...
| Tip |
|---|
Security administration is restricted to FlexDeploy Administrators only. |
Security Administration
| Child pages (Children Display) |
|---|
...
See Users to maintain users in FlexDeploy internal realm. If you use this option then you are not relying on external directory servers.
You can use Active Directory or other an LDAP server for authentication and authorization, see . See Realms for reference. A FlexDeploy user record will still be created when user users from your external LDAP server logs in login for the first time. See new user process on Realms page.
You can also use both internal as well external realm for users. Users will be first authenticated against external realms and if not successful internal realm will be usedauthenticated in the order defined on the Realms page.
Authorization
In order to control access to various parts of FlexDeploy, you will be configuring permissions for FlexDeploy groups. FlexDeploy supports coarse and finer grained permissions, see below for details.
| Tip |
|---|
Permissions are mainly controlled using FlexDeploy Groups even when using external realm. When using external realm, you can map external directory groups to FlexDeploy groups. Group mapping allows for less security maintenance when new users start using FlexDeploy. |
Use global permissions to control access to various objects in FlexDeploy. Global permissions do not control access at individual item level but rather at entire object level, i.e. if you grant Create / Update access for Workflow to group, members of that group can create or update any workflow. See Global Permissions for more information.
Use deploy permissions to restrict available environments on deployment request form. See Deploy Permissions. For example, if you want to restrict specific group of users from deploying environments other than development and test, then configure deployment permissions accordingly. Alternatively, you can allow for deployment to all environments and setup approvals using FlexDeploy approvals or external change management system approvals.
Finer grained permissions
Folder - control access (read, create, configure, etc.) to specific folders for FlexDeploy groups. Configurations from parent folders are inherited and can be overridden by all child folders. See Folder Security. This model allows for restricting configuration edits of folders to specific groups and still allow others to view and manage other folder. Only FD Administrators can modify Folder Security.
Project - control access (read, create, configure, execute etc.) to specific projects for FlexDeploy groups. You can configure this for a project or folder. Configurations at folder level apply to all projects contained in it. See Project Security. This model allows for restricting configuration edits of projects to specific groups and still allow others to view and execute build / deploy on projects. Only FD Administrators can modify Project Security.
Release - control access (read, create, configure, execute etc.) to specific release releases for FlexDeploy groups. You can configure this using global permissions and override at specific release as necessary. See Release Securityfor a release or folder. Configurations at folder level apply to all releases contained in it. See Release Security. This model allows for restricting configuration edits of releases to specific groups and still allow others to view and execute snapshots on releases. By default, only FD Administrators can modify Release Security unless a group is given Grant Permissions on a release.
Pipeline - control access (abort, replay, skip etc.) on pipeline execution. Pipeline allows for abstraction in to roles that are mapped to FlexDeploy group and/or users. For example, developers, leaders, managers, operators etc. are some examples of pipeline roles. You can define permissions on each pipeline role. See Pipeline team security.
Some object types allow permissions to be granted for an individual instance of the object, for instance, you can give permission to update the EBS target group to the EBS lead, but not allow them to modify other target groups. The same applies to Environments and Workflows.
Permission Matrix
| Panel | ||||||
|---|---|---|---|---|---|---|
| ||||||
Permission rows highlighted in red are only available to FD Administrators (Admin Group toggle on Group). |
Object Type | Permission | Notes | General Recommendation |
|---|---|---|---|
Admin Operations | Read / Modify | Various administration activities. Mostly used while working with Flexagon support team. Operations include Change Log Level, View and Download Logs, Run Groovy, Delete Temp Repositories, and Export Configurations. | |
Approval Setup |
Read | Approvals (outside of pipeline) can be read. | All Users |
Approval Setup |
Create / Update | Approvals (outside of pipeline) can be created and updated. | Change Management / Operations |
Blackout Window |
Read
Read | Blackout window details can be read. |
All Users
Window Setup
Create / Update
Schedule windows (outside of pipeline) can be created and updated.
Change Management/Operations
Notification Setup
Read
All users have access to reading blackout window details. | |||
Blackout Window | Create / Update / Delete | Blackout windows can be created, updated, and deleted. | |
Credential | Read | Credential details can be read. Note that secret text like password can never be read in clear text, hence you can only see details necessary to request credential from store. | All Users |
Credential |
Create / Update |
Additional notifications (email) can be created and updated.
All Users
Notification Setup
Delete
Additional notifications (email) can be deleted.
All Users
Workflow
Read
Workflow (build, deploy, test etc.) can be read. This contains execution code for build and deployment.
All Users
Workflow
Create / Update
Workflow (build, deploy, test etc.) can be created or updated. This contains execution code for build and deployment.
FD Administrators
Release1
Read
Credential details including secret text like password can be be entered. | FD Administrators / DBA / Middleware Administrators | ||
Credential | Delete | Credential can be deleted if not used. | FD Administrators / DBA /Middleware Administrators |
Credential Store | Read | Credential store details can be read. | All Users |
Credential Store | Create / Update / Delete | Credential stores can be created, updated, and deleted. | |
Credential Store Provider | Read | Credential store providers can be read. | All Users |
Release1
Credential Store Provider | Create / Update |
/ Delete | Credential store providers can be created |
Change Management/Operations
Release1
Create Snapshot
Create snapshot is process of including build version in to release. Developer can be responsible for this as well.
Developers, Technical Leads
Release1
Configure Project List
Projects and packages can be added or removed from release.
Developers, Technical Leads
Release1
Configure Pipeline
Pipeline can be configured on release with this permission. Access to Override members on Teams tab is also controlled by this permission.
Change Management/Operations
Release1
Manage Lifecycle
Release start, pause, end actions are allowed with this permission.
Change Management/Operations
Release1
Grant Permissions
Release permission can be changed with this permission, otherwise Administrator users can configure permissions.
FD Administrators
Pipeline
Read
Pipeline can be read. Pipeline defined promotion process through various environments.
All Users
Pipeline
Update
, updated, and deleted. | |||
Defaults | Read | Defaults can be read. Defaults allow some customizable defaults when new objects are created in FlexDeploy. | All Users |
Defaults | Update | Defaults configuration can be updated. | FD Administrators |
Endpoint | Read | Endpoint (SSH configuration) to connect to target nodes can be read. | All Users |
Endpoint | Create / Update / Delete | Endpoint (SSH configuration) to connect to target nodes can be created and updated. | FD Administrators |
Environment |
Read |
Topology environments can be read. This permission is inherited by each environment and can be overridden. | All Users |
Environment |
Create | Topology |
environments can be created. |
FD Administrators |
Environment |
Update / |
Delete | Topology |
environments can be updated and deleted. This permission is inherited by each environment and can be overridden. | FD Administrators |
File Type |
Read
Read | File Type details (Match script, default scripts, etc.) can be read. File Types apply to specific Package-based projects. | All Users |
File Type |
Update |
File Type details can be |
updated. | FD Administrators |
FlexField |
Read
Read | FlexField configurations can be read. FlexFields are custom inputs to build and deploy workflow requests. | All Users |
FlexField |
Update |
FlexFields can be configured (enabled) | FD Administrators |
Endpoint
Read
Endpoint (SSH configuration) to connect to target nodes can be read.
All Users
Endpoint
Update
Endpoint (SSH configuration) to connect to target nodes can be created and updated.
FD Administrators
Scheduled Task
Read
Scheduled task (deployment outside of pipeline waiting for schedule) can be read.
All Users
Scheduled Task
Update
Scheduled task (deployment outside of pipeline waiting for schedule) can be overridden, allows immediate run of deployment.
Change Management/Operations
Plugin
Read
Folder | Control access (read, create, configure, etc.) to specific folders for FlexDeploy groups. Configurations from parent folders are inherited and can be overridden by all child folders. See Folder Security. This model allows for restricting configuration edits of folders to specific groups and still allow others to view and manage other folder. | ||
Folder | Update Security | Security on the folder level can be updated. FlexDeploy groups can be mapped to permission for folders and the projects/releases in the folder. | |
Group | Read | Group information can be read. | All Users |
Group |
Create / Update |
Groups can be |
created and group information (name, users, etc.) can be updated. | FD Administrators |
Integration Instance |
Read |
Integration instances can be read. |
Integration Accounts are connection details for Source Repository, Change and Issue Management System, Cloud Providers, and more. | All Users |
Defaults
Update
Integration Instance | Create / Update / Delete | Integration instances can be created, updated, or deleted. | FD Administrators |
Integration Providers |
Read |
Integration providers can be read. |
Integration Providers represent other DevOps tools useful in CI/CD process. | All Users |
FlexField
Update
FlexFields can be configured (enabled)
FD Administrators
Test Type
Read
Integration Providers | Create / Update / Delete | Integration providers can be created, updated, or deleted. | FD Administrators |
License | Update | FlexDeploy product license can be updated. | |
Notification Setup | Read | Configured notifications (email) can be read. |
All Users |
Notification Setup |
Create / Update |
Additional notifications (email) can be created |
and updated. |
FD Administrators
Object Type
Read
All Users | |||
Notification Setup | Delete | Additional notifications (email) can be deleted. | All Users |
Notification Templates |
Read
Read | Notification Templates can be read |
All Users |
Notification Templates |
Create / Update | Custom |
Notification Templates can be created and updated |
FD Administrators |
Issue Tracking System
Read
Issue tracking system configurations can be read.
All Users
Issue Tracking System
Update
Global configurations for Issue Tracking Systems can be updated.
FD Administrators
Change Management System
Read
Notification Templates | Create / Update | Custom Notification Templates can be deleted | FD Administrators |
Patches | Read | FlexDeploy patches can be read. | |
Permissions | Read | Global and Deployment permissions can be read. User must have Group Read permission to have Permissions Read permission. | All Users |
Permissions |
Update | Global |
and Deployment permissions can be updated. |
Pipeline |
Cloud Account
Read
Read | Pipeline can be read. Pipeline defined promotion process through various environments. | All Users |
Pipeline |
Update |
Pipeline can be created |
or updated. | FD Administrators |
Plugin |
Read |
Plugin details can be read. | All Users |
Artifact Repository Account
Create / Update
Artifact Repository Account can be created and updated.
FD Administrators
CI Server Account
Read
Plugin | Upload | Plugin can be uploaded and activated. Generally restricted to Administrators. | FD Administrators |
Project | Control access (read, create, configure, execute etc.) to specific projects for FlexDeploy groups. You can configure this for a project or folder. Configurations at folder level apply to all projects contained in it. See Project Security. This model allows for restricting configuration edits of projects to specific groups and still allow others to view and execute build / deploy on projects. | ||
Project | Update Security | Security on the project level can be updated. FlexDeploy groups can be mapped to permissions for the project. | |
Realm | Read | Realm information can be read. | All Users |
Realm |
Create / Update / Delete |
Realms can be created, updated, and |
deleted. |
All Users
Analysis Tool Account
Read
Analysis Tool Account details can be read.
All Users
Analysis Tool Account
Create / Update
Analysis Tool Account can be created or updated.
All Users
Messaging Account
Read
Release | Control access (read, create, configure, execute etc.) to specific releases for FlexDeploy groups. You can configure this for a release or folder. Configurations at folder level apply to all releases contained in it. See Release Security. This model allows for restricting configuration edits of releases to specific groups and still allow others to view and execute snapshots on releases. | ||
Release | Update Security | Security on the release level can be updated. FlexDeploy groups can be mapped to permissions for the release. By default, only FD Administrators can modify Release Security unless a group is added to Grant Permissions on a release. | Technical Leads / FD Administrators |
Report | Read | Reports can be read. | All Users |
Resource Type | Read | Resource type details can be read. |
All Users
Messaging Account
Create / Update
Messaging Account details can be created and updated.
All Users
Containers Account
Read
@since 7.0.0.3 All users have access to reading resource type details. | |||
Resource Type | Create / Update / Delete | Resource types can be created, updated, or deleted. | FD Administrators |
Scheduled Event Function @since 7.0.0.3 | Read | Scheduled event functions can be read. | All Users |
Scheduled Event Function @since 7.0.0.3 | Create / Update |
Scheduled event functions can be created |
All Users
Other Tools Account
Read
Other Tools Account details can be read.
FD Administrators, DBA, Middleware Administrators
Other Tools Account
Create / Update
Other Tools Account can be created and updated.
FD Administrators, DBA, Middleware Administrators
Account Provider
Read
Account providers for cloud accounts can be read.
All Users
Account Provider
Create / Update
Account providers (custom) for cloud accounts can be created or updated.
All Users
User
Read
User information can be read. Users management is restricted to Administrator users.
All Users
Group
Read
Group information can be read. Group management is restricted to Administrator users.
All Users
Realm
Read
Realm information can be read. Realm configuration is restricted to Administrator users.
All Users
Credential
Read
Credential details can be read. Note that secret text like password can never be read in clear text, hence you can only see details necessary to request credential from store.
All Users
Credential
Create / Update
Credential details including secret text like password can be be entered.
FD Administrators, DBA, Middleware Administrators
Credential
Delete
Credential can be deleted if not used.
FD Administrators, DBA, Middleware Administrators
Credential Store
Read
Credential store details can be read. Management of stores is restricted for Administrators.
All Users
Credential Store Provider
Read
Credential store providers can be read. Management of store providers is restricted for Administrators.
All Users
or updated. | Technical Leads / FD Administrators | ||
Scheduled Event Message @since 7.0.0.3 | Read - View Tracking | Scheduled event messages screen can be viewed. | All Users |
Scheduled Event Message @since 7.0.0.3 | View Logs | Scheduled event message logs can be viewed. | Technical Leads / Developers |
Scheduled Event Message @since 7.0.0.3 | Execute - Resubmit Message | Scheduled event message can be resubmitted. | Technical Leads / Developers |
Scheduled Task | Read | Scheduled task (deployment outside of pipeline waiting for schedule) can be read. All users have access to reading scheduled tasks. | |
Scheduled Task | Update | Scheduled task (deployment outside of pipeline waiting for schedule) can be overridden, allows immediate run of deployment. | Change Management / Operations |
Scheduled Window Setup | Read | Schedule Windows (for Project execution) can be read. Schedule Windows are setup on Folder and applies to all projects under it, unless overridden in folder hierarchy. | All Users |
Scheduled Window Setup | Create / Update Delete | Schedule Windows (for Project execution) can be created, updated, or deleted. | FD Administrators |
Tag | Read | Tag details can be read. All users have access to reading tag details. | |
Tag | Create / Update | Tags can be created and updated. All users have access to create tags but can only update tags they created. | |
Tag | Delete | Tags can be deleted. | |
Target Group | Read | Topology target groups can be read. This permission is inherited by each target group and can be overridden. | All Users |
Target Group | Create | Topology target groups can be created. | FD Administrators |
Target Group | Update / Delete | Topology target groups can be updated and deleted. This permission is inherited by each target group and can be overridden. | FD Administrators |
System Settings | Read | System settings can be read. | |
System Settings | Update | System settings can be updated. | |
User | Read | User information can be read. | All Users |
User | Create / Update | Users can be created and user information (username, realm, group, email, etc.) can be updated. | FD Administrators |
Webhook Functions (Incoming) | Read | Webhook functions can be read. | All Users |
Webhook Functions (Incoming) | Create / Update | Webhook functions can be created and updated. | Technical Leads |
/ Developers | |||
Webhook Functions (Incoming) | Delete | Webhook functions can be deleted. | Technical Leads / FD Administrators |
Webhook |
Listener (Outgoing) | Read | Webhook |
Listener can be |
read. | All Users |
Webhook |
Listener (Outgoing) | Create / Update | Webhook |
Listener can be created |
or updated. | Technical Leads |
/ FD Administrators | |||
Webhook Messages (Incoming / Outgoing) | Read - View Tracking | Webhook messages screen can be viewed. | All Users |
Webhook Messages (Incoming / Outgoing) | View Logs | Webhook message logs can be viewed. | Technical Leads |
/ Developers | |||
Webhook Messages (Incoming / Outgoing) | View Content | Webhook message payload, query params and headers can be viewed. | Technical Leads |
/ Developers | |||
Webhook Messages (Incoming / Outgoing) | Execute - Resubmit Message | Webhook message can be resubmitted. | Technical Leads |
/ Developers |
Webhook Providers (Incoming) | Read |
Webhook providers can be |
viewed. | All Users |
Monitor Containers
Start/Stop
Containers can be started and stopped
FD Administrators, DBA, Technical Leads
Notification Templates
Read
Notification Templates can be read
All Users
Notification Templates
Create / Update
Custom Notification Templates can be created and updated
FD Administrators
Notification Templates
Delete
Custom Notification Templates can be deleted
FD Administrators
Deployment Permissions
Allows control over which environments the group is allowed to perform deployments to.
...
Webhook Providers (Incoming) | Create / Update | Webhook providers can be created and updated. | Technical Leads / Developers |
Work Item | Create / Modify Fields | Work Items can be created and fields can be modified, such as assignee, status, type etc. | Technical Leads / Developers |
Work Item | Delete | Work Items can be deleted. | Technical Leads / FD Administrators |
Work Item | Comments and Attachment Create | Fields cannot be modified but comments and attachments can be added. | All Users |
Work Item | Administration | Ability to view and configure administration options for Work Items such as custom fields and statuses. | FD Administrators |
Workflow | Read | Workflow (build, deploy, test etc.) can be read. This contains execution code for build and deployment. | All Users |
Workflow | Create / Update | Workflow (build, deploy, test etc.) can be created or updated. This contains execution code for build and deployment. | FD Administrators |