Access control scenarios for pipelines, releases, and procedures

6 minute readAutomation

This section provides access control scenarios for pipelines, releases, and procedures that demonstrate the behavior based on various authentication contexts.

In the examples, there are two projects: projectA and projectB. These projects contain:

Table 1. projectA and projectB
projectA projectB

procedureA

procedureB

pipelineA

pipelineB

releaseA

releaseB

applicationA

applicationB

environmentA

environmentB

The following non-admin users are defined:

Table 2. Groups and users
Groups Users

groupA

userA

userB

Everyone group

userA

userB

userC

Of note:

  • The access control list (ACL) permissions specified for the principals in the scenarios below can either be directly defined or inherited.

  • The ACL permissions mentioned could be presented for all principals in the context or could be one of the principals with either an Allow or Deny category. For example, a user can have an Allow permission via inheritance but the Everyone group, or a project of pipelineA, may not have any explicit ACLs defined.

  • When a user has an ACL defined, either explicitly or via inheritance, it always takes precedence over other principals, such as Group or Project.

  • Ensure you are familiar with the access control system before making changes. Incorrectly setting ACLs can severely impact CloudBees CD/RO behavior.

  • For schedule-invoked pipelines or releases that include command tasks, access control is defined by the plugin project EC-Core-<version>. In order to deny the invocation, the EC-Core-<version> project also needs to be given a Deny permission on the pipeline or release being invoked.

  • Access control behavior in the tables below is applicable for CloudBees CD/RO v10.3.1 and later. Before migrating from an earlier release, review access control settings at your site for pipelines, releases, and procedures. Make appropriate changes in access control based on the v10.3.1 and later behavior.

Pipeline examples

The pipeline examples below assume that projectA with pipelineA calls a procedure, procedureB.

Similar behavior exists when pipelineA calls:

  • A pipeline task, named pipelineB, from projectB.

  • An application process task, named applicationB-processB-environmentB, from projectB.

Pipeline example: All objects have allow permissions on projectB

Table 3. All objects have Allow permissions on projectB
Objects Execute permissions on projectB Run as Result

projectA

allow

Run pipelineA from projectA using projectA (schedule)

procedureB is launched successfully by projectA

userA

allow

Run pipelineA from projectA as userA

procedureB is launched successfully by userA

groupA

allow

Run pipelineA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run pipelineA from projectA as userC

procedureB is launched successfully by userC

Pipeline example: projectA has the deny permission on projectB

Table 4. projectA has the Deny permission on projectB
Objects Execute permissions on projectB Run as Result

projectA

deny

Run pipelineA from projectA using projectA (schedule)

procedureB cannot be launched by projectA

userA

allow

Run pipelineA from projectA as userA

procedureB is launched successfully by userA

groupA

allow

Run pipelineA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run pipelineA from projectA as userC

procedureB is launched successfully by userC

Pipeline example: userA has the deny permission on projectB

Table 5. userA has the Deny permission on projectB
Objects Execute permissions on projectB Run as Result

projectA

allow

Run pipelineA from projectA using projectA (schedule)

procedureB is launched successfully by projectA

userA

deny

Run pipelineA from projectA as userA

procedureB cannot be launched by userA

groupA

allow

Run pipelineA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run pipelineA from projectA as userC

procedureB is launched successfully by userC

Pipeline example: groupA has the deny permission on projectB

Table 6. groupA has Deny permission on projectB
Objects Execute permissions on projectB Run as Result

projectA

allow

Run pipelineA from projectA using projectA (schedule)

procedureB is launched successfully by projectA

userA

allow

Run pipelineA from projectA as userA

procedureB cannot be launched by userA

groupA

deny

Run pipelineA from projectA as userB

procedureB cannot be launched by userB

Everyone group

allow

Run pipelineA from projectA as userC

procedureB is launched successfully by userC

Pipeline example: The Everyone group has the deny permission on projectB

Table 7. The Everyone group has the Deny permission on projectB
Objects Execute permissions on projectB Run as Result

projectA

allow

Run pipelineA from projectA using projectA (schedule)

procedureB cannot be launched by projectA

userA

allow

Run pipelineA from projectA as userA

procedureB cannot be launched by userA

groupA

allow

Run pipelineA from projectA as userB

procedureB cannot be launched by userB

Everyone group

deny

Run pipelineA from projectA as userC

procedureB cannot be launched by userC

Release examples

The release examples below assume that projectA with releaseA calls a procedure task, procedureB.

Similar behavior exists when releaseA calls:

  • A pipeline task, pipelineB, from projectB.

  • An application process task, applicationB-processB-environmentB, from projectB.

  • A release task, releaseB, from projectB.

Release example: All objects have allow permissions on projectB

Table 8. All objects have Allow permissions on projectB
Objects Permissions on projectB Run as Result

projectA

allow

Run releaseA from projectA using projectA (schedule)

procedureB is launched successfully by projectA

userA

allow

Run releaseA from projectA as userA

procedureB is launched successfully by userA

groupA

allow

Run releaseA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run releaseA from projectA as userC

procedureB is launched successfully by userC

Release example: projectA has the deny permission on projectB

Table 9. projectA has the Deny permission on projectB
Objects Permissions on projectB Run as Result

projectA

deny

Run releaseA from projectA using projectA (schedule)

procedureB cannot be launched by projectA

userA

allow

Run releaseA from projectA as userA

procedureB is launched successfully by userA

groupA

allow

Run releaseA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run releaseA from projectA as userC

procedureB is launched successfully by userC

Release example: userA has the deny permission on projectB

Table 10. userA has the Deny permission on projectB
Objects Permissions on projectB Run as Result

projectA

allow

Run releaseA from projectA using projectA (schedule)

procedureB is launched successfully by projectA

userA

deny

Run releaseA from projectA as userA

procedureB cannot be launched by userA

groupA

allow

Run releaseA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run releaseA from projectA as userC

procedureB is launched successfully by userC

Release example: groupA has the deny permission on projectB

Table 11. groupA has the Deny permission on projectB
Objects Permissions on projectB Run as Result

projectA

allow

Run releaseA from projectA using projectA (schedule)

procedureB is launched successfully by projectA

userA

allow

Run releaseA from projectA as userA

procedureB cannot be launched by userA

groupA

deny

Run releaseA from projectA as userB

procedureB cannot be launched by userB

Everyone group

allow

Run releaseA from projectA as userC

procedureB is launched successfully by userC

Release example: The Everyone group has the deny permission on projectB

Table 12. The Everyone group has the Deny permission on projectB
Objects Permissions on projectB Run as Result

projectA

allow

Run releaseA from projectA using projectA (schedule)

procedureB cannot be launched by projectA

userA

allow

Run releaseA from projectA as userA

procedureB cannot be launched by userA

groupA

allow

Run releaseA from projectA as userB

procedureB cannot be launched by userB

Everyone group

deny

Run releaseA from projectA as userC

procedureB cannot be launched by userC

Procedure examples

The procedure examples below assume that projectA with procedureA calls a procedure step, procedureB.

Similar behavior exists when procedureA calls:

  • A pipeline task,pipelineB, from projectB.

  • A release task, releaseB, from projectB.

  • An application process task, applicationB-processB-environmentB, from projectB.

Procedure example: All objects have allow permissions on projectB

Table 13. All objects have Allow permissions on projectB.
Objects Permissions on projectB Run as Result

projectA

allow

Run procedureA from projectA using projectA (schedule

procedureB is launched successfully by projectA]

userA

allow

Run procedureA from projectA as userA

procedureB is launched successfully by userA

groupA

allow

Run procedureA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run procedureA from projectA as userC

procedureB is launched successfully by userC

Procedure example: projectA has the deny permission on projectB

Table 14. projectA has the Deny permission on projectB
Objects Permissions on projectB Run as Result

projectA

deny

Run procedureA from projectA using projectA (schedule)

procedureB cannot be launched by projectA

userA

allow

Run procedureA from projectA as userA

procedureB is launched successfully by userA

groupA

allow

Run procedureA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run procedureA from projectA as userC

procedureB is launched successfully by userC

Procedure example: userA has the deny permission on projectB

Table 15. userA has the Deny permission on projectB
Objects Permissions on projectB Run as Result

projectA

allow

Run procedureA from projectA using projectA (schedule)

procedureB is launched successfully by projectA

userA

deny

Run procedureA from projectA as userA

procedureB cannot be launched by userA

groupA

allow

Run procedureA from projectA as userB

procedureB is launched successfully by userB

Everyone group

allow

Run procedureA from projectA as userC

procedureB is launched successfully by userC

Procedure example: groupA has the deny permission on projectB

Table 16. groupA has the Deny permission on projectB
Objects Permissions on projectB Run as Result

projectA

allow

Run procedureA from projectA using projectA (schedule)

procedureB is launched successfully by projectA

userA

allow

Run procedureA from projectA as userA

procedureB cannot be launched by userA

groupA

deny

Run procedureA from projectA as userB

procedureB cannot be launched by userB

Everyone group

allow

Run procedureA from projectA as userC

procedureB is launched successfully by userC

Procedure example: The Everyone group has the deny permission on projectB

Table 17. The Everyone group has the Deny permission on projectB
Objects Permissions on projectB Run as Result

projectA

allow

Run procedureA from projectA using projectA (schedule)

procedureB cannot be launched by projectA

userA

allow

Run procedureA from projectA as userA

procedureB cannot be launched by userA

groupA

allow

Run procedureA from projectA as userB

procedureB cannot be launched by userB

Everyone group

deny

Run procedureA from projectA as userC

procedureB cannot be launched by userC