Onboard
Introduction
Users
Teams
Introduction
IntroductionPromote an image in Amazon ECRRetrieve an object from Amazon S3Store an object on Amazon S3Copy Docker images with CraneDownload a file from JFrog ArtifactoryMove or copy an image from JFrog ArtifactoryUpload a file to JFrog ArtifactoryGet artifact detailsRegister a build artifactRegister a deployed environment artifact
IntroductionCreate or update a functionInvoke a function
IntroductionRun an AWS CodePipelineRun a Bamboo projectRun a Bitbucket pipelineRun a CloudBees CI jobRun a CircleCI workflowRun a GitHub Actions workflowRun a GitLab pipelineRun a Harness pipelineRun a Jenkins® jobRun a JFrog pipelineBuild and publish Docker images with KanikoRun a TeamCity project
Check out a Git repository
IntroductionAWS credentialsECR credentialsEKS credentialsGit global credentialsOCI credentials
IntroductionRun Ansible PlaybookDeploy with Argo WorkflowsDeploy with AWS CodeDeployDeploy a binary with Amazon EC2Deploy to ECSRender an Amazon ECS task definitionDeploy with AWS Elastic BeanstalkDeploy with HerokuDeploy with OctopusDeploy with OpenShiftDeploy with SpinnakerDeploy with Tosca
Publish evidence items
Fetch secrets from CyberArk Conjur
IntroductionHelm chart installHelm chart packageHelm chart publishHelm chart uninstall
IntroductionCreate a Kubernetes namespaceCreate/update a Kubernetes resourceDeploy to a Kubernetes cluster
IntroductionVerify with NewRelic
Execute remote commands via SSH
IntroductionAnchoreAquasecJFrog XraySnyk ContainerSonatype (Nexus) ContainerTrivy
IntroductionStackhawkZAP
IntroductionCheckmarxCheckovCoverity on PolarisFind Security BugsGitHub Security ScannerGosecGrypeMendNexus IQnjsscanSnykSonarQube bundledSonarQube
IntroductionBlack DuckMendSnyk
IntroductionGitleaksTruffleHog ContainerTruffleHog CodeTruffleHog S3
IntroductionCreate a change requestUpdate or close a change requestGet a change request current stateQuery a change request approval
Publish test results
Multi-workflows dispatch
Introduction
Manage workflows
Introductioncloudbees and other context objectsenvnameonpermissionsjobs.<job_id>.<job_id>.delegates.<job_id>.env.<job_id>.vars.<job_id>.secrets.<job_id>.environment.<job_id>.if.<job_id>.needs.<job_id>.outputs.<job_id>.permissionsjobs.<job_id>.uses.<job_id>.services.<job_id>.services.<service_id>.services.<service_id>.args.services.<service_id>.env.services.<service_id>.imagejobs.<job_id>.steps.<job_id>.steps[*].id.<job_id>.steps[*].env.<job_id>.steps[*].if.<job_id>.steps[*].name.<job_id>.steps[*].run.<job_id>.steps[*].shell.<job_id>.steps[*].uses.<job_id>.steps[*].with.<job_id>.steps[*].with.args.<job_id>.steps[*].with.entrypoint.<job_id>.steps[*].timeout-minutesjobs.<job_id>.timeout-minutes
An example workflow
Reusable workflows
Personal access tokens
Trigger a workflow using an API
IntroductionManual approval
Connect a repositoryCreate a workflowRun a scanPublish an image
Introduction
Learn about feature management
Create flags in code
Manage multiple SDK keys in your application
Create/manage flags in the UI
Namespaces and labels
Configure feature flags
Feature management custom roles
Flag approval requests and reviews
Audit history
Configuration as code
Flag impressions and activity status
Code references
Properties and custom properties
Target groups
Enabling secret mode
IntroductionAndroid / Android TV / Fire TVC/C++ (client-side)C/C++ (server-side)GoJavaJavaScript (browser) / Chromecast / TizenJavaScript SSR.NET/C#Node.jsiOS / tvOSPHPPythonReact NativeRuby
IntroductionClient-side AndroidClient-side C ClientClient-side C++ ClientClient-side JavaClient-side JavaScript (browser)Client-side .NET/C# clientClient-side Objective-CClient-side React NativeClient-side SwiftServer-side CServer-side C++Server-side GoServer-side JavaServer-side .NET/C#Server-side NodeJSServer-side PythonServer-side PHPServer-side RubyBoth client-side and server-side JavaScript SSR
IntroductionAndroid appAngular appDjango appGin appJava Spring Boot app.NET Core appReact appSwift iOS app

Early access: feature management permissions

6 minute read

This content is available to customers with early access.

Use CloudBees platform role-based access control (RBAC) to define custom roles for managing feature flags, target groups, and custom properties. Permissions are evaluated at both the application and environment levels. To create, edit, approve, or deploy a flag or custom property, users must have the required permission for the application and environment.

Target groups are managed at the application level; however, applying a target group to a flag or rule in an environment, or updating a group that is referenced by a flag, requires the corresponding flag permissions in each affected environment.

Feature management permissions

Feature management actions, such as creating flags, managing target groups, or submitting approval requests, are controlled with specific permissions grouped into four categories. Depending on the action, required permissions may apply at the application level, the environment level, or both.

Approval request

  • Create, Update (approve), and Delete (reject or delete approval requests). Requires permissions at both the application and environment levels.

Custom property

  • Create, Update, and Delete to manage custom properties used in targeting rules. Requires permissions at both the application and environment levels.

Flag

  • Create, Update, and Delete to manage feature flags. Requires permissions at both the application and environment levels.

Target group

  • Create, Update, and Delete at the application level. There is no environment-level Target group permission.

  • If a target group is referenced by a flag configuration in one or more environments, updating or deleting that group may change flag behavior. In that case, the user must also have Flag: Update permission at both the application and each affected environment. Applying or removing a target group in a flag rule also requires Flag: Update in that environment.

New to role-based access control in CloudBees platform? Refer to Role-based access control for an overview of roles, permission levels, and scopes across the platform.

Permission evaluation

When a user attempts a feature management action, CloudBees platform evaluates:

  • Assigned roles.

  • Permission levels within the relevant categories.

  • Role scopes at both the application and environment levels.

To successfully perform an action, the user must have the required permission at both scopes. If a permission is missing at either level, the action is denied.

For example, when a target group is referenced by a flag in an environment, updating that group requires the following:

  • Target groups: Update at the application level.

  • Flags: Update at the application level and in each environment where the flag uses that group.

Assign feature management permissions

The following steps explain how to assign permissions to a custom role from the Roles screen in the UI.

  1. Navigate to Admin settings, Tenant settings  Roles.

  2. Select Create role.

  3. Name the role (for example, FM Admin).

    1. Select Pencil next to Custom role, and then enter the role name.

    2. Select Pencil next to Description to enter a short summary of granted permissions.

  4. Select: Feature management.

permission level categories
Figure 1. Example custom role: Feature management administrator

Permission levels for feature management

Permissions for feature management are assigned at the category level, using one or more permission levels.

Table 1. Permission levels for feature management
Level Description

Read

Grants read access to feature management entities (flags, target groups, and custom properties). Granted to all users by default.

Create

Allows users to create new flags, target groups, approval requests, or custom properties.

Update

Allows users to edit an entity. For example, to update a flag’s configuration or target group conditions.

For approval requests, Update is required to approve a request. To reject or delete a request, use Delete.

Delete

Permits users to delete a flag, target group, or custom property. Also required to reject or delete an approval request.

Execute

While Execute can be selected in the UI, it is not used in feature management.
View feature management permission categories and associated actions.
Table 2. Permission categories and actions
Category Possible permissions What the permission allows

Approval requests

Create, Update, Delete

Submit, approve, or reject feature flag approval requests.

Custom property

Create, Update, Delete

Define and manage custom properties used in flag targeting rules.

Flags

Create, Update, Delete

Manage feature flags, including creating, updating, and deleting.

Target groups

Create, Update, Delete

Manage target groups at the application level.

No environment-level target group permission exists. However, if a target group is used in flags, Flag: Update is required on the application and in each environment where the group is used.

Custom role examples for for common feature management use cases

Next, using the permission information from above, the examples that follow illustrate how to create custom roles for common feature management use cases.

Create an admin role

Use this example to set up a custom role for organization administrators who need full permissions for feature management capabilities. This custom role grants full control across all feature management categories, including approval requests, feature flags, target groups, and custom properties.

  1. Follow the same [process_above], except for the permissions.

  2. Apply the required permissions as shown in this example:

    • Approval request:

      • Create to propose a request.

      • Update to approve a request.

      • Delete to reject or delete a request.

    • Flags:

      • Create, Update, and Delete to create, update, and manage flag settings.

    • Target group:

      • Create, Update, and Delete to manage audience targeting groups.

    • Custom property:

      • Create, Update, and Delete to manage flag rule conditions and context-based targeting.

Feature management admin
Figure 2. Example custom role: Feature management administrator

  1. Select Save.

  2. To grant the role, go to Admin settings, Tenant settings  Access control.

Create a target group admin role

Use this role to grant permissions to a user or team responsible for managing audience targeting and rollout strategies.

  1. Follow the same [process_above], except for the permissions.

  2. Assign the following permissions:

    • Read may be selected in the UI, but it is not required because all users are granted read access by default.

    • Target group: Create, Update, and Delete to manage targeting groups.

Feature management target group admin
Figure 3. Example custom role: Feature management target group admin

  1. Select Save.

  2. To grant the role, go to Admin settings, Tenant settings  Access control.

Adjusting target group permissions for environments

When target groups are referenced by flags in one or more environments, updating a target group may change flag behavior. To ensure proper functionality, the user must also have Flag permissions, typically Update or higher, at the application level and in each affected environment.

Feature management target group admin
Figure 4. Example custom role: Feature management target group admin, with environment-level Flag permissions

Create a flag owner role

Use this role for users who are responsible for creating, managing, and deploying feature flags, but who do not need full access to approval requests, target groups, or custom properties.

  1. Follow the same [process_above], except for the permissions.

  2. Assign the following permissions:

    • Approval request: Read

    • Custom property: Read

    • Flag: Read, Create, Update, and Delete

    • Target group: Read

Feature management flag owner
Figure 5. Example custom role: Feature management flag owner

  1. Select Save.

  2. To grant the role, go to Admin settings, Tenant settings  Access control.

Create a flag contributor role (no save)

Use this role if you want users to draft feature flag changes without the ability to save them directly. This is useful for developers or team members who need to suggest flag edits but should not have permission to apply changes.

Table 3. Make a change to a flag, but cannot save
Role Feature management, Role permissions Can propose approval? Can approve/reject? Can edit flag configuration?

Flag change requester

Approval request: Read, Create
Flag: Read, Create

  1. Follow the same [process_above], except for the permissions.

  2. Assign the following permissions:

    • Approval request: Read, Create

    • Custom property: N/A

    • Flag: Read, Create

    • Target group: N/A

Approval request permissions
Figure 6. Example custom role: Flag contributor (no save)

  1. Select Save.

  2. To grant the role, go to Admin settings, Tenant settings  Access control.

Create an approver role

Use this role to allow users to review flag changes and approve or reject them—but not modify flag configurations directly. This role is useful for team leads, product owners, or QA specialists who serve as reviewers during rollout.

Table 4. Flag approver role permissions
Role Feature management, Role permissions Can propose approval? Can approve/reject? Can edit flag configuration?

Flag approver

Approval request: Read, Create, Update, and Delete
Flag: Read

  1. Follow the same [process_above], except for the permissions.

  2. Assign the following permissions:

    • Approval request: Read, Create, Update, and Delete

    • Custom property: Read

    • Flag: Read

    • Target group: Read

Approval request permissions
Figure 7. Example custom role: Flag approver role

  1. Select Save.

  2. To grant the role, go to Admin settings, Tenant settings  Access control.

    For minimum permissions:

    • Update is required to approve a request.

    • Delete is required to reject or delete a request.

    CloudBees recommends assigning only the minimal permissions necessary for each user’s responsibility.

Assign roles at the application and environment scopes

The following examples illustrate how to assign roles across different scopes—organization, application, and environment.

Admin example

  • Flag name: ImpressionsFlagAdmins

  • Role: fm_admin with full feature management permissions

  • Scope assignments:

    • Application: fm-impressions-dev

    • Environments associated with that application: Development and Local

Developer example

  • Flag name: ImpressionsFlagsDevs

  • Roles: fm_admin and an organization-level role for general access

  • Scope assignments:

    • Application: fm-impressions-dev

    • Environment: Local

These examples demonstrate that users typically need both application, and environment-scoped role assignments to perform actions that impact features or behavior in a target environment.

Target groups are managed at the application level, but applying a target group to a flag or updating one that is referenced by a flag requires the appropriate Flag permission, specifically, Update, at the environment level.

Related documentation