Access Control


Use this UI page to view or modify access privileges for a specific CloudBees CD/RO object. Depending on the object where you want to set permissions, you can view that object’s name as part of the page title, above the tables. For example, if you select Access Control from a Project Details page, the project name is included as part of the access control page title.

Reading and using this page

  • This page displays one or more access control lists (ACLs). The top list contains entries for the object itself, specified in the page title, and also identifies the object.

    For example, if the heading for the top list reads Privileges for Procedure: buildAndTestAll, you are viewing access privileges for a procedure named buildAndTestAll. Select the object name to view the main page for that object.

  • Typically, more than one ACL is available on the page. Each list below the first one contains privileges for an object that "contains" the objects above it.

    For example, a project contains all of its procedures and a procedure contains all of its steps. Privileges for the top-level object are determined by all the privileges in all displayed lists. The lists form an inheritance chain, where each object inherits permissions from the objects below it on the page.

  • When a user attempts a particular operation on the object, CloudBees CD/RO examines the lists on this page from top to bottom. If an entry in the top list specifies deny for the user or a group containing the user, access is denied. Otherwise, if an entry in the top list specifies allow for the user, or a group containing the user, access is allowed.

    If access is neither allowed nor denied by the top list, CloudBees CD/RO proceeds to the next list and processes it in the same way.

    If access is neither allowed nor denied by any list, CloudBees CD/RO denies access.

  • The inheritance mechanism makes it easy to control access for a large number of objects in a single location. For example, project access control entries automatically apply to new objects created within the project. Each new object in the project has an empty ACL, but inherits access control entries from the project.

Access control options

Use these options to add or increase access control for an object.

  • Add User: Add permissions for a specific user.

  • Add Group: Add permissions for a specific group. In this scenario, all users in the group have the permissions allowed for the group.

  • Add Service Account: Add permissions for a specific service account. Service accounts are used with webhook management.

  • Add Project: Set or redefine permissions for a project.

  • Break Inheritance: If you use the Break Inheritance action for any list, no additional inheritance occurs below that list and other lists are no longer visible on the page. This action is useful if you want privileges for an object to be totally different from its containing object.

    If you break inheritance on an object with an empty ACL, the object becomes completely inaccessible. You are not able to restore inheritance because you no longer have the right to change permissions on that object. If this happens, you must contact your system administrator to restore inheritance.

  • Actions:

    • Edit: Modify the current permissions. However, be careful if you modify permissions in an inherited ACL. Modifying inherited access control affects all other objects that inherit from the same list.

    • Delete: Delete the current privileges granted for that user, group, or project.

Privilege definitions

The following four privilege types can be assigned allow, deny, or inherit permissions for each CloudBees CD/RO object.

  • Read: Allows object contents to be viewed.

  • Modify: Allows object contents, but not its permissions, to be changed.

  • Execute: If an object is a procedure, or it contains procedures (for example, a project), this privilege allows object procedures to be invoked as part of a job. For resource objects, this privilege determines who can use this resource in job steps.

  • Change Permissions: Allows object permissions to be modified.
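The top-to-bottom evaluation described under "Reading and using this page" and the Break Inheritance lock-out can be modeled in a few lines. This is an added, simplified example, not CloudBees CD/RO code. The `Acl` class, `check_access` function, principal prefixes, privilege strings, and all sample objects and users are hypothetical names constructed for illustration.

```python
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"   # a privilege absent from an entry means "inherit"

@dataclass
class Acl:
    owner: str                                   # object the list belongs to
    entries: dict = field(default_factory=dict)  # principal -> {privilege: allow|deny}
    break_inheritance: bool = False              # True: lists below are ignored

def check_access(chain, user, groups, privilege):
    """Evaluate `chain` (object first, outermost container last) for one user.

    Returns (granted, reason).
    """
    principals = {f"user:{user}"} | {f"group:{g}" for g in groups}
    for acl in chain:
        settings = {privs.get(privilege) for who, privs in acl.entries.items()
                    if who in principals}
        if DENY in settings:        # deny is tested first within a list
            return False, f"deny in {acl.owner}"
        if ALLOW in settings:
            return True, f"allow in {acl.owner}"
        if acl.break_inheritance:   # nothing below this list is consulted
            break
    return False, "no entry matched: default deny"

# Constructed sample data: a step inside a procedure inside a project.
project = Acl("project:demo", {
    "group:dev": {"read": ALLOW, "modify": ALLOW, "execute": ALLOW,
                  "changePermissions": ALLOW},
    "group:qa": {"read": ALLOW},
})
procedure = Acl("procedure:buildAndTestAll", {
    "user:bob": {"execute": DENY},
    "group:dev": {"execute": ALLOW},
})
step = Acl("step:compile")                 # new objects start with an empty ACL
chain = [step, procedure, project]

def locked_out_chain():
    """Same step after Break Inheritance while its own ACL is still empty."""
    return [Acl("step:compile", break_inheritance=True), procedure, project]

if __name__ == "__main__":
    for user, groups, priv in [("alice", ["dev"], "execute"),
                               ("bob", ["dev"], "execute"),
                               ("carol", ["qa"], "modify")]:
        print(user, priv, check_access(chain, user, groups, priv))
    print("alice changePermissions after break:",
          check_access(locked_out_chain(), "alice", ["dev"], "changePermissions"))
```

In the last case, a user who holds Change Permissions at the project level still cannot reach the step, which is why an empty ACL should be populated before inheritance is broken.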

For more information and examples on using access control to increase CloudBees CD/RO security, refer to Access control.