Security overview


CloudBees Flow provides security by assigning roles and privileges to specific users and groups on:

  • System objects including applications, microservices, environments, projects, jobs, and schedules.

  • Actions performed on deployment models.

CloudBees Flow uses access control, project-level security, and credentials and impersonation to enforce roles and privileges when executing deployment steps. For an example of how to define roles and privileges when a specific user is allowed to deploy an application or microservice only to a specific environment, see Use Case: Attaching Credentials in Deployment Automation.

Access Control

CloudBees Flow uses access control to provide security for all system objects. This mechanism controls how users and groups use the system. Users must log in to view information or to perform operations (actions). After users log in, their system access is limited based on:

  • The user name

  • The groups to which the user belongs

  • The permissions specified for various CloudBees Flow objects

Go to Access Control for more information about how CloudBees Flow enforces access control and for security examples using access control. For instructions on how to set up access control, go to these topics:

Project-Level Security

Multiple project support is available for applications or microservices, pipelines, releases, environments, Master Components, resources, and environment templates, as well as platform objects (such as artifacts, procedures, jobs, schedules, and workflows). These objects, as well as the objects belonging to them, can be in any project within CloudBees Flow.

This significantly improves object management at scale by allowing:

  • ACL inheritance—All objects in a project inherit the access control settings from the project, providing better security for all the objects. Objects such as applications or microservices, environments, pipelines, and releases can be managed in their own projects and will inherit the ACLs set up at the project level. This significantly simplifies permissions management.

  • Logical grouping—This allows users to better manage deploy and release objects under various projects that are logically mapped by users, roles, geography, department, and so on, resulting in easier maintenance.

For an example of how to select a project for an application or microservice, see Example: Modeling and Deploying Applications or Microservices. You can also use API commands to do this:

  • Use the createApplication API command to create a new application for a specific project.

  • Use the createService API command to create a new microservice for a specific project.

  • Use the createProcess command to create an application, microservice, or component process for a specific project.

For details about these commands, see CloudBees Flow Perl API Commands Overview. For details about authoring and deploying an application or microservice, see Example: Modeling and Deploying Applications or Microservices. For an example of how to select a project for a Release, see Release Definition. You can also use the createRelease API command to define a Release for a specific project.