FlexDeploy provides its own proprietary repository for managing security, including users, groups, and permissions. The implementation provides a fine-grained permission model so that groups can be configured to match the roles and responsibilities of any organization. FlexDeploy also supports LDAP and Active Directory integration for user authentication. Additionally, you can also enable Single Sign-On and Multi Factor Authentication using external service or corporate security solution.

Security administration is restricted to FlexDeploy Administrators only.

Security Administration

See authentication and authorization summary details below for quick reference.

Authentication

You can configure users in FlexDeploy internal realm or use external LDAP server.

See Users to maintain users in FlexDeploy internal realm. If you use this option then you are not relying on external directory servers.
You can use Active Directory or other LDAP server for authentication and authorization, see Realms for reference. FlexDeploy user record will still be created when user from external LDAP server logs in for first time. See new user process on Realms page.
You can also use both internal as well external realm for users. Users will be first authenticated against external realms and if not successful internal realm will be used.

Authorization

In order to control access to various parts of FlexDeploy, you will be configuring permissions for FlexDeploy groups. FlexDeploy supports coarse and finer grained permissions, see below for details.

Permissions are mainly controlled using FlexDeploy Groups even when using external realm. When using external realm, you can map external directory groups to FlexDeploy groups. Group mapping allows for less security maintenance when new users start using FlexDeploy.

Use global permissions control access to various objects in FlexDeploy. Global permissions do not control access at individual item level but rather at entire object level, i.e. if you grant Create / Update access for Workflow to group, members of that group can create or update any workflow. See global permissions for FlexDeploy group.
Use deployment permissions to restrict available environments on deployment request form. See deployment permissions for FlexDeploy group. For example, if you want to restrict specific group of users from deploying environments other than development and test, then configure deployment permissions accordingly. Alternatively, you can allow for deployment to all environments and setup approvals using FlexDeploy approvals or external change management system approvals.
Finer grained permissions
1. Project - control access (read, create, configure, execute etc.) to specific projects for FlexDeploy groups. You can configure this for a project or folder. Configurations at folder level apply to all projects contained in it. See Project Security. This model allows for restricting configuration edits of projects to specific groups and still allow others to view and execute build / deploy on projects.
2. Release - control access (read, configure, execute etc.) to specific release for FlexDeploy groups. You can configure this using global permissions and override at specific release as necessary. See Release Security.
3. Pipeline - control access (abort, replay, skip etc.) on pipeline execution. Pipeline allows for abstraction in to roles that are mapped to FlexDeploy group and/or users. For example, developers, leaders, managers, operators etc. are some examples of pipeline roles. You can define permissions on each pipeline role. See Pipeline team security.

Permission Matrix

Object Type	Permission	Notes	General Recommendation
Project¹	Read	Project read is allowed, i.e. project can be opened by user.	All Users
Project¹	View Logs	Project execution and associated logs can be viewed.	All Users
Project¹	Create Folder/Application/Project	Project, folder, application can be created.	Technical Leads
Project¹	Configure Folder/Application/Project	Project, folder, application can be configured.	Technical Leads
Project¹	Configure Files	Project files can be populated, updated and evaluated.	Developers, Technical Leads
Project¹	Configure Commands	Deployment commands (EBS) can be updated. This should be restricted to admin users.	FD Administrators
Project¹	Execute	Project build/deploy/test request can be submitted. Deployment environments are further controlled by Deployment Permissions.	Developers, Technical Leads
Project	Page View	Allows access to Project menu.	All Users
Approval Setup	Read	Approvals (outside of pipeline) can be read.	All Users
Approval Setup	Create / Update	Approvals (outside of pipeline) can be created or updated.	Change Management/Operations
Window Setup	Read	Schedule windows (outside of pipeline) can be read.	All Users
Window Setup	Create / Update	Schedule windows (outside of pipeline) can be created or updated.	Change Management/Operations
Notification Setup	Read	Configured notifications (email) can be read.	All Users
Notification Setup	Create / Update	Additional notifications (email) can be created or updated.	All Users
Notification Setup	Delete	Additional notifications (email) can be deleted.	All Users
Workflow	Read	Workflow (build,deploy, test etc.) can be read. This contains execution code for build and deployment.	All Users
Workflow	Create / Update	Workflow (build,deploy, test etc.) can be created or updated. This contains execution code for build and deployment.	FD Administrators
Release²	Read	Release (collection of projects for specific delivery) can be read.	All Users
Release²	Create/Update	Release (collection of projects for specific delivery) can be created or updated.	Change Management/Operations
Release²	Create Snapshot	Create snapshot is process of including build version in to release. Developer can be responsible for this as well.	Developers, Technical Leads
Release²	Configure Project List	Projects and packages can be added or removed from release.	Developers, Technical Leads
Release²	Configure Pipeline	Pipeline can be configured on release with this permission. Access to Override members on Teams tab is also controlled by this permission.	Change Management/Operations
Release²	Configure CMS	Change management system details can be configured on release with this permission.	Change Management/Operations
Release²	Manage Lifecycle	Release start, pause, end actions are allowed with this permission.	Change Management/Operations
Release²	Grant Permissions	Release permission can be changed with this permission, otherwise Administrator users can configure permissions.	FD Administrators
Pipeline	Read	Pipeline can be read. Pipeline defined promotion process through various environments.	All Users
Pipeline	Update	Pipeline can be created or updated.	FD Administrators
Report	Read	Reports can be read.	All Users
Environment Instance	Read	Topology object read permission.	All Users
Environment Instance	Create / Update	Topology object update permission. Allows update to properties like folder, user, password etc.	FD Administrators
Environment	Read	Topology object read permission.	All Users
Environment	Create / Update	Topology environment can be created or updated.	FD Administrators
Instance	Read	Topology object read permission.	All Users
Instance	Create / Update	Deployment target (logical) can be created or updated.	FD Administrators
Endpoint	Read	Endpoint (SSH configuration) to connect to target nodes can be read.	All Users
Endpoint	Update	Endpoint (SSH configuration) to connect to target nodes can be created or updated.	FD Administrators
Scheduled Task	Read	Scheduled task (deployment outside of pipeline waiting for schedule) can be read.	All Users
Scheduled Task	Update	Scheduled task (deployment outside of pipeline waiting for schedule) can be overriden, allows immediate run of deployment.	Change Management/Operations
Plugin	Read	Plugin details can be read.	All Users
Plugin	Upload	Plugin can be uploaded and activated. Generally restricted to Administrators.	FD Administrators
Property Set	Read	Configured property details (plugin or workflow based) can be read. Internal details.	All Users
Template	Read	Templates can be read. Templates allow creation of projects using CSV input data.	All Users
Template	Create / Update	Templates can created or updated.	FD Administrators
Defaults	Read	Defaults can be read. Defaults allow some customizable defaults when new objects are created in FlexDeploy.	All Users
Defaults	Update	Defaults configuration can be updated.	FD Administrators
FlexField	Read	FlexField configurations can be read. FlexFields are custom inputs to build and deploy workflow requests.	All Users
FlexField	Update	FlexFields can be configured (enalbed)	FD Administrators
Test Type	Read	Test type names can be read.	All Users
Test Type	Create / Update	Test type names can be created or updated.	FD Administrators
Object Type	Read	Object Type customization details can be read. Customization is restricted to Administrator users.	All Users
Testing Tool	Read	Testing tools configurations can be read.	All Users
Testing Tool	Create / Update	Cutom testing tools configurations can be created or updated.	FD Administrators
Issue Tracking System	Read	Issue tracking system configurations can be read.	All Users
Issue Tracking System	Update	Global configurations for Issue Tracking Systems can be updated.	FD Administrators
Change Management System	Read	Change management system configurations can be read.	All Users
Change Management System	Update	Global configurations for change management systems can be updated.	FD Administrators
Cloud Account	Read	Cloud Account details can be read.	All Users
Cloud Account	Create / Update	Cloud Account can be created or updated.	FD Administrators
Artifact Repository Account	Read	Artifact Repository Account details can be read.	All Users
Artifact Repository Account	Create / Update	Artifact Repository Account can be created or updated.	FD Administrators
CI Server Account	Read	CI Server Account details can be read.	All Users
CI Server Account	Create / Update	CI Server Account can be created or updated.	All Users
Analysis Tool Account	Read	Analysis Tool Account details can be read.	All Users
Analysis Tool Account	Create / Update	Analysis Tool Account can be created or updated.	All Users
Other Tools Account	Read	Other Tools Account details can be read.	FD Administrators, DBA, Middleware Administrators
Other Tools Account	Create / Update	Other Tools Account can be created or updated.	FD Administrators, DBA, Middleware Administrators
Account Provider	Read	Account providers for cloud accounts can be read.	All Users
Account Provider	Create / Update	Account providers (custom) for cloud accounts can be created or updated.	All Users
User	Read	User information can be read. Users management is restricted to Administrator users.	All Users
Group	Read	Group information can be read. Group management is restricted to Administrator users.	All Users
Realm	Read	Realm information can be read. Realm configuration is restricted to Administrator users.	All Users
Credential	Read	Credential details can be read. Note that secret text like password can never be read in clear text, hence you can only see details necessary to request credential from store.	All Users
Credential	Create / Update	Credential details including secret text like password can be be entered.	FD Administrators, DBA, Middleware Administrators
Credential	Delete	Credential can be deleted if not used.	FD Administrators, DBA, Middleware Administrators
Credential Store	Read	Credential store details can be read. Management of stores is restricted for Administrators.	All Users
Credential Store Provider	Read	Credential store providers can be read. Management of store providers is restricted for Administrators.	All Users
Webhook Functions	Read	Webhook functions can be read.	All Users
Webhook Functions	Create / Update	Webhook functions can be created or updated.	Technical Leads, Developers
Webhook Functions	Delete	Webhook functions can be deleted.	Technical Leads
Webhook Providers	Read	Webhook providers can be viewed.	All Users
Webhook Providers	Create / Update	Webhook providers can be created or updated.	Technical Leads, Developers
Webhook Messages	Read - View Tracking	Webhook messages screen can be viewed.	All Users
Webhook Messages	View Logs	Webhook message logs can be viewed.	Technical Leads, Developers
Webhook Messages	View Content	Webhook message payload, query params and headers can be viewed.	Technical Leads, Developers
Webhook Messages	Execute - Resubmit Message	Webhook message can be resubmitted.	Technical Leads, Developers
Deployment Permissions		Allows control which environments user is allowed to perform deployment.

1 - Project level permissions can be setup at individual project, folder or application (folder or application level setup will apply to child folder and projects unless overridden).

2 - Release level permissions can be setup for individual release.