Making progress! I found a link in the console that explained attaching roles to pipelines, which works, but I'd like to be able to say that I want a user to have permissions on a pipeline group through a role, but I only want them to run pipelines with TEST in the name and not any PROD pipelines. In the role I've tried adding deny to administer * * but the role permission on the pipeline group doesn't get modified.
Is this just a fringe case we've put ourselves into and it's not possible to manage things in this way? We've been using pipeline groups to contain all pipelines using a particular template type so PROD and TEST both are in the same pipeline group. If this isn't possible we can probably just split our groups out into 2x with a prod and dev/test group separately. I'm just confused on what I can and can't do with roles since it's not a centrally managed feature but the roles can be reused for membership.

Thanks!

On Tuesday, March 21, 2023 at 10:29:01 AM UTC-5 Funkycybermonk wrote:

> Hello!
>
> I'm sure I'm missing something simple, but I'm trying to lock down access to certain tasks. We'll have some temporary users accessing our system and I want to control what they can and can't do. I get the whole allow/deny and I'm hoping that the View/Administer will be flexible enough to let me limit what users can do to pipelines, but my initial test goal is to have a working permissions set that does anything with pipelines.
>
> When I set a system administrator everyone gets their permissions dropped as expected. But once I start adding them to a role containing a policy that says for example Allow - Administer - Environments - *, I get the ability as that user to see all environments but I can't see pipelines in those environments.
>
> Setting Allow - Administer - All - * also doesn't let me see pipelines.
>
> How can I use roles/policies to give users permissions to basic items in the system such as: I want a user to be able to run pipelines containing a certain wildcarded name filter or I want them to be able to view all but only execute certain environments, say only pipelines assigned in the environment labeled TEST.
>
> The documentation doesn't give specific cases that are helpful in this case. For example it says that Administer on UI gives list, create, update, delete, agent status and elastic profiles usage but the closest I can see in the policy is the allow administer * * which doesn't let my user see any pipelines.
>
> I'm running 22.3 with LDAP as my authentication provider if that helps/affects anything.
>
> Any tips on how to get permissions set up to filter what can and can't be accessed by non-systemadmins?
>
> Thanks!