This section contains access control scenarios for pipelines, releases, and procedures to show the behavior based on various authentication contexts.
|
Of note:
-
The users referred to below are non-admin users.
-
The access control list (ACL) permissions specified for the principals in the scenarios below could be either directly defined or inherited.
-
The ACL permissions mentioned could be presented for all principals in the context or could be one of the principals with either
Allow
orDeny
category. For example, a user could have anAllow
via inheritance butEveryone
group, or a project ofpipelineA
may not have any explicit ACLs defined. -
Whenever a user has an ACL defined, either explicitly or via inheritance, it always takes precedence over other principals like Group or Project.
Make sure you are familiar with the access control system before making changes. Incorrectly setting ACLs can severely impact CloudBees CD/RO behavior. |
Pipelines
-
Data in the table below assumes
projectA
withpipelineA
calls a procedure,procedureB
. Similar behavior exists whenpipelineA
calls the following:-
A pipeline task,
pipelineB
, fromprojectB
. -
An application process task,
applicationB-processB-environmentB
, fromprojectB
.
-
-
projectB
contains:-
procedureB
-
pipelineB
-
releaseB
-
applicationB
-
environmentB
-
-
The users
userA
,userB
, anduserC
are defined. UsersuserA
anduserB
belong togroupA
.
Objects | Execute permissions on projectB |
Run as | Result |
---|---|---|---|
When all objects have allow permissions on |
|||
|
allow |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
When |
|||
|
deny |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
When |
|||
|
allow |
Run |
|
|
deny |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
When |
|||
|
allow |
Run |
|
|
allow |
Run |
|
|
deny |
Run |
|
|
allow |
Run |
|
When |
|||
|
allow |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
|
deny |
Run |
|
Releases
Data in the table below assumes projectA
with releaseA
calls a procedure task, procedureB
. Similar behavior exists when releaseA
calls:
-
A pipeline task,
pipelineB
, fromprojectB
. -
An application process task,
applicationB-processB-environmentB
, fromprojectB
. -
A release task,
releaseB
, fromprojectB
. -
projectB
contains:-
procedureB
. -
pipelineB
. -
releaseB
. -
applicationB
. -
environmentB
.
-
-
The users
userA
,userB
, anduserC
are defined. UsersuserA
anduserB
belong togroupA
.
Objects | Permissions on projectB |
Run as | Result |
---|---|---|---|
When all objects have allow permissions on |
|||
|
allow |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
When |
|||
|
deny |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
When |
|||
|
allow |
Run |
|
|
deny |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
When |
|||
|
allow |
Run |
|
|
allow |
Run |
|
|
deny |
Run |
|
|
allow |
Run |
|
When |
|||
|
allow |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
|
deny |
Run |
|
Procedures
-
Data in the table below assumes
projectA
withprocedureA
calls procedure step,procedureB
. Similar behavior exists whenprocedureA
calls:-
A pipeline task,
pipelineB
, fromprojectB
. -
A release task,
releaseB
, fromprojectB
. -
An application process task,
applicationB-processB-environmentB
, fromprojectB
.
-
-
projectB
contains:-
procedureB
. -
pipelineB
. -
releaseB
. -
applicationB
. -
environmentB
.
-
-
The users,
userA
,userB
, anduserC
are defined.userA
anduserB
belong togroupA
.
Objects | Permissions on projectB |
Run as | Result |
---|---|---|---|
When all objects have allow permissions on |
|||
|
allow |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
When |
|||
|
deny |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
When |
|||
|
allow |
Run |
|
|
deny |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
When |
|||
|
allow |
Run |
|
|
allow |
Run |
|
|
deny |
Run |
|
|
allow |
Run |
|
When |
|||
|
allow |
Run |
|
|
allow |
Run |
|
|
allow |
Run |
|
|
deny |
Run |
|