Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

FlexDeploy provides its own proprietary repository for managing security, including users, groups, and permissions. The implementation provides a fine-grained permission model so that groups can be configured to match the roles and responsibilities of any organization. FlexDeploy also supports LDAP and Active Directory integration for user authentication. Additionally, you can also enable Single Sign-On and Multi Factor Authentication using external service or corporate security solution.

Security administration is restricted to FlexDeploy Administrators only.

Security Administration

See authentication and authorization summary details below for quick reference.

Authentication

You can configure users in FlexDeploy internal realm or use external LDAP server.

  • See Users to maintain users in FlexDeploy internal realm. If you use this option then you are not relying on external directory servers.

  • You can use Active Directory or other LDAP server for authentication and authorization, see Realms for reference. FlexDeploy user record will still be created when user from external LDAP server logs in for first time. See new user process on Realms page.

  • You can also use both internal as well external realm for users. Users will be first authenticated against external realms and if not successful internal realm will be used.

Authorization

In order to control access to various parts of FlexDeploy, you will be configuring permissions for FlexDeploy groups. FlexDeploy supports coarse and finer grained permissions, see below for details.

Permissions are mainly controlled using FlexDeploy Groups even when using external realm. When using external realm, you can map external directory groups to FlexDeploy groups. Group mapping allows for less security maintenance when new users start using FlexDeploy.

  • Use global permissions control access to various objects in FlexDeploy. Global permissions do not control access at individual item level but rather at entire object level, i.e. if you grant Create / Update access for Workflow to group, members of that group can create or update any workflow. See global permissions for FlexDeploy group.

  • Use deployment permissions to restrict available environments on deployment request form. See deployment permissions for FlexDeploy group. For example, if you want to restrict specific group of users from deploying environments other than development and test, then configure deployment permissions accordingly. Alternatively, you can allow for deployment to all environments and setup approvals using FlexDeploy approvals or external change management system approvals.

  • Finer grained permissions

    1. Project - control access (read, create, configure, execute etc.) to specific projects for FlexDeploy groups. You can configure this for a project or folder. Configurations at folder level apply to all projects contained in it. See Project Security. This model allows for restricting configuration edits of projects to specific groups and still allow others to view and execute build / deploy on projects.

    2. Release - control access (read, configure, execute etc.) to specific release for FlexDeploy groups. You can configure this using global permissions and override at specific release as necessary. See Release Security.

    3. Pipeline - control access (abort, replay, skip etc.) on pipeline execution. Pipeline allows for abstraction in to roles that are mapped to FlexDeploy group and/or users. For example, developers, leaders, managers, operators etc. are some examples of pipeline roles. You can define permissions on each pipeline role. See Pipeline team security.

Permission Matrix

Object Type

Permission

Notes

General Recommendation

Approval Setup

 Read

Approvals (outside of pipeline) can be read.

All Users

Approval Setup

 Create / Update

Approvals (outside of pipeline) can be created and updated.

Change Management/Operations

Window Setup

 Read

Schedule windows (outside of pipeline) can be read.

All Users

Window Setup

 Create / Update

Schedule windows (outside of pipeline) can be created and updated.

Change Management/Operations

Notification Setup

 Read

Configured notifications (email) can be read.

All Users

Notification Setup

 Create / Update

Additional notifications (email) can be created and updated.

All Users

Notification Setup

 Delete

Additional notifications (email) can be deleted.

All Users

Workflow

 Read

Workflow (build, deploy, test etc.) can be read. This contains execution code for build and deployment.

All Users

Workflow

 Create / Update

Workflow (build, deploy, test etc.) can be created or updated. This contains execution code for build and deployment.

FD Administrators

Release1

 Read

Release (collection of projects for specific delivery) can be read.

All Users

Release1

 Create/Update

Release (collection of projects for specific delivery) can be created and updated.

Change Management/Operations

Release1

 Create Snapshot

Create snapshot is process of including build version in to release. Developer can be responsible for this as well.

Developers, Technical Leads

Release1

 Configure Project List

Projects and packages can be added or removed from release. 

Developers, Technical Leads

Release1

 Configure Pipeline

Pipeline can be configured on release with this permission. Access to Override members on Teams tab is also controlled by this permission.

Change Management/Operations

Release1

 Manage Lifecycle

Release start, pause, end actions are allowed with this permission.

Change Management/Operations

Release1

 Grant Permissions

Release permission can be changed with this permission, otherwise Administrator users can configure permissions.

FD Administrators

Pipeline

 Read

Pipeline can be read. Pipeline defined promotion process through various environments.

All Users

Pipeline

 Update

Pipeline can be created or updated.

FD Administrators

Report

 Read

Reports can be read.

All Users

Environment Instance

 Read

Topology object read permission.

All Users

Environment Instance

 Create / Update

Topology object update permission. Allows update to properties like folder, user, password etc. 

FD Administrators

Environment

 Read

Topology object read permission.

All Users

Environment

 Create / Update

Topology environment can be created and updated.

FD Administrators

Instance

 Read

Topology object read permission.

All Users

Instance

 Create / Update

Deployment target (logical) can be created and updated.

FD Administrators

Endpoint

 Read

Endpoint (SSH configuration) to connect to target nodes can be read.

All Users

Endpoint

 Update

Endpoint (SSH configuration) to connect to target nodes can be created and updated.

FD Administrators

Scheduled Task

 Read

Scheduled task (deployment outside of pipeline waiting for schedule) can be read.

All Users

Scheduled Task

 Update

Scheduled task (deployment outside of pipeline waiting for schedule) can be overridden, allows immediate run of deployment.

Change Management/Operations

Plugin

 Read

Plugin details can be read.

All Users

Plugin

 Upload

Plugin can be uploaded and activated. Generally restricted to Administrators. 

FD Administrators

Defaults

 Read

Defaults can be read. Defaults allow some customizable defaults when new objects are created in FlexDeploy.

All Users

Defaults

 Update

Defaults configuration can be updated.

FD Administrators

FlexField

 Read

FlexField configurations can be read. FlexFields are custom inputs to build and deploy workflow requests.

All Users

FlexField

 Update

FlexFields can be configured (enabled)

FD Administrators

Test Type

 Read

Test type names can be read. 

All Users

Test Type

 Create / Update

Test type names can be created or updated.

FD Administrators

Object Type

 Read

Object Type customization details can be read. Customization is restricted to Administrator users.

All Users

Testing Tool

 Read

Testing tools configurations can be read. 

All Users

Testing Tool

 Create / Update

Custom testing tools configurations can be created and updated.

FD Administrators

Issue Tracking System

 Read

Issue tracking system configurations can be read.

All Users

Issue Tracking System

 Update

Global configurations for Issue Tracking Systems can be updated.

FD Administrators

Change Management System

 Read

Change management system configurations can be read.

All Users

Change Management System

 Update

Global configurations for change management systems can be updated. 

FD Administrators

Cloud Account

 Read

Cloud Account details can be read.

All Users

Cloud Account

 Create / Update

Cloud Account can be created and updated.

FD Administrators

Artifact Repository Account

 Read

Artifact Repository Account details can be read.

All Users

Artifact Repository Account

 Create / Update

Artifact Repository Account can be created and updated.

FD Administrators

CI Server Account

 Read

CI Server Account details can be read.

All Users

CI Server Account

 Create / Update

CI Server Account can be created and updated.

All Users

Analysis Tool Account

 Read

Analysis Tool Account details can be read.

All Users

Analysis Tool Account

 Create / Update

Analysis Tool Account can be created or updated.

All Users

Messaging Account

 Read

Messaging Account details can be read.

All Users

Messaging Account

 Create / Update

Messaging Account details can be created and updated.

All Users

Containers Account

Read

Containers Account details can be read.

All Users

Containers Account

Create / Update

Containers Account details can be created and updated.

All Users

Other Tools Account

 Read

Other Tools Account details can be read.

FD Administrators, DBA, Middleware Administrators

Other Tools Account

 Create / Update

Other Tools Account can be created and updated.

FD Administrators, DBA, Middleware Administrators

Account Provider

 Read

Account providers for cloud accounts can be read.

All Users

Account Provider

 Create / Update

Account providers (custom) for cloud accounts can be created or updated.

All Users

User

Read

User information can be read. Users management is restricted to Administrator users.

All Users

Group

Read

Group information can be read. Group management is restricted to Administrator users.

All Users

Realm

Read

Realm information can be read. Realm configuration is restricted to Administrator users.

All Users

Credential

Read

Credential details can be read. Note that secret text like password can never be read in clear text, hence you can only see details necessary to request credential from store.

All Users

Credential

Create / Update

Credential details including secret text like password can be be entered. 

FD Administrators, DBA, Middleware Administrators

Credential

Delete

Credential can be deleted if not used.

FD Administrators, DBA, Middleware Administrators

Credential Store

Read

Credential store details can be read. Management of stores is restricted for Administrators.

All Users

Credential Store Provider

Read

Credential store providers can be read. Management of store providers is restricted for Administrators. 

All Users

Webhook Functions

Read

Webhook functions can be read.

All Users

Webhook Functions

Create / Update

Webhook functions can be created and updated.

Technical Leads, Developers

Webhook Functions

Delete

Webhook functions can be deleted.

Technical Leads

Webhook Providers

Read

Webhook providers can be viewed.

All Users

Webhook Providers

Create / Update

Webhook providers can be created and updated.

Technical Leads, Developers

Webhook Messages

Read - View Tracking

Webhook messages screen can be viewed.

All Users

Webhook Messages

View Logs

Webhook message logs can be viewed.

Technical Leads, Developers

Webhook Messages

View Content

Webhook message payload, query params and headers can be viewed.

Technical Leads, Developers

Webhook Messages

Execute - Resubmit Message

Webhook message can be resubmitted.

Technical Leads, Developers

Monitor Containers

Read

Container Status can be read

All Users

Monitor Containers

Start/Stop

Containers can be started and stopped

FD Administrators, DBA, Technical Leads

Notification Templates

Read

Notification Templates can be read

All Users

Notification Templates

Create / Update

Custom Notification Templates can be created and updated

FD Administrators

Notification Templates

Delete

Custom Notification Templates can be deleted

FD Administrators

Deployment Permissions


Allows control over which environments the group is allowed to perform deployments to. 


1 - Release level permissions can be setup for individual release.

  • No labels