureB is launched successfully by projectA

userA

allow

Run releaseA from projectA as userA

procedureB cannot be launched by userA

groupA

deny

Run releaseA from projectA as userB

procedureB cannot be launched by userB

Everyone group

allow

Run releaseA from projectA as userC

procedureB is launched successfully by userC

When Everyone group has deny permission on projectB

projectA

allow

Run releaseA from projectA using projectA (schedule)

procedureB cannot be launched by ProjectA

userA

allow

Run releaseA from projectA as userA

procedureB cannot be launched by userA

groupA

allow

Run releaseA from projectA as userB

procedureB cannot be launched by userB

Everyone group

deny

Run releaseA from projectA as userC

procedureB cannot be launched by userC

Procedures

  • Data in the table below assumes projectA with procedureA calls procedure step, procedureB. Similar behavior exists when procedureA calls:

    • A pipeline task,pipelineB, from projectB.

    • A release task, releaseB, from projectB.

    • An application process task, applicationB-processB-environmentB, from projectB.

  • projectB contains:

    • procedureB.

    • pipelineB.

    • releaseB.

    • applicationB.

    • environmentB.

  • The users, userA, userB, and userC are defined. userA and userB belong to groupA.

Objects Permissions on projectB Run as Result

When all objects have allow permissions on projectB

projectA

allow

Run procedureA from projectA using projectA (schedule)

procedureB is launched successfully by projectA

userA

allow

Run procedureA from projectA as userA

procedureB is launched successfully by userA

groupA

allow

Run procedureA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run procedureA from projectA as userC

procedureB is launched successfully by userC

When projectA has deny permission on projectB

projectA

deny

Run procedureA from projectA using projectA (schedule)

procedureB cannot be launched by ProjectA

userA

allow

Run procedureA from projectA as userA

procedureB is launched successfully by userA

groupA

allow

Run procedureA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run procedureA from projectA as userC

procedureB is launched successfully by userC

When userA has deny permission on projectB

projectA

allow

Run procedureA from projectA using projectA (schedule)

procedureB is launched successfully by projectA

userA

deny

Run procedureA from projectA as userA

procedureB cannot be launched by userA

groupA

allow

Run procedureA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run procedureA from projectA as userC

procedureB is launched successfully by userC

When groupA has deny permission on projectB

projectA

allow

Run procedureA from projectA using projectA (schedule)

procedureB is launched successfully by projectA

userA

allow

Run procedureA from projectA as userA

procedureB cannot be launched by userA

groupA

deny

Run procedureA from projectA as userB

procedureB cannot be launched by userB

Everyone group

allow

Run procedureA from projectA as userC

procedureB is launched successfully by userC

When Everyone group has deny permission on projectB

projectA

allow

Run procedureA from projectA using projectA (schedule)

procedureB cannot be launched by ProjectA

userA

allow

Run procedureA from projectA as userA

procedureB cannot be launched by userA

groupA

allow

Run procedureA from projectA as userB

procedureB cannot be launched by userB

Everyone group

deny

Run procedureA from projectA as userC

procedureB cannot be launched by userC