FlexDeploy provides its own proprietary repository for managing security, including users, groups, and permissions. The implementation provides a fine-grained permission model so that groups can be configured to match the roles and responsibilities of any organization. FlexDeploy also supports LDAP and Active Directory integration for user authentication.
Security administration is restricted to FlexDeploy Administrators only.
Security Administration
See authentication and authorization summary details below for quick reference.
Authentication
You can configure users in FlexDeploy internal realm or use external LDAP server.
- See Users to maintain users in FlexDeploy internal realm. If you use this option then you are not relying on external directory servers.
- You can use Active Directory or other LDAP server for authentication and authorization, see Realms for reference. FlexDeploy user record will still be created when user from external LDAP server logs in for first time. See new user process on Realms page.
- You can also use both internal as well external realm for users. Users will be first authenticated against external realms and if not successful internal realm will be used.
Authorization
In order to control access to various parts of FlexDeploy, you will be configuring permissions for FlexDeploy groups. FlexDeploy supports coarse and finer grained permissions, see below for details.
Permissions are mainly controlled using FlexDeploy Groups even when using external realm. When using external realm, you can map external directory groups to FlexDeploy groups. Group mapping allows for less security maintenance when new users start using FlexDeploy.
- Use global permissions control access to various objects in FlexDeploy. Global permissions do not control access at individual item level but rather at entire object level, i.e. if you grant Create / Update access for Workflow to group, members of that group can create or update any workflow. See global permissions for FlexDeploy group.
- Use deployment permissions to restrict available environments on deployment request form. See deployment permissions for FlexDeploy group. For example, if you want to restrict specific group of users from deploying environments other than development and test, then configure deployment permissions accordingly. Alternatively, you can allow for deployment to all environments and setup approvals using FlexDeploy approvals or external change management system approvals.
- Finer grained permissions
- Project - control access (read, create, configure, execute etc.) to specific projects for FlexDeploy groups. You can configure this for a project or folder. Configurations at folder level apply to all projects contained in it. See Project Security. This model allows for restricting configuration edits of projects to specific groups and still allow others to view and execute build / deploy on projects.
- Release - control access (read, configure, execute etc.) to specific release for FlexDeploy groups. You can configure this using global permissions and override at specific release as necessary. See Release Security.
- Pipeline - control access (abort, replay, skip etc.) on pipeline execution. Pipeline allows for abstraction in to roles that are mapped to FlexDeploy group and/or users. For example, developers, leaders, managers, operators etc. are some examples of pipeline roles. You can define permissions on each pipeline role. See Pipeline team security.
Permission Matrix
| Object Type | Permission | Notes |
|---|---|---|
| Project1 | Read | Project read is allowed, i.e. project can be opened by user. |
| Project1 | View Logs | Project execution and associated logs can be viewed. |
| Project1 | Create Folder/Application/Project | Project, folder, application can be created. |
| Project1 | Configure Folder/Application/Project | Project, folder, application can be configured. |
| Project1 | Configure Files | Project files can be populated and updated. |
| Project1 | Configure Commands | Deployment commands (EBS) can be updated. This should be restricted to admin users. |
| Project1 | Execute | Project build/deploy/test request can be submitted. Deployment environments are further controlled by Deployment Permissions. |
| Project | Page View | Allows access to Project menu. |
| Approval Setup | Read | Approvals (outside of pipeline) can be read. |
| Approval Setup | Create / Update | Approvals (outside of pipeline) can be created or updated. |
| Window Setup | Read | Schedule windows (outside of pipeline) can be read. |
| Window Setup | Create / Update | Schedule windows (outside of pipeline) can be created or updated. |
| Notification Setup | Read | Configured notifications (email) can be read. |
| Notification Setup | Create / Update | Additional notifications (email) can be created or updated. |
| Notification Setup | Delete | Additional notifications (email) can be deleted. |
| Workflow | Read | Workflow (build,deploy, test etc.) can be read. This contains execution code for build and deployment. |
| Workflow | Create / Update | Workflow (build,deploy, test etc.) can be created or updated. This contains execution code for build and deployment. |
| Release2 | Read | Release (collection of projects for specific delivery) can be read. |
| Release2 | Create/Update | Release (collection of projects for specific delivery) can be created or updated. |
| Release2 | Create Snapshot | Create snapshot is process of including build version in to release. Developer can be responsible for this as well. |
| Release2 | Configure Project List | Projects and packages can be added or removed from release. |
| Release2 | Configure Pipeline | Pipeline can be configured on release with this permission. |
| Release2 | Configure CMS | Change management system details can be configured on release with this permission. |
| Release2 | Manage Lifecycle | Release start, pause, end actions are allowed with this permission. |
| Release2 | Grant Permissions | Release permission can be changed with this permission, otherwise Administrator users can configure permissions. |
| Pipeline | Read | Pipeline can be read. Pipeline defined promotion process through various environments. |
| Pipeline | Update | Pipeline can be created or updated. |
| Report | Read | Reports can be read. |
| Environment Instance | Read | Topology object read permission. |
| Environment Instance | Create / Update | Topology object update permission. Allows update to properties like folder, user, password etc. |
| Environment | Read | Topology object read permission. |
| Environment | Create / Update | Topology environment can be created or updated. |
| Instance | Read | Topology object read permission. |
| Instance | Create / Update | Deployment target (logical) can be created or updated. |
| Endpoint | Read | Endpoint (SSH configuration) to connect to target nodes can be read. |
| Endpoint | Update | Endpoint (SSH configuration) to connect to target nodes can be created or updated. |
| Scheduled Task | Read | Scheduled task (deployment outside of pipeline waiting for schedule) can be read. |
| Scheduled Task | Update | Scheduled task (deployment outside of pipeline waiting for schedule) can be overriden, allows immediate run of deployment. |
| Plugin | Read | Plugin details can be read. |
| Plugin | Upload | Plugin can be uploaded and activated. Generally restricted to Administrators. |
| Property Set | Read | Configured property details (plugin or workflow based) can be read. Internal details. |
| Template | Read | Templates can be read. Templates allow creation of projects using CSV input data. |
| Template | Create / Update | Templates can created or updated. |
| Defaults | Read | Defaults can be read. Defaults allow some customizable defaults when new objects are created in FlexDeploy. |
| Defaults | Update | Defaults configuration can be updated. |
| FlexField | Read | FlexField configurations can be read. FlexFields are custom inputs to build and deploy workflow requests. |
| FlexField | Update | FlexFields can be configured (enalbed) |
| Test Type | Read | Test type names can be read. |
| Test Type | Create / Update | Test type names can be created or updated. |
| Object Type | Read | Object Type customization details can be read. Customization is restricted to Administrator users. |
| Testing Tool | Read | Testing tools configurations can be read. |
| Testing Tool | Create / Update | Cutom testing tools configurations can be created or updated. |
| Issue Tracking System | Read | Issue tracking system configurations can be read. |
| Issue Tracking System | Update | Global configurations for Issue Tracking Systems can be updated. |
| Change Management System | Read | Change management system configurations can be read. |
| Change Management System | Update | Global configurations for change management systems can be updated. |
| Cloud Account | Read | Cloud Account details can be read. |
| Cloud Account | Create / Update | Cloud Account can be created or updated. |
| Account Provider | Read | Account providers for cloud accounts can be read. |
| Account Provider | Create / Update | Account providers (custom) for cloud accounts can be created or updated. |
| User | Read | User information can be read. Users management is restricted to Administrator users. |
| Group | Read | Group information can be read. Group management is restricted to Administrator users. |
| Realm | Read | Realm information can be read. Realm configuration is restricted to Administrator users. |
| Credential | Read | Credential details can be read. Note that secret text like password can never be read in clear text, hence you can only see details necessary to request credential from store. |
| Credential | Create / Update | Credential details including secret text like password can be be entered. |
| Credential | Delete | Credential can be deleted if not used. |
| Credential Store | Read | Credential store details can be read. Management of stores is restricted for Administrators. |
| Credential Store Provider | Read | Credential store providers can be read. Management of store providers is restricted for Administrators. |
| Deployment Permissions | Allows control which environments user is allowed to perform deployment. |
1 - Project level permissions can be setup at individual project, folder or application (folder or application level setup will apply to child folder and projects unless overridden).
2 - Release level permissions can be setup for individual release.