FlexDeploy provides its own proprietary repository for managing security, including users, groups, and permissions. The implementation provides a fine-grained permission model so that groups can be configured to match the roles and responsibilities of any organization. FlexDeploy also supports LDAP and Active Directory integration for user authentication. You can also enable Single Sign-On and Multi-Factor Authentication using an external service or a corporate security solution.
Security administration is restricted to FlexDeploy Administrators only.
See the authentication and authorization summary below for quick reference.
You can configure users in the FlexDeploy internal realm or use an external LDAP server.
To control access to various parts of FlexDeploy, you configure permissions for FlexDeploy groups. FlexDeploy supports both coarse-grained and fine-grained permissions; see below for details.
Permissions are mainly controlled using FlexDeploy groups, even when using an external realm. When using an external realm, you can map external directory groups to FlexDeploy groups. Group mapping reduces security maintenance when new users start using FlexDeploy.
Object Type | Permission | Notes | General Recommendation |
---|---|---|---|
Project¹ | Read | Project read is allowed, i.e. project can be opened by user. | All Users |
Project¹ | View Logs | Project execution and associated logs can be viewed. | All Users |
Project¹ | Create Folder/Application/Project | Project, folder, application can be created. | Technical Leads |
Project¹ | Configure Folder/Application/Project | Project, folder, application can be configured. | Technical Leads |
Project¹ | Configure Files | Project files can be populated, updated and evaluated. | Developers, Technical Leads |
Project¹ | Configure Commands | Deployment commands (EBS) can be updated. This should be restricted to admin users. | FD Administrators |
Project¹ | Execute | Project build/deploy/test request can be submitted. Deployment environments are further controlled by Deployment Permissions. | Developers, Technical Leads |
Project | Page View | Allows access to Project menu. | All Users |
Approval Setup | Read | Approvals (outside of pipeline) can be read. | All Users |
Approval Setup | Create / Update | Approvals (outside of pipeline) can be created or updated. | Change Management/Operations |
Window Setup | Read | Schedule windows (outside of pipeline) can be read. | All Users |
Window Setup | Create / Update | Schedule windows (outside of pipeline) can be created or updated. | Change Management/Operations |
Notification Setup | Read | Configured notifications (email) can be read. | All Users |
Notification Setup | Create / Update | Additional notifications (email) can be created or updated. | All Users |
Notification Setup | Delete | Additional notifications (email) can be deleted. | All Users |
Workflow | Read | Workflow (build, deploy, test, etc.) can be read. This contains execution code for build and deployment. | All Users |
Workflow | Create / Update | Workflow (build, deploy, test, etc.) can be created or updated. This contains execution code for build and deployment. | FD Administrators |
Release² | Read | Release (collection of projects for specific delivery) can be read. | All Users |
Release² | Create/Update | Release (collection of projects for specific delivery) can be created or updated. | Change Management/Operations |
Release² | Create Snapshot | Creating a snapshot is the process of including a build version in the release. Developers can be responsible for this as well. | Developers, Technical Leads |
Release² | Configure Project List | Projects and packages can be added or removed from release. | Developers, Technical Leads |
Release² | Configure Pipeline | Pipeline can be configured on release with this permission. Access to Override members on Teams tab is also controlled by this permission. | Change Management/Operations |
Release² | Configure CMS | Change management system details can be configured on release with this permission. | Change Management/Operations |
Release² | Manage Lifecycle | Release start, pause, end actions are allowed with this permission. | Change Management/Operations |
Release² | Grant Permissions | Release permissions can be changed with this permission; otherwise, Administrator users can configure permissions. | FD Administrators |
Pipeline | Read | Pipeline can be read. A pipeline defines the promotion process through various environments. | All Users |
Pipeline | Update | Pipeline can be created or updated. | FD Administrators |
Report | Read | Reports can be read. | All Users |
Environment Instance | Read | Topology object read permission. | All Users |
Environment Instance | Create / Update | Topology object update permission. Allows update to properties like folder, user, password etc. | FD Administrators |
Environment | Read | Topology object read permission. | All Users |
Environment | Create / Update | Topology environment can be created or updated. | FD Administrators |
Instance | Read | Topology object read permission. | All Users |
Instance | Create / Update | Deployment target (logical) can be created or updated. | FD Administrators |
Endpoint | Read | Endpoint (SSH configuration) to connect to target nodes can be read. | All Users |
Endpoint | Update | Endpoint (SSH configuration) to connect to target nodes can be created or updated. | FD Administrators |
Scheduled Task | Read | Scheduled task (deployment outside of pipeline waiting for schedule) can be read. | All Users |
Scheduled Task | Update | Scheduled task (deployment outside of pipeline waiting for schedule) can be overridden, which allows an immediate run of the deployment. | Change Management/Operations |
Plugin | Read | Plugin details can be read. | All Users |
Plugin | Upload | Plugin can be uploaded and activated. Generally restricted to Administrators. | FD Administrators |
Property Set | Read | Configured property details (plugin or workflow based) can be read. Internal details. | All Users |
Template | Read | Templates can be read. Templates allow creation of projects using CSV input data. | All Users |
Template | Create / Update | Templates can be created or updated. | FD Administrators |
Defaults | Read | Defaults can be read. Defaults allow some customizable defaults when new objects are created in FlexDeploy. | All Users |
Defaults | Update | Defaults configuration can be updated. | FD Administrators |
FlexField | Read | FlexField configurations can be read. FlexFields are custom inputs to build and deploy workflow requests. | All Users |
FlexField | Update | FlexFields can be configured (enabled). | FD Administrators |
Test Type | Read | Test type names can be read. | All Users |
Test Type | Create / Update | Test type names can be created or updated. | FD Administrators |
Object Type | Read | Object Type customization details can be read. Customization is restricted to Administrator users. | All Users |
Testing Tool | Read | Testing tools configurations can be read. | All Users |
Testing Tool | Create / Update | Custom testing tool configurations can be created or updated. | FD Administrators |
Issue Tracking System | Read | Issue tracking system configurations can be read. | All Users |
Issue Tracking System | Update | Global configurations for Issue Tracking Systems can be updated. | FD Administrators |
Change Management System | Read | Change management system configurations can be read. | All Users |
Change Management System | Update | Global configurations for change management systems can be updated. | FD Administrators |
Cloud Account | Read | Cloud Account details can be read. | All Users |
Cloud Account | Create / Update | Cloud Account can be created or updated. | FD Administrators |
Artifact Repository Account | Read | Artifact Repository Account details can be read. | All Users |
Artifact Repository Account | Create / Update | Artifact Repository Account can be created or updated. | FD Administrators |
CI Server Account | Read | CI Server Account details can be read. | All Users |
CI Server Account | Create / Update | CI Server Account can be created or updated. | All Users |
Analysis Tool Account | Read | Analysis Tool Account details can be read. | All Users |
Analysis Tool Account | Create / Update | Analysis Tool Account can be created or updated. | All Users |
Other Tools Account | Read | Other Tools Account details can be read. | FD Administrators, DBA, Middleware Administrators |
Other Tools Account | Create / Update | Other Tools Account can be created or updated. | FD Administrators, DBA, Middleware Administrators |
Account Provider | Read | Account providers for cloud accounts can be read. | All Users |
Account Provider | Create / Update | Account providers (custom) for cloud accounts can be created or updated. | All Users |
User | Read | User information can be read. User management is restricted to Administrator users. | All Users |
Group | Read | Group information can be read. Group management is restricted to Administrator users. | All Users |
Realm | Read | Realm information can be read. Realm configuration is restricted to Administrator users. | All Users |
Credential | Read | Credential details can be read. Note that secret text like password can never be read in clear text, hence you can only see details necessary to request credential from store. | All Users |
Credential | Create / Update | Credential details including secret text like password can be entered. | FD Administrators, DBA, Middleware Administrators |
Credential | Delete | Credential can be deleted if not used. | FD Administrators, DBA, Middleware Administrators |
Credential Store | Read | Credential store details can be read. Management of stores is restricted to Administrators. | All Users |
Credential Store Provider | Read | Credential store providers can be read. Management of store providers is restricted to Administrators. | All Users |
Webhook Functions | Read | Webhook functions can be read. | All Users |
Webhook Functions | Create / Update | Webhook functions can be created or updated. | Technical Leads, Developers |
Webhook Functions | Delete | Webhook functions can be deleted. | Technical Leads |
Webhook Providers | Read | Webhook providers can be viewed. | All Users |
Webhook Providers | Create / Update | Webhook providers can be created or updated. | Technical Leads, Developers |
Webhook Messages | Read - View Tracking | Webhook messages screen can be viewed. | All Users |
Webhook Messages | View Logs | Webhook message logs can be viewed. | Technical Leads, Developers |
Webhook Messages | View Content | Webhook message payload, query params and headers can be viewed. | Technical Leads, Developers |
Webhook Messages | Execute - Resubmit Message | Webhook message can be resubmitted. | Technical Leads, Developers |
Deployment Permissions | Controls which environments a user is allowed to deploy to. |
1 - Project-level permissions can be set up at an individual project, folder or application (folder or application level setup will apply to child folders and projects unless overridden).
2 - Release-level permissions can be set up for an individual release.
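
An added example, not FlexDeploy's own code or export format: because permissions follow group mapping, an audit has to join directory groups to FlexDeploy groups to grants and compare the result with the General Recommendation column. The directory DNs, group names and grants are constructed sample data, and treating the recommendation labels as FlexDeploy group names is an assumption.

```python
# Added example; every group name, DN and grant below is constructed sample data.
# Keys are (object type, permission) rows from the table; values are the roles
# its "General Recommendation" column names, assumed here to be FlexDeploy groups.
RECOMMENDED = {
    ("Project", "Configure Commands"): {"FD Administrators"},
    ("Workflow", "Create / Update"): {"FD Administrators"},
    ("Plugin", "Upload"): {"FD Administrators"},
    ("Endpoint", "Update"): {"FD Administrators"},
    ("Credential", "Create / Update"):
        {"FD Administrators", "DBA", "Middleware Administrators"},
}

# Constructed group mapping: external directory group -> FlexDeploy groups.
GROUP_MAPPING = {
    "CN=app-dev,OU=Groups,DC=example,DC=com": {"Developers"},
    "CN=platform-ops,OU=Groups,DC=example,DC=com": {"FD Administrators"},
    "CN=contractors,OU=Groups,DC=example,DC=com": {"Developers", "FD Administrators"},
}

# Constructed grants as configured on each FlexDeploy group.
GRANTS = {
    "Developers": {("Project", "Execute"), ("Workflow", "Create / Update")},
    "FD Administrators": set(RECOMMENDED),
}


def grants_beyond_recommendation():
    """Grants on audited rows held by a group the recommendation does not name."""
    return sorted(
        (group, row)
        for group, rows in GRANTS.items()
        for row in rows
        if row in RECOMMENDED and group not in RECOMMENDED[row]
    )


def directory_paths_to(row):
    """(directory group, FlexDeploy group) pairs through which `row` is reachable."""
    return sorted(
        (dir_group, fd_group)
        for dir_group, fd_groups in GROUP_MAPPING.items()
        for fd_group in fd_groups
        if row in GRANTS.get(fd_group, set())
    )


if __name__ == "__main__":
    for group, row in grants_beyond_recommendation():
        print("over-granted:", group, row)
    for row in sorted(RECOMMENDED):
        print(row, "reachable via", directory_paths_to(row))
```

Each path it reports is a directory group whose membership changes, made outside FlexDeploy, confer that permission, so those directory groups need the same change control as the FlexDeploy groups they map to.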