Introduction
Architecture
Onboard
Introduction
Teams
Users
Introduction
IntroductionPromote an image in Amazon ECRDownload a file from JFrog ArtifactoryMove or copy an image from JFrog ArtifactoryUpload a file to JFrog ArtifactoryStore an object on Amazon S3Retrieve an object from Amazon S3
IntroductionCreate or update a functionInvoke a function
IntroductionRun an AWS CodePipelineRun a Bamboo projectRun a Bitbucket pipelineRun a CloudBees CI jobRun a CircleCI workflowRun a GitHub Actions workflowRun a GitLab pipelineRun a Harness pipelineRun a Jenkins® jobRun a JFrog pipelineRun a TeamCity project
Check out a Git repository
IntroductionAWS credentialsECR credentialsEKS credentialsGit global credentialsOCI credentials
IntroductionRun Argo WorkflowsCopy a remote image with CraneDeploy a binary with EC2Deploy to ECSRender an ECS task definitionBuild a container image with KanikoDeploy with OctopusDeploy with SpinnakerRun Ansible Playbook
Publish evidence items
IntroductionHelm chart installHelm chart packageHelm chart publishHelm chart uninstall
IntroductionCreate a Kubernetes namespaceCreate/update a Kubernetes resourceDeploy to a Kubernetes cluster
IntroductionVerify with NewRelic
Execute remote commands via SSH
IntroductionAnchoreAquasecJFrog XraySnyk ContainerSonatype (Nexus) ContainerTrivy
IntroductionStackhawkZAP
IntroductionCheckmarxFind Security BugsGitHub Security ScannerGosecMendNexus IQSnykSonarQube bundledSonarQube
IntroductionMendSnyk
IntroductionTruffleHog ContainerTruffleHog CodeTruffleHog S3
Publish test results
CI insights for Jenkins

Role-based access control

5 minute read

In the CloudBees platform, all users and teams may be granted specific access permissions using role-based access control (RBAC). Roles may be either custom or predefined, and a user can have multiple roles in an organization (org).

A role can be granted to define permissions for a user at either the org or component level.

You must have the Admin role to manage RBAC, including roles and permissions.

The access control list

Search in and filter the list of access roles for all users and teams in a given tenant org.

The access control list displays the following:

  • Type: Either a user (User) or a team (Team).

  • Principal: The user email address or the team name.

  • Name: The account name or the team name.

  • Role: The associated roles for each principal.

To display access roles:

  1. Select Admin settings  Access control on the upper right by your account name.

  2. (Optional) Search for a specific user or team name by entering all or part of the name into Search.

  3. (Optional) Select an option in Type to filter the list by either User or Team.

The access control list is displayed according to your search or filtering criteria.

Grant a role

You can grant both predefined and custom roles to any user or team. You can also grant multiple roles at once to a specific user or team.

For example, User-A has been granted the Admin role for Org-A, but they have limited access to Org-B:

  • User-A has the Approver role for two of the components in Org-B.

  • User-A has a custom role that allows them to use feature management in all components of Org-B, but provides no other permissions.

To grant one or more roles:

  1. Select Admin settings  Access control.

  2. Select Grant role.

  3. Select a Principal (a specific user or team) from the options.

  4. Select a Resource type: Either an org or a component.

  5. Select a Resource from the options:

    • If the selected Resource type is an org, the Resource options consist of all sub-orgs in the selected org and the selected org itself.

    • If the selected Resource type is a component, the Resource options consist of all components within the current org.

  6. Select a Role from the options.

  7. (Optional) Select Add another role to grant the same Principal another role. You may add unlimited roles.

  8. Select Save.

A role or roles for the defined resources are granted to the specified user or team.

Grant roles
Figure 1. Selecting resources and roles to grant to an example user.

A diagram of the resources and roles set in the above example follows.

Grant roles diagram
Figure 2. Roles with their associated resources granted to an example user.

Manage permissions

The CloudBees platform enables you to develop fine-grained permissions for custom roles.

Permission categories

Permissions in the CloudBees platform are grouped into the following categories, to assist in assigning specific permissions to a custom role.

  • Tenants

  • Components

  • Configurations

  • Analytics

  • Feature management

  • Other

Privilege levels

For each permission within the above categories, there are five levels of privilege.

Table 1. Privilege levels
Level Description

Read

Grants a user the ability to read an entity.

Create

Grants a user the ability to create an entity.

Update

Grants a user the ability to update an entity.

Delete

Grants a user the ability to delete an entity.

Execute

Grants a user the ability to execute an action.

Permission details

The following table details each permission, organized by category.

Table 2. Permission descriptions
Category Permission Description

Tenants

Users

User management and permissions.

Teams

Team management and permissions.

User invite

Invite new users to the platform.

Components

Workflow automation

Workflow automation management.

Resource

Inheritance resource management.

Artifact

Workflow and ASPM artifact management.

Workflow event

Management of external workflow events reported by actions.

Log

Workflow log management.

Configurations

Endpoint

Endpoint and integration management.

Extension

Actions catalog management.

Property

Workflow property management.

Environment

Environment management.

Analytics

CI insights

CI insights for Jenkins® management.

VSM

Value stream management and reporting.

Feature management

Flag

Feature flags management.

Other

Authorization

User authorization.

Account

Account management.

Entitlement

Entitlement management for features.

Secret and credential

Secrets and credentials management.

Audit log

Audit log management.

Security

Security management.

Manual approvals

Manual approval management.

Role

Role management, including custom roles.

API tokens

API token management.

Predefined roles

The predefined role permissions are summarized in the table below.

Table 3. Predefined roles and permissions
Role Permissions

Admin

Has full administrative control over all functionality on the selected resource and its sub-resources.

Approver

Able to execute manual approval of a workflow in response to an approval request.

User

Has read-only access to all functionality on the selected resource and its sub-resources.

Manage custom roles

Create custom roles for specific users or teams to provide them with the least privileges necessary to perform their work. Delete any custom roles as necessary.

Create a custom role

A role in CloudBees platform grants a set of permissions to a specific user or team.

CloudBees recommends that you follow the principle of least privilege, and provide only the minimum level of access needed for a user to perform their job function.

To create a custom role:

  1. Select Admin settings  Roles on the upper right by your account name.

  2. Select Pencil next to Custom Role.

  3. Highlight Custom Role to enter a Role name (alternatively, you may keep the default Custom Role name).

  4. (Optional) Select Pencil next to Description to enter a description, such as a summary of permissions granted.

  5. (Optional) Select a category on the left pane to scroll to that category.

  6. Select permissions to be granted to your custom role by choosing one or more privilege levels next to the permission you want to grant.

  7. Select Save.

The custom role is created with the selected permissions and is displayed in Roles.

Create a new role
Figure 3. Selecting permissions to create a new role.

In the above permissions example, a user with this role has the ability to:

  • View and edit properties and environments, but not create or delete them.

  • View CI insights for Jenkins and VSM dashboards, but not connect a controller or configure analytics.

  • View, create, and update feature flags, but not delete them.

Update a custom role

Update the name, description, and permissions of a custom role. You must have the administrator role to make updates.

You cannot edit the predefined roles.

To update a custom role:

  1. Select Admin settings  Roles on the upper right by your account name.

  2. Select Vertical ellipsis next to the role you want to update.

  3. Select Edit.

  4. Make any desired changes.

  5. Select Save.

The selected custom role is updated accordingly.

Delete a custom role

Delete any custom role as long as you have the administrator role. A deleted custom role is completely removed from the CloudBees platform, and deletion is irreversible.

You cannot delete predefined roles.

To delete a custom role:

  1. Select Admin settings  Roles on the upper right by your account name.

  2. Select Vertical ellipsis next to the custom role you want to delete.

  3. Select Delete.

  4. Select Delete.

The selected custom role is deleted and removed from the roles list.

Multifactor authentication