Each CloudBees CD/RO object, such as a project, pipeline, release, procedure, job, property sheet, workspace, schedule, or resource contains an access control list (ACL). Individual properties do not have their own access control, but instead use access control lists from their parent containers.
To view the ACL for an object, navigate to the object’s editor and select Access Control from its action menu on the right side of the page. An ACL contains any number of entries. Each entry names a particular user or group and indicates Allow, Deny, or is blank for each of the four privileges.
To determine whether a user can perform an operation on a particular object, CloudBees CD/RO determines which of the four privileges is required for that operation, then searches all access control entries for references to that user and groups containing that user. To be allowed access, at least one of the matching entries must specify Allow and none of the entries can be Deny. A Deny entry overrides an Allow entry in the same ACL.