Hi everyone, We are working on upgrading from GoCD 19.8.0 to the current version. One of the major changes we need to account for is the default permissions on pipeline groups.
In 19.8.0, pipelines are open by default, i.e., if there are no permissions explicitly defined for a pipeline group, all users can view and operate the pipelines it contains. In current versions, pipelines are secure by default; if there are no permissions explicitly defined for a pipeline group then only system administrators can view/operate them. Our current model is this: - All pipelines are stored in a single config repo. - Pipeline groups are used to represent an individual application. - A pipeline group generally consists of a build pipeline and several deployment pipelines. - Production pipelines are separated into their own pipeline group because they already have some requirements around restricting their operability. This presents a couple of challenges: 1. When moving from open-by-default to secure-by-default we will need to explicitly specify the permissions for ~230 pipeline groups, all of which have essentially the same permissions requirements. 2. Post upgrade, we cannot restrict system administration privileges because anyone who has access to create a new pipeline group via the config repo will need sysadmin access to set the pipeline group permissions after the pipelines are imported. Does GoCD have any mechanism for grouping pipeline groups for the purpose of standardizing permissions across them? Alternately, is there a way that we can define permissions in the config repo instead of having to put them into cruise-config.xml post-import? Any thoughts or suggestions are welcome. Regards, Jason -- You received this message because you are subscribed to the Google Groups "go-cd" group. To unsubscribe from this group and stop receiving emails from it, send an email to go-cd+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/go-cd/7a022c24-8d18-48dc-8909-2d6c5330e49bn%40googlegroups.com.