CasC permissions

3 minute readScalabilityAutomation

CloudBees CI administrators can grant CasC-specific role permissions to users or groups so that they can perfom different tasks with CasC bundles.

The CasC-specific permissions include:

  • Administer: This role permission grants overall CasC permissions to a user or group without granting them overall cluster permissions. Users and groups with this permission can perform actions such as:

    • view the update log

    • view which branch or bundle is in use

    • export the bundle

  • Checkout: This permission grants users the ability to checkout bundles.

  • Item: This permission grants users the ability to perform certain actions on a controller such as:

    • create an item using the endpoint/CLI

    • create a group that is attached to an item

    • Manage RBAC for an item

  • Read: This permissions grants users the ability to see which branch or bundle is in use in the operations center or in a controller.

  • ReadCheckout: This permission grants users the ability to see which bundle was checked out by the operations center.

Administering CasC role permissions require the following:

  • Install the CloudBees CasC Shared plugin on your CloudBees CI cluster.

  • Enable the MANAGE or SYSTEM_READ permissions so that the CasC Administer and Read role permissions display in the UI. Set these permissions via the jenkins.security.ManagePermission or jenkins.security.SystemReadPermission system properties as shown in the examples below.

    • -Djenkins.security.ManagePermission=true

    • -Djenkins.security.SystemReadPermission=true

The MANAGE permission is a Preview feature currently in Beta stage. In addition to enabling this permission via the the jenkins.security.ManagePermission system property, you can also enable it by installing the Overall/Manage permission enabler plugin (manage-permission).
A Preview feature:
  • Has not undergone end-to-end testing with CloudBees products.

  • Is provided without service-level agreements (SLA), and therefore does not include CloudBees' commitment to functionality or performance.

  • May impact other stable areas of the product when used.

  • May have limited documentation.

  • May not be feature-complete during the Preview period.

  • May graduate from Preview to a supported feature or be removed from the product.

  • May introduce breaking changes that prevent upgrades due to incompatibility with future development.

Product features and documentation are frequently updated. If you find an issue or have a suggestion, please contact CloudBees Support.

Grant CasC permissions to a user or group

The following steps describe how to grant CasC Administer permissions to a user. Use these same steps when granting other CasC permissions to a user.

  1. Create a new role (if the role has not been created).

    1. From the Dashboard, navigate to Manage Jenkins  Manage Roles.

    2. In the Role to add field, add a new role. In this example, CasC Admin.

    3. Navigate to CloudBees CasC Permissions and select the necessary permissions for this role. For the CasC Admin role created in the previous step select Administer.

      assign CasC role permissions
      Figure 1. Assign CasC role permission
  2. Select Save.

  3. Assign the role to a group.

    1. On the left navigation pane, select Groups and then select New Group.

    2. Enter the Group name (CasC Admins) and select OK. The group configuration page displays.

    3. Under Roles, select the Granted checkbox next to CasC Admins to grant the Administer permissions to the group.

      grant administer permissions to group
      Figure 2. Grant CasC administer permissions to the group
    4. To save the permissions assigned to the group, select Save.

    5. On the left navigation pane, select Add user and enter the user ID.

    6. Select OK. The group configuration page displays roles, members, and permissions for the group.

      CasC administrators page
      Figure 3. CasC administrators group page