Tricky. Yes, there is no mechanism I'm aware of to set default permissions
for new pipeline groups. :(

For the existing groups and your upcoming upgrade, I would suggest making
the implicit permission explicit, by adding a role permission to the 230
pipeline groups, and then giving that role view and operate permissions.

Of course, there are still two issues:

1. How to make sure every user is in the role? [If you use the LDAP
authorisation plugin, then you'd be able to set up a role which includes
everyone in an AD group]

2. How to make sure every new pipeline group created has that default role
[No great idea I can think of here, apart from having a script which uses
the GoCD APIs to do that -- and only that -- and allowing everyone to run
that. Maybe in a pipeline. :)]

Cheers,
Aravind

On Fri, 31 May 2024 at 21:51, Jason Smyth <jsm...@taqauto.com> wrote:

> Hi everyone,
>
> We are working on upgrading from GoCD 19.8.0 to the current version. One
> of the major changes we need to account for is the default permissions on
> pipeline groups.
>
> In 19.8.0, pipelines are open by default, i.e., if there are no
> permissions explicitly defined for a pipeline group, all users can view and
> operate the pipelines it contains. In current versions, pipelines are
> secure by default; if there are no permissions explicitly defined for a
> pipeline group then only system administrators can view/operate them.
>
> Our current model is this:
>
>    - All pipelines are stored in a single config repo.
>    - Pipeline groups are used to represent an individual application.
>    - A pipeline group generally consists of a build pipeline and several
>    deployment pipelines.
>    - Production pipelines are separated into their own pipeline group
>    because they already have some requirements around restricting their
>    operability.
>
>
> This presents a couple of challenges:
>
>    1. When moving from open-by-default to secure-by-default we will need
>    to explicitly specify the permissions for ~230 pipeline groups, all of
>    which have essentially the same permissions requirements.
>    2. Post upgrade, we cannot restrict system administration privileges
>    because anyone who has access to create a new pipeline group via the config
>    repo will need sysadmin access to set the pipeline group permissions after
>    the pipelines are imported.
>
> Does GoCD have any mechanism for grouping pipeline groups for the purpose
> of standardizing permissions across them? Alternately, is there a way that
> we can define permissions in the config repo instead of having to put them
> into cruise-config.xml post-import?
>
> Any thoughts or suggestions are welcome.
>
> Regards,
> Jason
>
> --
> You received this message because you are subscribed to the Google Groups
> "go-cd" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to go-cd+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/go-cd/7a022c24-8d18-48dc-8909-2d6c5330e49bn%40googlegroups.com
>
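
A sketch of the script suggested in the reply above, added here as an example and not code from the thread or from the GoCD project: it finds pipeline groups that rely on the implicit default and builds the update body that grants a role view and operate, leaving groups with explicit permissions (such as the production groups) untouched. The role name `all-users`, the sample listing, and the JSON shape (taken to match GoCD's pipeline group config API, `/go/api/admin/pipeline_groups`) are assumptions to check against your server version.

```python
import copy
import json

DEFAULT_ROLE = "all-users"  # hypothetical role name; the role must exist in GoCD

# Constructed sample, shaped like a listing from GET /go/api/admin/pipeline_groups
SAMPLE = json.loads("""
{"_embedded": {"groups": [
  {"name": "app-one", "authorization": {}, "pipelines": [{"name": "app-one-build"}]},
  {"name": "app-two", "authorization": {"view": {"users": [], "roles": ["all-users"]}},
   "pipelines": []},
  {"name": "app-one-prod",
   "authorization": {"operate": {"users": [], "roles": ["release-managers"]}},
   "pipelines": []}
]}}
""")

def is_implicit(group):
    """True when no user or role is named under view, operate or admins."""
    auth = group.get("authorization") or {}
    return not any((auth.get(level) or {}).get(kind)
                   for level in ("view", "operate", "admins")
                   for kind in ("users", "roles"))

def make_explicit(group, role=DEFAULT_ROLE):
    """Return a copy of the group with `role` granted view and operate."""
    updated = copy.deepcopy(group)
    auth = updated.get("authorization") or {}
    updated["authorization"] = auth
    for level in ("view", "operate"):
        entry = auth.setdefault(level, {})
        entry.setdefault("users", [])
        roles = entry.setdefault("roles", [])
        if role not in roles:  # idempotent: safe to re-run from a pipeline
            roles.append(role)
    return updated

def plan_updates(listing, role=DEFAULT_ROLE):
    """Map group name -> update body for every group relying on the default."""
    groups = listing.get("_embedded", {}).get("groups", [])
    return {g["name"]: make_explicit(g, role) for g in groups if is_implicit(g)}

if __name__ == "__main__":
    for name, body in plan_updates(SAMPLE).items():
        print(name, json.dumps(body["authorization"]))
```

Each planned body would then be sent as an authenticated update for that group; running the planning step alone first gives a reviewable list of the groups that would otherwise become admin-only after the upgrade.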
