Making progress! I found a link in the console that explained attaching
roles to pipelines which works, but I'd like to be able to say that I want
a user to have permissions on a pipeline group through a role, but I only
want them to run pipelines with TEST in the name and not any PROD
pipelines. In the role I've tried adding deny to administer * * but the
role permission on the pipeline group doesn't get modified.

Is this just a fringe case we've put ourselves into and it's not possible to
manage things in this way? We've been using pipeline groups to contain all
pipelines using a particular template type so PROD and TEST both are in the
same pipeline group. If this isn't possible we can probably just split our
groups out into 2x with a prod and dev/test group separately.

I'm just confused on what I can and can't do with roles since it's not a
centrally managed feature but the roles can be reused for membership.

Thanks!

On Tuesday, March 21, 2023 at 10:29:01 AM UTC-5 Funkycybermonk wrote:
> Hello!
>
> I'm sure I'm missing something simple, but I'm trying to lock down access
> to certain tasks. We'll have some temporary users accessing our system and
> I want to control what they can and can't do. I get the whole allow/deny
> and I'm hoping that the View/Administer will be flexible enough to let me
> limit what users can do to pipelines, but my initial test goal is to have a
> working permissions set that does anything with pipelines.
>
> When I set a system administrator everyone gets their permissions dropped
> as expected. But once I start adding them to a role containing a policy
> that says for example Allow - Administer - Environments - *, I get the
> ability as that user to see all environments but I can't see pipelines in
> those environments.
>
> Setting Allow - Administer - All - * also doesn't let me see pipelines.
>
> How can I use roles/policies to give users permissions to basic items in
> the system such as: I want a user to be able to run pipelines containing a
> certain wildcarded name filter or I want them to be able to view all but
> only execute certain environments, say only pipelines assigned in the
> environment labeled TEST.
>
> The documentation doesn't give specific cases that are helpful in this
> case. For example it says that Administer on UI gives list, create, update,
> delete, agent status and elastic profiles usage but the closest I can see in
> the policy is the allow administer * * which doesn't let my user see any
> pipelines.
>
> I'm running 22.3 with LDAP as my authentication provider if that
> helps/affects anything.
>
> Any tips on how to get permissions set up to filter what can and can't be
> accessed by non-systemadmins?
>
> Thanks!
>