System access control objects

3 minute readAutomation

There are special system objects that contain access control lists (ACLs) related to the overall CloudBees CD/RO system administration. These ACLs are available from the Administration  System access control page.

You can use the search field to quickly locate object categories and descriptions.

The system objects are:

Table 1. CloudBees CD/RO system access control objects
System access control object Description

Administration

  • The Read permission allows access to the getStatus, getDatabaseConfiguration[s], getEmailConfig[s], and export (global) API functions.

  • The Modify permission allows access to the shutdown, setDatabaseConfiguration, createEmailConfig, deleteEmailConfig, modifyEmailConfig, and import (global) API functions.

  • For change tracking, the Read, Modify, and Execute permissions allow you to revert changes to a tracked object and its tracked contents in the UI or access the revert API function.

Artifact connectors

The Modify permission allows access to the createArchiveConnector, deleteArchiveConnector, getArchiveConnector, getArchiveConnectors, and modifyArchiveConnector API functions.

Artifacts

  • The Read permission allows access to the getArtifact API functions.

  • The Modify permissions allows access to createArtifact and deleteArtifact API functions.

CI Configurations

  • The Read permission allows access to the getCIConfiguration[s] API function.

  • The Modify permission allows access to the createCIConfiguration, modifyCIConfiguration, and deleteCIConfiguration API functions.

Data Retention Policies

The Modify permission allows access to the createDataRetentionPolicy, deleteDataRetentionPolicy, getDataRetentionPolicy, getDataRetentionPolicies, and modifyDataRetentionPolicy API functions.

DevOps Insight Server Configuration

The Modify permission allows access to the DevOps Insight Server Configuration settings.

Directory

  • The Read permission allows access to the getUsers, getGroups, and getDirectoryProviders API functions.

  • The Modify permission allows access to the createUser, createGroup, deleteUser, deleteGroup, createDirectoryProvider, modifyDirectoryProvider, deleteDirectoryProvider, testDirectoryProvider, and moveDirectoryProvider API functions.

DSL Client Files

The Execute permission allows access to the /queue/dsl.clientFiles queue, to store client files for evalDsl API functions.

Email Configurations

The Modify permission allows access to the createEmailConfig and deleteEmailConfig API functions.

Force Abort

The Execute permission allows access to the --force flag on the abortJob API function. By default, the ACL is created with the Everyone: Execute permission in addition to inheriting from the server. To force a job to abort, the user must have the Execute permission on the job and on the forceAbort ACL.

Licensing

  • The Read permission allows access to the getLicense[s] API functions.

  • The Modify permission allows access to the importLicenseData and deleteLicense API functions.

  • The Execute permission allows access to the getAdminLicense API function.

Logging

The Modify permission allows access to the logMessage API function.

Personas

The Modify permission allows access to the personas API functions.

Plugins

The Modify permission allows access to the createPlugin, deletePlugin, installPlugin, promotePlugin, and uninstallPlugin API functions.

  • The modifyPlugin API function requires the Modify permission on the target plugin.

  • The getPlugin API function requires the Read permission on the target plugin.

Priority

The Execute permission allows the user who launches a procedure using the runProcedure API function to raise the priority of the job.

Projects

The Modify permission allows access to the createProject and deleteProject API functions.

Report Object Types

The Modify permission allows access to the createReportObjectType, deleteReportObjectType, getReportObjectType, getReportObjectTypes, and modifyReportObjectType API functions.

Repositories

  • The Read permission allows access to the getRepository API function.

  • The Modify permission allows access to the createRepository, deleteRepository, modifyRepository, and moveRepository API functions.

Resources

The Modify permission allows access to the createReource and deleteResource API functions.

Search Filters

The Execute permission allows access to the SearchFilters settings.

Session

The Execute permission allows access to the login API function.

SSO Configuration

The Modify permission allows access to the Kerberos configuration settings.

Tags

The Execute permission allows access to the tags API function.

Workspaces

The Modify permission allows access to the createWorkspace and deleteWorkspace API functions.

Zone and gateways

The Modify permission allows access to the createZone and deleteZone API functions. It also allows access to the deleteResource API function when the resource belongs to a gateway.

To move a resource from one zone to another using the modifyResource API function, you must have Modify privileges on both the old and new zones and also on the resource you want to move.

Server access control

Server access control is a CloudBees CD/RO system top-level object. Every other object in the system is contained in the server object and inherits access control information from the server object unless inheritance is broken. Select Server access control to open the page to view and set privileges.