Tip |
---|
Security administration is restricted to FlexDeploy Administrators only. |
Security Administration
See Users to maintain users in the FlexDeploy internal realm. If you use this option, you are not relying on external directory servers.
You can use Active Directory or another LDAP server for authentication and authorization; see Realms for reference. A FlexDeploy user record is still created when a user from your external LDAP server logs in for the first time. See the new user process on the Realms page.
You can also use both the internal and external realms for users. Users are authenticated against the realms in the order defined on the Realms page.
Authorization
To control access to the various parts of FlexDeploy, you configure permissions for FlexDeploy groups. FlexDeploy supports both coarse-grained and finer-grained permissions; see below for details.
Tip |
---|
Permissions are mainly controlled using FlexDeploy Groups, even when using an external realm. When using an external realm, you can map external directory groups to FlexDeploy groups. Group mapping reduces security maintenance when new users start using FlexDeploy. |
Use global permissions to control access to the various object types in FlexDeploy. Global permissions do not control access at the individual item level but at the entire object type level: if you grant Create / Update access for Workflow to a group, members of that group can create or update any workflow. See Global Permissions for more information.
Use deploy permissions to restrict the environments available on the deployment request form. See Deploy Permissions. For example, if you want to prevent a specific group of users from deploying to environments other than development and test, configure deployment permissions accordingly. Alternatively, you can allow deployment to all environments and set up approvals using FlexDeploy approvals or an external change management system.
Finer grained permissions
Project - control access (read, create, configure, execute, etc.) to specific projects for FlexDeploy groups. You can configure this for a project or a folder; configuration at the folder level applies to all projects contained in it. See Project Security. This model allows restricting configuration edits of projects to specific groups while still allowing others to view projects and execute build / deploy on them.
Release - control access (read, configure, execute, etc.) to specific releases for FlexDeploy groups. You can configure this using global permissions and override it for a specific release as necessary. See Release Security.
Pipeline - control access (abort, replay, skip, etc.) on pipeline execution. Pipelines abstract access into roles that are mapped to FlexDeploy groups and/or users; developers, leaders, managers and operators are some examples of pipeline roles. You can define permissions on each pipeline role. See Pipeline team security.
Some object types allow permissions to be granted for an individual instance of the object; for instance, you can give permission to update the EBS target group to the EBS lead without allowing them to modify other target groups.
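To make the resolution rules above concrete, here is a small Python model of them, added as an illustration; it is not FlexDeploy's code. The class and method names, the administrator short-circuit, and the sample groups, folders, releases and environments are constructed assumptions chosen to mirror the page's description: a global permission covers every object of a type, a folder-level project setting is inherited by the projects under it unless a deeper folder or the project overrides it, a release-level override replaces the global grant for that one release, and deploy permissions limit the environments a group may deploy to.

```python
"""Toy model of the permission rules described on this page.

Added illustration only: this is not FlexDeploy's code. The class, the method
names and the sample groups, folders, releases and environments are constructed
assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple

Key = Tuple[str, str]  # (object type, action) or (object type, object path)


@dataclass
class PermissionModel:
    # Global permissions: (object type, action) -> groups allowed on EVERY
    # object of that type (the coarse-grained level described under Authorization).
    global_grants: Dict[Key, Set[str]] = field(default_factory=dict)
    # Finer-grained overrides: (object type, path) -> {action: groups}. For
    # projects the path is the folder hierarchy ("Finance/EBS/GL"); a setting on
    # a folder applies to every project below it unless something deeper overrides it.
    overrides: Dict[Key, Dict[str, Set[str]]] = field(default_factory=dict)
    # Deploy permissions: group -> environments it may deploy to (None = any).
    deploy_envs: Dict[str, Optional[Set[str]]] = field(default_factory=dict)
    # Assumption of this model: members of the administrator group pass every
    # check. The page restricts security administration to Administrators but
    # does not spell out this rule.
    admin_group: str = "FD Administrators"

    def grant_global(self, object_type: str, action: str, *groups: str) -> None:
        self.global_grants.setdefault((object_type, action), set()).update(groups)

    def override(self, object_type: str, path: str, action: str, *groups: str) -> None:
        per_object = self.overrides.setdefault((object_type, path), {})
        per_object.setdefault(action, set()).update(groups)

    def is_authorized(self, user_groups: Iterable[str], object_type: str,
                      action: str, path: Optional[str] = None) -> bool:
        groups = set(user_groups)
        if self.admin_group in groups:
            return True
        # Walk from the object up through its folder hierarchy; the nearest
        # override that defines this action wins and replaces the global grant.
        if path:
            parts = path.split("/")
            for depth in range(len(parts), 0, -1):
                actions = self.overrides.get((object_type, "/".join(parts[:depth])))
                if actions and action in actions:
                    return bool(groups & actions[action])
        return bool(groups & self.global_grants.get((object_type, action), set()))

    def can_deploy(self, user_groups: Iterable[str], environment: str) -> bool:
        # A user may deploy to an environment if any of their groups allows it;
        # a group with no deploy permission configured cannot deploy anywhere.
        for group in user_groups:
            if group in self.deploy_envs:
                allowed = self.deploy_envs[group]
                if allowed is None or environment in allowed:
                    return True
        return False


def build_example() -> PermissionModel:
    """Constructed sample configuration following the matrix's recommendations."""
    m = PermissionModel()
    m.grant_global("Workflow", "Read", "All Users")
    m.grant_global("Workflow", "Create / Update", "FD Administrators")
    m.grant_global("Project", "Read", "All Users")
    m.grant_global("Project", "Execute", "All Users")
    m.grant_global("Project", "Configure", "FD Administrators")
    # Project security on a folder: EBS leads may configure any project under it...
    m.override("Project", "Finance/EBS", "Configure", "EBS Leads")
    # ...except one locked-down project, where a deeper override takes precedence.
    m.override("Project", "Finance/EBS/Payroll", "Configure", "FD Administrators")
    # Release lifecycle belongs to Change Management, overridden for one hotfix release.
    m.grant_global("Release", "Manage Lifecycle", "Change Management")
    m.override("Release", "Q3-Hotfix", "Manage Lifecycle", "Technical Leads")
    # Deploy permissions: developers stop at TEST; change management may deploy anywhere.
    m.deploy_envs["Developers"] = {"DEV", "TEST"}
    m.deploy_envs["Change Management"] = None
    return m


if __name__ == "__main__":
    model = build_example()
    dev = {"All Users", "Developers"}
    ebs_lead = {"All Users", "EBS Leads"}
    print(model.is_authorized(ebs_lead, "Project", "Configure", "Finance/EBS/GL"))       # True
    print(model.is_authorized(ebs_lead, "Project", "Configure", "Finance/EBS/Payroll"))  # False
    print(model.is_authorized(dev, "Project", "Execute", "Finance/EBS/Payroll"))         # True
    print(model.can_deploy(dev, "PROD"))                                                 # False
```

The point to notice is that an override narrows as well as widens: once the hotfix release has its own Manage Lifecycle setting, the global Change Management grant no longer applies to that release, which is exactly why the matrix recommends leaving Grant Permissions with administrators.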
Permission Matrix
Object Type | Permission | Notes | General Recommendation |
---|---|---|---|
Approval Setup | Read | Approvals (outside of pipeline) can be read. | All Users |
Approval Setup | Create / Update | Approvals (outside of pipeline) can be created and updated. | Change Management/Operations |
Credential | Read | Credential details can be read. Note that secret text such as a password can never be read in clear text; you can only see the details necessary to request the credential from the store. | All Users |
Credential | Create / Update | Credential details, including secret text such as a password, can be entered. | FD Administrators, DBA, Middleware Administrators |
Credential | Delete | A credential can be deleted if it is not in use. | FD Administrators, DBA, Middleware Administrators |
Credential Store | Read | Credential store details can be read. Management of stores is restricted to Administrators. | All Users |
Credential Store Provider | Read | Credential store providers can be read. Management of store providers is restricted to Administrators. | All Users |
Defaults | Read | Defaults can be read. Defaults allow some customizable defaults when new objects are created in FlexDeploy. | All Users |
Defaults | Update | Defaults configuration can be updated. | FD Administrators |
Endpoint | Read | Endpoints (SSH configuration) used to connect to target nodes can be read. | All Users |
Endpoint | Update | Endpoints (SSH configuration) used to connect to target nodes can be created and updated. | FD Administrators |
Environment | Read | Topology object read permission. | All Users |
Environment | Create / Update | Topology environments can be created and updated. | FD Administrators |
File Type | Read | File Type details (match script, default scripts, etc.) can be read. File Types apply to specific package-based projects. | All Users |
File Type | Update | File Type details can be updated. | FD Administrators |
FlexField | Read | FlexField configurations can be read. FlexFields are custom inputs to build and deploy workflow requests. | All Users |
FlexField | Update | FlexFields can be configured (enabled). | FD Administrators |
Group | Read | Group information can be read. Group management is restricted to Administrator users. | All Users |
Integration Accounts | Read | Integration Accounts can be read. Integration Accounts are connection details for source repositories, change and issue management systems, cloud providers, and more. | All Users |
Integration Accounts | Create / Update / Delete | Integration Accounts can be created, updated, or deleted. | FD Administrators |
Integration Providers | Read | Integration Providers can be read. Integration Providers represent other DevOps tools useful in the CI/CD process. | All Users |
Integration Providers | Create / Update / Delete | Integration Providers can be created, updated, or deleted. | FD Administrators |
Notification Setup | Read | Configured notifications (email) can be read. | All Users |
Notification Setup | Create / Update | Additional notifications (email) can be created and updated. | All Users |
Notification Setup | Delete | Additional notifications (email) can be deleted. | All Users |
Notification Templates | Read | Notification Templates can be read. | All Users |
Notification Templates | Create / Update | Custom Notification Templates can be created and updated. | FD Administrators |
Notification Templates | Delete | Custom Notification Templates can be deleted. | FD Administrators |
Pipeline | Read | Pipelines can be read. A pipeline defines the promotion process through the various environments. | All Users |
Pipeline | Update | Pipelines can be created or updated. | FD Administrators |
Plugin | Read | Plugin details can be read. | All Users |
Plugin | Upload | Plugins can be uploaded and activated. Generally restricted to Administrators. | FD Administrators |
Realm | Read | Realm information can be read. Realm configuration is restricted to Administrator users. | All Users |
Release¹ | Read | Releases (collections of projects for a specific delivery) can be read. Release permissions can be overridden for individual releases as well. | All Users |
Release¹ | Create / Update | Releases can be created and updated. | Change Management/Operations |
Release¹ | Create Snapshot | Creating a snapshot is the process of including build versions in a release. Developers can be responsible for this as well. | Developers, Technical Leads |
Release¹ | Configure Project List | Projects and packages can be added to or removed from a release. | Developers, Technical Leads |
Release¹ | Configure Pipeline | A pipeline can be configured on the release with this permission. Access to Override Members on the Teams tab is also controlled by this permission. | Change Management/Operations |
Release¹ | Manage Lifecycle | Release start, pause and end actions are allowed with this permission. | Change Management/Operations |
Release¹ | Grant Permissions | Release permissions can be changed with this permission; otherwise only Administrator users can configure them. | FD Administrators |
Report | Read | Reports can be read. | All Users |
Scheduled Task | Read | Scheduled tasks (deployments outside of a pipeline waiting for their schedule) can be read. | All Users |
Scheduled Task | Update | Scheduled tasks can be overridden, which allows an immediate run of the deployment. | Change Management/Operations |
Scheduled Window Setup | Read | Schedule Windows (for project execution) can be read. Schedule Windows are set up on a folder and apply to all projects under it unless overridden in the folder hierarchy. | All Users |
Scheduled Window Setup | Create / Update / Delete | Schedule Windows can be created, updated, or deleted. | FD Administrators |
Target Group | Read | Target Groups can be read. Read permission can be overridden for individual Target Groups as well. A Target Group is a set of similar technology systems that you deploy to in the various environments. | All Users |
Target Group | Create | Target Groups can be created. | FD Administrators |
Target Group | Update / Delete | Target Groups can be updated or deleted. Update permission can be overridden for individual Target Groups as well. | FD Administrators; Technical Leads for individual target groups |
User | Read | User information can be read. User management is restricted to Administrator users. | All Users |
Webhook Functions | Read | Webhook functions can be read. | All Users |
Webhook Functions | Create / Update | Webhook functions can be created and updated. | Technical Leads, Developers |
Webhook Functions | Delete | Webhook functions can be deleted. | Technical Leads / FD Administrators |
Webhook Listener | Read | The webhook listener can be read. | All Users |
Webhook Listener | Create / Update | The webhook listener can be created or updated. | Technical Leads / FD Administrators |
Webhook Messages | Read - View Tracking | The webhook messages screen can be viewed. | All Users |
Webhook Messages | View Logs | Webhook message logs can be viewed. | Technical Leads, Developers |
Webhook Messages | View Content | Webhook message payload, query parameters and headers can be viewed. | Technical Leads, Developers |
Webhook Messages | Execute - Resubmit Message | Webhook messages can be resubmitted. | Technical Leads, Developers |
Webhook Providers | Read | Webhook providers can be viewed. | All Users |
Webhook Providers | Create / Update | Webhook providers can be created and updated. | Technical Leads, Developers |
Work Item | Create / Modify Fields | Work Items can be created and their fields (assignee, status, type, etc.) can be modified. | Technical Leads, Developers |
Work Item | Delete | Work Items can be deleted. | Technical Leads / FD Administrators |
Work Item | Comments and Attachment Create | Fields cannot be modified, but comments and attachments can be added. | All Users |
Workflow | Read | Workflows (build, deploy, test, etc.) can be read. A workflow contains the execution code for build and deployment. | All Users |
Workflow | Create / Update | Workflows (build, deploy, test, etc.) can be created or updated. A workflow contains the execution code for build and deployment. | FD Administrators |
¹ Release level permissions can be set up for an individual release.