Onboard
Introduction
Users
Teams
Introduction
IntroductionPromote an image in Amazon ECRRetrieve an object from Amazon S3Store an object on Amazon S3Copy Docker images with CraneDownload a file from JFrog ArtifactoryMove or copy an image from JFrog ArtifactoryUpload a file to JFrog ArtifactoryRegister a build artifactRegister a deployed environment artifact
IntroductionCreate or update a functionInvoke a function
IntroductionRun an AWS CodePipelineRun a Bamboo projectRun a Bitbucket pipelineRun a CloudBees CI jobRun a CircleCI workflowRun a GitHub Actions workflowRun a GitLab pipelineRun a Harness pipelineRun a Jenkins® jobRun a JFrog pipelineBuild and publish Docker images with KanikoRun a TeamCity project
Check out a Git repository
IntroductionAWS credentialsECR credentialsEKS credentialsGit global credentialsOCI credentials
IntroductionRun Ansible PlaybookDeploy with Argo WorkflowsDeploy with AWS CodeDeployDeploy a binary with Amazon EC2Deploy to ECSRender an Amazon ECS task definitionDeploy with AWS Elastic BeanstalkDeploy with HerokuDeploy with OctopusDeploy with OpenShiftDeploy with SpinnakerDeploy with Tosca
Publish evidence items
IntroductionHelm chart installHelm chart packageHelm chart publishHelm chart uninstall
IntroductionCreate a Kubernetes namespaceCreate/update a Kubernetes resourceDeploy to a Kubernetes cluster
IntroductionVerify with NewRelic
Execute remote commands via SSH
IntroductionAnchoreAquasecJFrog XraySnyk ContainerSonatype (Nexus) ContainerTrivy
IntroductionStackhawkZAP
IntroductionCheckmarxCheckovCoverity on PolarisFind Security BugsGitHub Security ScannerGosecGrypeMendNexus IQnjsscanSnykSonarQube bundledSonarQube
IntroductionBlack DuckMendSnyk
IntroductionGitleaksTruffleHog ContainerTruffleHog CodeTruffleHog S3
IntroductionCreate a change requestUpdate or close a change requestGet a change request current stateQuery a change request approval
Publish test results
Multi-workflows dispatch
Introduction
Manage workflows
Introductioncloudbees and other context objectsenvnameonjobs.<job_id>.delegates.<job_id>.env.<job_id>.environment.<job_id>.if.<job_id>.needs.<job_id>.outputs.<job_id>.permissionsjobs.<job_id>.uses.<job_id>.services.<job_id>.services.<service_id>.services.<service_id>.args.services.<service_id>.env.services.<service_id>.imagejobs.<job_id>.steps.<job_id>.steps[*].id.<job_id>.steps[*].env.<job_id>.steps[*].if.<job_id>.steps[*].name.<job_id>.steps[*].run.<job_id>.steps[*].shell.<job_id>.steps[*].uses.<job_id>.steps[*].with.<job_id>.steps[*].with.args.<job_id>.steps[*].with.entrypoint.<job_id>.steps[*].timeout-minutesjobs.<job_id>.timeout-minutes
An example workflow
Reusable workflows
Personal access tokens
Trigger a workflow using an API
IntroductionManual approval
Connect a repositoryCreate a workflowRun a scanPublish an image
CI insights for Jenkins
Introduction
Learn about feature management
Create flags in code
Create/manage flags in the UI
Namespaces and labels
Configure feature flags
Feature management custom roles
Audit history
Configuration as code
Flag impressions and activity status
Code references
Properties, custom properties, and target groups
Enabling secret mode
IntroductionAndroid / Android TV / Fire TVC/C++ (client-side)C/C++ (server-side)GoJavaJavaScript (browser) / Chromecast / TizenJavaScript SSR.NET/C#Node.jsiOS / tvOSPHPPythonReact NativeRuby
IntroductionClient-side AndroidClient-side C ClientClient-side C++ ClientClient-side JavaClient-side JavaScript (browser)Client-side .NET/C# clientClient-side Objective-CClient-side React NativeClient-side SwiftServer-side CServer-side C++Server-side GoServer-side JavaServer-side .NET/C#Server-side NodeJSServer-side PythonServer-side PHPServer-side RubyBoth client-side and server-side JavaScript SSR
IntroductionAngular appDjango appGin app.NET Core appReact appSpring Boot app

Role-based access control

6 minute read

In the CloudBees platform, all users and teams may be granted specific access permissions using role-based access control (RBAC). Roles may be either custom or predefined, and a user can have multiple roles in an organization.

A role can be granted to define permissions for a user at either the organization or component level.

You must have the Admin role to manage RBAC, including roles and permissions.

The access control list

Search in and filter the list of access roles for all users and teams in a given tenant organization.

The access control list displays the following:

  • Type: Either a user (User) or a team (Team).

  • Principal: The user email address or the team name.

  • Name: The account name or the team name.

  • Role: The associated roles for each principal.

To display access roles:

  1. Select Tenant settings  Access control from the upper right.

  2. (Optional) Search for a specific user or team name by entering all or part of the name into Search.

  3. (Optional) Select an option in Type to filter the list by either User or Team.

The access control list is displayed according to your search or filtering criteria.

Grant a role

You can grant both predefined and custom roles to any user or team. You can also grant multiple roles at once to a specific user or team.

For example, User-A has been granted the Admin role for Org-A, but they have limited access to Org-B:

  • User-A has the Approver role for two of the components in Org-B.

  • User-A has a custom role that allows them to use feature management in all components of Org-B, but provides no other permissions.

To grant one or more roles:

  1. Select Tenant settings  Access control.

  2. Select Grant role.

  3. Select a Principal (a specific user or team) from the options.

  4. Select a Resource type: Either an organization or a component.

  5. Select a Resource from the options:

    • If the selected Resource type is an organization, the Resource options consist of all sub-organizations in the selected organization and the selected organization itself.

    • If the selected Resource type is a component, the Resource options consist of all components within the current organization.

  6. Select a Role from the options.

  7. (Optional) Select Add another role to grant the same Principal another role. You may add unlimited roles.

  8. Select Save.

A role or roles for the defined resources are granted to the specified user or team.

Grant roles
Figure 1. Selecting resources and roles to grant to an example user.

A diagram of the resources and roles set in the above example follows.

Grant roles diagram
Figure 2. Roles with their associated resources granted to an example user.

Manage permissions

The CloudBees platform enables you to develop fine-grained permissions for custom roles.

Permission categories

Permissions in the CloudBees platform are grouped into the following categories, to assist in assigning specific permissions to a custom role.

  • Tenants

  • Components

  • Configurations

  • Analytics

  • Feature management

  • Other

Privilege levels

For each permission within the above categories, there are five levels of privilege.

Table 1. Privilege levels
Level Description

Read

Grants a user the ability to read an entity.

Create

Grants a user the ability to create an entity.

Update

Grants a user the ability to update an entity.

Delete

Grants a user the ability to delete an entity.

Execute

Grants a user the ability to execute an action.

Permission details

The following table details each permission, organized by category.

Table 2. Permission descriptions
Category Permission Description

Tenants

Teams

Team management and permissions.

User invite

Invite new users to the platform.

Users

User management and permissions.

Components

Artifact

Workflow and ASPM artifact management.

Log

Workflow log management.

Resource

Inheritance resource management.

Workflow automation

Workflow automation management.

Workflow event

Management of external workflow events reported by actions.

Configurations

Endpoint

Endpoint and integration management.

Environment

Environment management.

Extension

Actions catalog management.

Property

Workflow property management.

Analytics

CI insights

CI insights for Jenkins® management.

VSM

Value stream management and reporting.

Feature management

Flag

Feature flags management.

Custom property

Manage user-defined attributes for feature flag logic.

Target group

Manage groups of users for flag evaluation.

Continuous Security

Review risk accepted request

Review a transition request for a risk accepted finding.

Review false positive request

Review a transition request for a false positive finding.

SLA Configuration

Define the service-level agreement (SLA) for an organization.

Triage findings

Triage security findings.

View findings by triage status

View findings by their triage status.

Other

API tokens

API token management.

Account

Account management.

Audit log

Audit log management.

Authorization

User authorization.

Entitlement

Entitlement management for features.

Manual approvals

Manual approval management.

Role

Role management, including custom roles.

Secret and credential

Secrets and credentials management.

Security

Security management.

Predefined roles

The predefined role permissions are summarized in the table below.

Table 3. Predefined roles and permissions
Role Permissions

Admin

Has full administrative control over all functionality on the selected resource and its sub-resources.

Approver

Able to execute manual approval of a workflow in response to an approval request.

User

Has read-only access to all functionality on the selected resource and its sub-resources.

Manage custom roles

Create custom roles for specific users or teams to provide them with the least privileges necessary to perform their work. Delete any custom roles as necessary.

Create a custom role

A role in CloudBees platform grants a set of permissions to a specific user or team.

CloudBees recommends that you follow the principle of least privilege, and provide only the minimum level of access needed for a user to perform their job function.

To create a custom role:

  1. Select Tenant settings  Roles from the upper right.

  2. Select Create Role

  3. Select Pencil next to Custom Role, and then enter a name for the role.

  4. (Optional) Select Pencil next to Description to enter a description, such as a summary of permissions granted.

  5. (Optional) Select a category on the left pane to scroll to that category.

  6. Select permissions to be granted to your custom role by choosing one or more privilege levels next to the permission you want to grant.

  7. Select Save.

The custom role is created with the selected permissions and is displayed in Roles.

Create a new role
Figure 3. Selecting permissions to create a new role.

In the above permissions example, a user with this role has the ability to:

  • View and edit properties and environments, but not create or delete them.

  • View CI insights for Jenkins and VSM dashboards, but not connect a controller or configure analytics.

  • View, create, and update feature flags, but not delete them.

Update a custom role

Update the name, description, and permissions of a custom role. You must have the administrator role to make updates.

You cannot edit the predefined roles.

To update a custom role:

  1. Select Tenant settings  Roles from the upper right.

  2. Select Vertical ellipsis next to the role you want to update.

  3. Select Edit.

  4. Make any desired changes.

  5. Select Save.

The selected custom role is updated accordingly.

Delete a custom role

Delete any custom role as long as you have the administrator role. A deleted custom role is completely removed from the CloudBees platform, and deletion is irreversible.

You cannot delete predefined roles.

To delete a custom role:

  1. Select Tenant settings  Roles from the upper right.

  2. Select Vertical ellipsis next to the custom role you want to delete.

  3. Select Delete.

  4. Select Delete.

The selected custom role is deleted and removed from the roles list.

Create a feature management role

You can combine permission categories, privilege levels, and resource scopes to create a custom role specific to feature management in your organization.

For example, to create a user role that can fully manage feature flags, but only view target groups and custom properties:

  1. Navigate to Tenant settings  Roles.

  2. Select Create Role.

  3. Select Pencil next to Custom Role, and enter a name for the role.

  4. Select Pencil next to Description to enter a description, such as a summary of permissions granted.

  5. In the Feature management category:

    • For Flag, assign privileges: Read, Create, Update, Delete, Execute.

    • For Custom property, assign privilege: Read.

    • For Target group, assign privilege: Read.

  6. Select Save.

This custom role appears on the roles list, and can be assigned to a user or team through the access control panel.

Users can be granted roles with different scopes (such as organization or application) and separate permissions at each level.

In feature management, assign all read privileges for flags, target groups, and custom properties together to ensure feature flags evaluate and behave as expected.

The absence of read access may impact functionality, even if write permissions are not needed.
Multifactor authentication