Security

FlexDeploy provides its own proprietary repository for managing security, including users, groups, and permissions. The implementation provides a fine-grained permission model so that groups can be configured to match the roles and responsibilities of any organization. FlexDeploy also supports LDAP and Active Directory integration for user authentication. Additionally, you can also enable Single Sign-On and Multi Factor Authentication using external service or corporate security solution.

Security administration is restricted to FlexDeploy Administrators.

Security Administration

See authentication and authorization summary details below for quick reference.

Authentication

You can configure users in FlexDeploy internal realm or use external LDAP server.

  • See Users to maintain users in FlexDeploy internal realm. If you use this option then you are not relying on external directory servers.

  • You can use an LDAP server for authentication and authorization. See Realms for reference. A FlexDeploy user record will still be created when users from your external LDAP server login for the first time. See new user process on Realms page.

  • You can use both internal as well external realm for users. Users will be authenticated in the order defined on the Realms page.

Authorization

In order to control access to various parts of FlexDeploy, you will be configuring permissions for FlexDeploy groups. FlexDeploy supports coarse and finer grained permissions, see below for details.

Permissions are controlled using FlexDeploy Groups even when using external realm. When using external realm, you can map external directory groups to FlexDeploy groups. Group mapping allows for less security maintenance when new users start using FlexDeploy.

  • Use global permissions to control access to various objects in FlexDeploy. Global permissions do not control access at individual item level but rather at entire object level, i.e. if you grant Create / Update access for Workflow to group, members of that group can create or update any workflow. See Global Permissions for more information.

  • Use deploy permissions to restrict available environments on deployment request form. See Deploy Permissions. For example, if you want to restrict specific group of users from deploying environments other than development and test, then configure deployment permissions accordingly. Alternatively, you can allow for deployment to all environments and setup approvals using FlexDeploy approvals or external change management system approvals.

  • Finer grained permissions

    1. Folder - control access (read, create, configure, etc.) to specific folders for FlexDeploy groups. Configurations from parent folders are inherited and can be overridden by all child folders. See Folder Security. This model allows for restricting configuration edits of folders to specific groups and still allow others to view and manage other folder. Only FD Administrators can modify Folder Security.

    2. Project - control access (read, create, configure, execute etc.) to specific projects for FlexDeploy groups. You can configure this for a project or folder. Configurations at folder level apply to all projects contained in it. See Project Security. This model allows for restricting configuration edits of projects to specific groups and still allow others to view and execute build / deploy on projects. Only FD Administrators can modify Project Security.

    3. Release - control access (read, create, configure, execute etc.) to specific releases for FlexDeploy groups. You can configure this for a release or folder. Configurations at folder level apply to all releases contained in it. See Release Security. This model allows for restricting configuration edits of releases to specific groups and still allow others to view and execute snapshots on releases. By default, only FD Administrators can modify Release Security unless a group is given Grant Permissions on a release.

    4. Pipeline - control access (abort, replay, skip etc.) on pipeline execution. Pipeline allows for abstraction in to roles that are mapped to FlexDeploy group and/or users. For example, developers, leaders, managers, operators etc. are some examples of pipeline roles. You can define permissions on each pipeline role. See Pipeline team security.

    5. Some object types (Environment, Target Group, Workflow) allow permissions to be granted for an individual object, for example, you can give permission to update the EBS target group to the EBS lead, but not allow them to modify other target groups. The same applies to Environments and Workflows.

Permission Matrix

Permission rows highlighted in red are only available to FD Administrators (Admin Group toggle on Group).

Object Type

Permission

Notes

General Recommendation

Object Type

Permission

Notes

General Recommendation

Admin Operations

Read / Modify

Various administration activities. Mostly used while working with Flexagon support team. Operations include Change Log Level, View and Download Logs, Run Groovy, Delete Temp Repositories, and Export Configurations.

 

Approval Setup

Read

Approvals (outside of pipeline) can be read.

All Users

Approval Setup

Create / Update

Approvals (outside of pipeline) can be created and updated.

Change Management / Operations

Blackout Window

Read

Blackout window details can be read. All users have access to reading blackout window details.

 

Blackout Window

Create / Update / Delete

Blackout windows can be created, updated, and deleted.

 

Credential

Read

Credential details can be read. Note that secret text like password can never be read in clear text, hence you can only see details necessary to request credential from store.

All Users

Credential

Create / Update

Credential details including secret text like password can be be entered. 

FD Administrators / DBA / Middleware Administrators

Credential

Delete

Credential can be deleted if not used.

FD Administrators / DBA /Middleware Administrators

Credential Store

Read

Credential store details can be read.

All Users

Credential Store

Create / Update / Delete

Credential stores can be created, updated, and deleted.

 

Credential Store Provider

Read

Credential store providers can be read.

All Users

Credential Store Provider

Create / Update / Delete

Credential store providers can be created, updated, and deleted.

 

Defaults

Read

Defaults can be read. Defaults allow some customizable defaults when new objects are created in FlexDeploy.

All Users

Defaults

Update

Defaults configuration can be updated.

FD Administrators

Endpoint

Read

Endpoint (SSH configuration) to connect to target nodes can be read.

All Users

Endpoint

Create / Update / Delete

Endpoint (SSH configuration) to connect to target nodes can be created and updated.

FD Administrators

Environment

Read

Topology environments can be read. This permission is inherited by each environment and can be overridden.

All Users

Environment

Create

Topology environments can be created.

FD Administrators

Environment

Update / Delete

Topology environments can be updated and deleted. This permission is inherited by each environment and can be overridden.

Update permission on specific Environment allows user to manage security of that specific Environment.

FD Administrators

FlexField

Read

FlexField configurations can be read. FlexFields are custom inputs to build and deploy workflow requests.

All Users

FlexField

Update

FlexFields can be configured (enabled)

FD Administrators

Folder

 

Control access (read, create, configure, etc.) to specific folders for FlexDeploy groups. Configurations from parent folders are inherited and can be overridden by all child folders. See Folder Security. This model allows for restricting configuration edits of folders to specific groups and still allow others to view and manage other folder.

 

Folder

Update Security

Security on the folder level can be updated. FlexDeploy groups can be mapped to permission for folders and the projects/releases in the folder.

 

Group

Read

Group information can be read.

All Users

Group

Create / Update

Groups can be created and group information (name, users, etc.) can be updated.

FD Administrators

Integration Instance

Read

Integration instances can be read. Integration Accounts are connection details for Source Repository, Change and Issue Management System, Cloud Providers, and more.

All Users

Integration Instance

Create / Update / Delete

Integration instances can be created, updated, or deleted.

FD Administrators

Integration Providers

Read

Integration providers can be read. Integration Providers represent other DevOps tools useful in CI/CD process.

All Users

Integration Providers

Create / Update / Delete

Integration providers can be created, updated, or deleted.

FD Administrators

License

Update

FlexDeploy product license can be updated.

 

Notification Setup

 Read

Configured notifications (email) can be read.

All Users

Notification Setup

Create / Update

Additional notifications (email) can be created and updated.

All Users

Notification Setup

Delete

Additional notifications (email) can be deleted.

All Users

Notification Templates

Read

Notification Templates can be read

All Users

Notification Templates

Create / Update

Custom Notification Templates can be created and updated

FD Administrators

Notification Templates

Create / Update

Custom Notification Templates can be deleted

FD Administrators

Patches

Read

FlexDeploy patches can be read.

 

Permissions

Read

Global and Deployment permissions can be read. User must have Group Read permission to have Permissions Read permission.

 All Users

Permissions

Update

Global and Deployment permissions can be updated.

 

Pipeline

Read

Pipeline can be read. Pipeline defined promotion process through various environments.

All Users

Pipeline

Update

Pipeline can be created or updated.

FD Administrators

Plugin

Read

Plugin details can be read.

All Users

Plugin

Upload

Plugin can be uploaded and activated. Generally restricted to Administrators. 

FD Administrators

Project

 

Control access (read, create, configure, execute etc.) to specific projects for FlexDeploy groups. You can configure this for a project or folder. Configurations at folder level apply to all projects contained in it. See Project Security. This model allows for restricting configuration edits of projects to specific groups and still allow others to view and execute build / deploy on projects.

 

Project

Update Security

Security on the project level can be updated. FlexDeploy groups can be mapped to permissions for the project.

 

Project Type

Read

Project type details (match script, default scripts, etc.) can be read. Project Types apply to specific Package-based projects.

All Users

Project Type

Update

Project types, file types, and file type attribute details can be updated.

FD Administrators

Realm

Read

Realm information can be read.

All Users

Realm

Create / Update / Delete

Realms can be created, updated, and deleted.

 

Release

 

Control access (read, create, configure, execute etc.) to specific releases for FlexDeploy groups. You can configure this for a release or folder. Configurations at folder level apply to all releases contained in it. See Release Security. This model allows for restricting configuration edits of releases to specific groups and still allow others to view and execute snapshots on releases.

 

Release

Update Security

Security on the release level can be updated. FlexDeploy groups can be mapped to permissions for the release. By default, only FD Administrators can modify Release Security unless a group is added to Grant Permissions on a release.

Technical Leads / FD Administrators

Report

Read

Reports can be read.

All Users

Resource Type

Read

Resource type details can be read.

All users have access to reading resource type details.

 

Resource Type

Create / Update / Delete

Resource types can be created, updated, or deleted.

FD Administrators

Scheduled Event Function

Read

Scheduled event functions can be read.

All Users

Scheduled Event Function

Create / Update

Scheduled event functions can be created or updated.

Technical Leads / FD Administrators

Scheduled Event Message

Read - View Tracking

Scheduled event messages screen can be viewed.

All Users

Scheduled Event Message

View Logs

Scheduled event message logs can be viewed.

Technical Leads / Developers

Scheduled Event Message

Execute - Resubmit Message

Scheduled event message can be resubmitted.

Technical Leads / Developers

Scheduled Task

Read

Scheduled task (deployment outside of pipeline waiting for schedule) can be read. All users have access to reading scheduled tasks.

 

Scheduled Task

Update

Scheduled task (deployment outside of pipeline waiting for schedule) can be overridden, allows immediate run of deployment.

Change Management / Operations

Scheduled Window Setup

Read

Schedule Windows (for Project execution) can be read. Schedule Windows are setup on Folder and applies to all projects under it, unless overridden in folder hierarchy.

All Users

Scheduled Window Setup

Create / Update Delete

Schedule Windows (for Project execution) can be created, updated, or deleted.

FD Administrators

Tag

Read

Tag details can be read. All users have access to reading tag details.

 

Tag

Create / Update

Tags can be created and updated. All users have access to create tags but can only update tags they created.

 

Tag

Delete

Tags can be deleted.

 

Target Group

Read

Topology target groups can be read. This permission is inherited by each target group and can be overridden.

All Users

Target Group

Create

Topology target groups can be created.

FD Administrators

Target Group

Update / Delete

Topology target groups can be updated and deleted. This permission is inherited by each target group and can be overridden.

Update permission on specific Target Group allows user to manage security of that specific Target Group.

FD Administrators

System Settings

Read

System settings can be read.

 

System Settings

Update

System settings can be updated.

 

User

Read

User information can be read.

All Users

User

Create / Update

Users can be created and user information (username, realm, group, email, etc.) can be updated.

FD Administrators

Webhook Functions (Incoming)

Read

Webhook functions can be read.

All Users

Webhook Functions (Incoming)

Create / Update

Webhook functions can be created and updated.

Technical Leads / Developers

Webhook Functions (Incoming)

Delete

Webhook functions can be deleted.

Technical Leads / FD Administrators

Webhook Listener (Outgoing)

Read

Webhook Listener can be read.

All Users

Webhook Listener (Outgoing)

Create / Update

Webhook Listener can be created or updated.

Technical Leads / FD Administrators

Webhook Messages (Incoming / Outgoing)

Read - View Tracking

Webhook messages screen can be viewed.

All Users

Webhook Messages (Incoming / Outgoing)

View Logs

Webhook message logs can be viewed.

Technical Leads / Developers

Webhook Messages (Incoming / Outgoing)

View Content

Webhook message payload, query parameters and headers can be viewed.

Technical Leads / Developers

Webhook Messages (Incoming / Outgoing)

Execute - Resubmit Message

Webhook message can be resubmitted.

Technical Leads / Developers

Webhook Providers (Incoming)

Read

Webhook providers can be viewed.

All Users

Webhook Providers (Incoming)

Create / Update

Webhook providers can be created and updated.

Technical Leads / Developers

Work Item

Create / Modify Fields

Work Items can be created and fields can be modified, such as assignee, status, type etc.

Technical Leads / Developers

Work Item

Delete

Work Items can be deleted.

Technical Leads / FD Administrators

Work Item

Comments and Attachment Create

Fields cannot be modified but comments and attachments can be added.

All Users

Work Item

Administration

Ability to view and configure administration options for Work Items such as custom fields and statuses.

FD Administrators

Workflow

Read

Workflows (build, deploy, test etc.) can be read. This contains execution code for build and deployment.

All Users

Workflow

Create

Workflows (build, deploy, test etc.) can be created. This contains execution code for build and deployment.

FD Administrators

Workflow

Update / Delete

Workflows (build, deploy, test etc.) can be updated and deleted. This contains execution code for build and deployment. This permission is inherited by each target group and can be overridden.

Update permission on specific Workflow allows user to manage security of that specific Workflow.

FD Administrators

 

The following macros are not currently supported in the footer:
  • style