[go-cd] Re: Policies and Roles Issues

2023-03-21 Thread Funkycybermonk
Making progress! I found a link in the console that explained attaching 
roles to pipelines which works, but I'd like to be able to say that I want 
a user to have permissions on a pipeline group through a role, but I only 
want them to run pipelines with TEST in the name and not and PROD 
pipelines. In the role I've tried adding deny to administer * *  but the 
role permission on the pipeline group doesn't get modified. 

Is this just a fringe case we've put ourselves into and its not possible to 
manage things in this way? We've been using pipeline groups to contain all 
pipelines using a particular template type so PROD and TEST both are in the 
same pipeline group. If this isn't possible we can probably just split our 
groups out into 2x with a prod and dev/test group separately. 

I'm just confused on what I can and can't do with roles since its not a 
centrally managed feature but the roles can be reused for membership.

Thanks!

On Tuesday, March 21, 2023 at 10:29:01 AM UTC-5 Funkycybermonk wrote:

> Hello! 
>
> I'm sure I'm missing something simple, but I'm trying to lock down access 
> to certain tasks. We'll have some temporary users accessing our system and 
> I want to control what they can and can't do. I get the whole allow/deny 
> and I'm hoping that the View/Administer will be flexible enough to let me 
> limit what users can do to pipelines, but my initial test goal is to have a 
> working permissions set that does anything with pipelines. 
>
> when I set a system administrator everyone gets their permissions dropped 
> as expected. But once I start adding them to a role containing a policy 
> that says for example Allow - Administer - Environments - *, I get the 
> ability as that user to see all environments but I can't see pipelines in 
> those environments. 
>
> Setting Allow - Administer - All - * also doesn't let me see pipelines. 
>
> How can I use roles/policies to give users permissions to basic items in 
> the system such as: I want a user to be able to run pipelines containing a 
> certain wildcarded name filter or I want them to be able to view all but 
> only execute certain environments, say only pipelines assigned in the 
> environment labeled TEST. 
>
> The documentation doesn't give specific cases that are helpful in this 
> case. For example it says that Admnister on UI gives list, create, update, 
> delete, agent status and elastic profiles usage but the closes I can see in 
> the policy is the allow administer * * which doesn't let my user see any 
> pipelines.
>
> I'm running 22.3 with LDAP as my authentication provider if that 
> helps/affects anything.
>
> Any tips on how to get permissions set up to filter what can and can't be 
> accessed by non-systemadmins?
>
> Thanks!
>

-- 
You received this message because you are subscribed to the Google Groups 
"go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to go-cd+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/go-cd/4dbc8c4f-ad7e-444e-9113-f85c358b87den%40googlegroups.com.


[go-cd] Policies and Roles Issues

2023-03-21 Thread Funkycybermonk
Hello! 

I'm sure I'm missing something simple, but I'm trying to lock down access 
to certain tasks. We'll have some temporary users accessing our system and 
I want to control what they can and can't do. I get the whole allow/deny 
and I'm hoping that the View/Administer will be flexible enough to let me 
limit what users can do to pipelines, but my initial test goal is to have a 
working permissions set that does anything with pipelines. 

when I set a system administrator everyone gets their permissions dropped 
as expected. But once I start adding them to a role containing a policy 
that says for example Allow - Administer - Environments - *, I get the 
ability as that user to see all environments but I can't see pipelines in 
those environments. 

Setting Allow - Administer - All - * also doesn't let me see pipelines. 

How can I use roles/policies to give users permissions to basic items in 
the system such as: I want a user to be able to run pipelines containing a 
certain wildcarded name filter or I want them to be able to view all but 
only execute certain environments, say only pipelines assigned in the 
environment labeled TEST. 

The documentation doesn't give specific cases that are helpful in this 
case. For example it says that Admnister on UI gives list, create, update, 
delete, agent status and elastic profiles usage but the closes I can see in 
the policy is the allow administer * * which doesn't let my user see any 
pipelines.

I'm running 22.3 with LDAP as my authentication provider if that 
helps/affects anything.

Any tips on how to get permissions set up to filter what can and can't be 
accessed by non-systemadmins?

Thanks!

-- 
You received this message because you are subscribed to the Google Groups 
"go-cd" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to go-cd+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/go-cd/1582fc8d-5b93-4fa9-b098-9453b78e33ean%40googlegroups.com.