In the CloudBees platform, all users and teams may be granted specific access permissions using role-based access control (RBAC). Roles may be either custom or predefined, and a user can have multiple roles in an organization.
A role can be granted to define permissions for a user at either the organization or component level.
You must have the Admin role to manage RBAC, including roles and permissions.
The access control list
Search in and filter the list of access roles for all users and teams in a given tenant organization.
The access control list displays the following:
- Type: Either a user or a team.
- Principal: The user email address or the team name.
- Name: The account name or the team name.
- Role: The associated roles for each principal.
To display access roles:
- Select from the upper right.
- (Optional) Search for a specific user or team name by entering all or part of the name into Search.
- (Optional) Select an option in Type to filter the list by either User or Team.
The access control list is displayed according to your search or filtering criteria.
Grant a role
You can grant both predefined and custom roles to any user or team. You can also grant multiple roles at once to a specific user or team.
For example, User-A has been granted the Admin role for Org-A, but they have limited access to Org-B:
- User-A has the Approver role for two of the components in Org-B.
- User-A has a custom role that allows them to use feature management in all components of Org-B, but provides no other permissions.
To grant one or more roles:
- Select.
- Select Grant role.
- Select a Principal (a specific user or team) from the options.
- Select a Resource type: Either an organization or a component.
- Select a Resource from the options:
  - If the selected Resource type is an organization, the Resource options consist of all sub-organizations in the selected organization and the selected organization itself.
  - If the selected Resource type is a component, the Resource options consist of all components within the current organization.
- Select a Role from the options.
- (Optional) Select Add another role to grant the same Principal another role. You may add unlimited roles.
- Select Save.
A role or roles for the defined resources are granted to the specified user or team.

A diagram of the resources and roles set in the above example follows.
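The User-A example can also be written down as data and checked, which is useful when reviewing who can do what before granting another role. The following is an added illustration, not CloudBees code or a CloudBees API: the component names, the `feature-mgmt-only` role, the mapping of Approver to a single permission, and the rule that a grant on an organization applies to its components are assumptions taken from the example's wording.

```python
# Added illustration, not CloudBees code or API. Resource names, the
# "feature-mgmt-only" role and its contents are constructed assumptions.
from dataclasses import dataclass

LEVELS = ("Read", "Create", "Update", "Delete", "Execute")

# Resource tree as child -> parent (constructed sample data).
PARENT = {"Org-A": None, "Org-B": None, "Org-B/comp-1": "Org-B",
          "Org-B/comp-2": "Org-B", "Org-B/comp-3": "Org-B"}

# Role -> set of (permission, privilege level); "*" stands for any permission.
ROLES = {
    "Admin": {("*", lvl) for lvl in LEVELS},
    "Approver": {("Manual approvals", "Execute")},  # assumed mapping
    "feature-mgmt-only": {(perm, lvl) for lvl in LEVELS
                          for perm in ("Flag", "Custom property", "Target group")},
}

@dataclass(frozen=True)
class Grant:
    principal: str
    role: str
    resource: str

GRANTS = [
    Grant("User-A", "Admin", "Org-A"),
    Grant("User-A", "Approver", "Org-B/comp-1"),
    Grant("User-A", "Approver", "Org-B/comp-2"),
    Grant("User-A", "feature-mgmt-only", "Org-B"),
]

def scope_chain(resource):
    """Return the resource and every ancestor; a grant on any of them applies."""
    chain = []
    while resource is not None:
        chain.append(resource)
        resource = PARENT[resource]
    return chain

def effective_roles(principal, resource):
    chain = scope_chain(resource)
    return sorted({g.role for g in GRANTS
                   if g.principal == principal and g.resource in chain})

def is_allowed(principal, resource, permission, level):
    """Default deny: allow only if some applicable role carries the pair."""
    for role in effective_roles(principal, resource):
        perms = ROLES[role]
        if (permission, level) in perms or ("*", level) in perms:
            return True
    return False
```
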

Manage permissions
The CloudBees platform enables you to develop fine-grained permissions for custom roles.
Permission categories
Permissions in the CloudBees platform are grouped into the following categories, to assist in assigning specific permissions to a custom role.
- Tenants
- Components
- Configurations
- Analytics
- Feature management
- Other
Privilege levels
For each permission within the above categories, there are five levels of privilege.
Level | Description |
---|---|
Read | Grants a user the ability to read an entity. |
Create | Grants a user the ability to create an entity. |
Update | Grants a user the ability to update an entity. |
Delete | Grants a user the ability to delete an entity. |
Execute | Grants a user the ability to execute an action. |
Permission details
The following table details each permission, organized by category.
Category | Permission | Description |
---|---|---|
Tenants | Teams | Team management and permissions. |
Tenants | User invite | Invite new users to the platform. |
Tenants | Users | User management and permissions. |
Components | Artifact | Workflow and ASPM artifact management. |
Components | Log | Workflow log management. |
Components | Resource | Inheritance resource management. |
Components | Workflow automation | Workflow automation management. |
Components | Workflow event | Management of external workflow events reported by actions. |
Configurations | Endpoint | Endpoint and integration management. |
Configurations | Environment | Environment management. |
Configurations | Extension | Actions catalog management. |
Configurations | Property | Workflow property management. |
Analytics | CI insights | CI insights for Jenkins® management. |
Analytics | VSM | Value stream management and reporting. |
Feature management | Flag | Feature flags management. |
Feature management | Custom property | Manage user-defined attributes for feature flag logic. |
Feature management | Target group | Manage groups of users for flag evaluation. |
Continuous Security | Review risk accepted request | Review a transition request for a risk accepted finding. |
Continuous Security | Review false positive request | Review a transition request for a false positive finding. |
Continuous Security | SLA Configuration | Define the service-level agreement (SLA) for an organization. |
Continuous Security | Triage findings | Triage security findings. |
Continuous Security | View findings by triage status | View findings by their triage status. |
Other | API tokens | API token management. |
Other | Account | Account management. |
Other | Audit log | Audit log management. |
Other | Authorization | User authorization. |
Other | Entitlement | Entitlement management for features. |
Other | Manual approvals | Manual approval management. |
Other | Role | Role management, including custom roles. |
Other | Secret and credential | Secrets and credentials management. |
Other | Security | Security management. |
Predefined roles
The predefined role permissions are summarized in the table below.
Role | Permissions |
---|---|
Admin | Has full administrative control over all functionality on the selected resource and its sub-resources. |
Approver | Able to execute manual approval of a workflow in response to an approval request. |
User | Has read-only access to all functionality on the selected resource and its sub-resources. |
Manage custom roles
Create custom roles for specific users or teams to provide them with the least privileges necessary to perform their work. Delete any custom roles as necessary.
Create a custom role
A role in CloudBees platform grants a set of permissions to a specific user or team.
CloudBees recommends that you follow the principle of least privilege, and provide only the minimum level of access needed for a user to perform their job function.
To create a custom role:
- Select from the upper right.
- Select Create Role.
- Select next to Custom Role, and then enter a name for the role.
- (Optional) Select next to Description to enter a description, such as a summary of permissions granted.
- (Optional) Select a category on the left pane to scroll to that category.
- Select permissions to be granted to your custom role by choosing one or more privilege levels next to the permission you want to grant.
- Select Save.
The custom role is created with the selected permissions and is displayed in Roles.

In the above permissions example, a user with this role has the ability to:
- View and edit properties and environments, but not create or delete them.
- View CI insights for Jenkins and VSM dashboards, but not connect a controller or configure analytics.
- View, create, and update feature flags, but not delete them.
Update a custom role
Update the name, description, and permissions of a custom role. You must have the administrator role to make updates.
You cannot edit the predefined roles.
To update a custom role:
- Select from the upper right.
- Select next to the role you want to update.
- Select Edit.
- Make any desired changes.
- Select Save.
The selected custom role is updated accordingly.
Delete a custom role
Delete any custom role as long as you have the administrator role. A deleted custom role is completely removed from the CloudBees platform, and deletion is irreversible.
You cannot delete predefined roles.
To delete a custom role:
- Select from the upper right.
- Select next to the custom role you want to delete.
- Select Delete.
- Select Delete.
The selected custom role is deleted and removed from the roles list.
Create a feature management role
You can combine permission categories, privilege levels, and resource scopes to create a custom role specific to feature management in your organization.
For example, to create a user role that can fully manage feature flags, but only view target groups and custom properties:
- Navigate to.
- Select Create Role.
- Select next to Custom Role, and enter a name for the role.
- Select next to Description to enter a description, such as a summary of permissions granted.
- In the Feature management category:
  - For Flag, assign privileges: Read, Create, Update, Delete, Execute.
  - For Custom property, assign privilege: Read.
  - For Target group, assign privilege: Read.
- Select Save.
This custom role appears on the roles list, and can be assigned to a user or team through the access control panel.
Users can be granted roles with different scopes (such as organization or application) and separate permissions at each level. In feature management, assign all read privileges for flags, target groups, and custom properties together to ensure feature flags evaluate and behave as expected. The absence of read access may impact functionality, even if write permissions are not needed.
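A custom role definition can be reviewed against these rules before it is saved. The lint below is an added example, not CloudBees code: the dictionary layout for a role is an assumed format, and both sample roles are constructed. It reports non-read privileges granted without Read, permissions outside the role's intended scope, and a feature management role that lacks Read on any of the three permissions named above.

```python
# Added example, not CloudBees code. The role layout (permission name ->
# set of privilege levels) is an assumed format; sample roles are constructed.
NON_READ = {"Create", "Update", "Delete", "Execute"}
FM_PERMISSIONS = ("Flag", "Custom property", "Target group")

# The role built in the steps above.
FLAG_MANAGER = {"name": "flag-manager", "permissions": {
    "Flag": {"Read", "Create", "Update", "Delete", "Execute"},
    "Custom property": {"Read"},
    "Target group": {"Read"},
}}

# A constructed role with the problems the lint is meant to catch.
FLAG_EDITOR_BAD = {"name": "flag-editor", "permissions": {
    "Flag": {"Create", "Update"},
    "Secret and credential": {"Read"},
}}

def lint_role(role, allowed=FM_PERMISSIONS):
    """Return sorted findings for one custom role; an empty list means clean."""
    grants = role["permissions"]
    findings = []
    for perm, levels in grants.items():
        if not levels:
            continue
        # Create/Update/Delete/Execute without Read on the same permission.
        if levels & NON_READ and "Read" not in levels:
            findings.append(f"{perm}: non-read privilege without Read")
        # Least privilege: anything beyond the intended scope is flagged.
        if perm not in allowed:
            findings.append(f"{perm}: outside the role's intended scope")
    # Feature management roles need Read on all three permissions together.
    if any(grants.get(p) for p in FM_PERMISSIONS):
        for p in FM_PERMISSIONS:
            if "Read" not in grants.get(p, set()):
                findings.append(f"{p}: missing Read needed for flag evaluation")
    return sorted(findings)

if __name__ == "__main__":
    for role in (FLAG_MANAGER, FLAG_EDITOR_BAD):
        print(role["name"], lint_role(role) or "ok")
```
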