...

Roles can also contain other roles. Such parent roles are called Composite Roles. You will probably never need this type of role, since composite roles are mainly used internally by PIPEFORCE.

Default Roles (ROLE_)

These composite roles exist by default in PIPEFORCE and cannot be removed (“factory defaults”). Any user or group assigned to such a role receives an additional basic set of permissions needed to fulfill that role in PIPEFORCE.

...

Since PIPEFORCE is a microservice system, it hosts many different services. Some of them require groups and some can work with roles. Furthermore, there is also a conceptual difference: groups can be created and managed by admins, roles cannot. Roles can only be assigned and revoked by admins.

Command Permissions (CAN_CMD_)

For any command in PIPEFORCE, there is a corresponding role (or permission) which allows the user assigned to this role to execute this command. The role name has the format:

Code Block
CAN_

...

CMD_<command_name>

...

Some examples:

Command Name    Permission / Role Name
drive.read      CAN_PIPECMD_drive.read
drive.save      CAN_PIPECMD_drive.save
property.put    CAN_PIPECMD_property.put

See the Role Mappings section for users and groups in IAM for a full list of all available command permissions.

Wildcard command permission (use with maximum care!)

Besides specific command permissions, you can also use wildcard permissions to grant access to all commands or to a specific subset of them. Wildcard permissions should not be assigned to regular users; they are reserved for admins and developers.

Examples:

  • CAN_PIPECMD_%: Grants access to all commands

  • CAN_PIPECMD_drive.%: Grants access to all drive commands
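The following audit helper is an added example, not PIPEFORCE code: it flags wildcard command permissions in an exported role assignment list and shows which known commands each one reaches. It assumes that `%` appears only as a trailing wildcard matching any remainder of the command name, as in the two examples above; the principals, the sample assignments and the function names are constructed for illustration.

```python
# Added example, not part of PIPEFORCE. Matching semantics are an assumption:
# a trailing '%' matches any remainder of the command name.
PREFIX = "CAN_PIPECMD_"

# Command names taken from the examples on this page.
KNOWN_COMMANDS = ["drive.read", "drive.save", "property.put"]

# Constructed sample: principal -> role names assigned to it.
SAMPLE_ASSIGNMENTS = {
    "alice": ["CAN_PIPECMD_drive.read"],
    "dev-team": ["CAN_PIPECMD_drive.%"],
    "ops-admin": ["CAN_PIPECMD_%", "ROLE_EMPLOYEE"],
}


def covers(granted, command):
    """Return True if the granted role name permits the given command."""
    if not granted.startswith(PREFIX):
        return False
    pattern = granted[len(PREFIX):]
    if pattern.endswith("%"):
        # Wildcard grant: compare only the part before the '%'.
        return command.startswith(pattern[:-1])
    return pattern == command


def audit(assignments, commands):
    """List (principal, role, reachable commands) for every wildcard grant."""
    findings = []
    for principal, roles in sorted(assignments.items()):
        for role in roles:
            if role.startswith(PREFIX) and "%" in role:
                reach = sorted(c for c in commands if covers(role, c))
                findings.append((principal, role, reach))
    return findings


if __name__ == "__main__":
    for principal, role, reach in audit(SAMPLE_ASSIGNMENTS, KNOWN_COMMANDS):
        print(f"REVIEW {principal}: {role} -> {', '.join(reach)}")
```

Each finding is a grant to review against the "admins and developers only" rule; specific permissions such as CAN_PIPECMD_drive.read are not reported.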

App Permissions (CAN_APP_)

Note: Depending on the setup of your PIPEFORCE system, these steps are usually done by your global corporate admin and cannot be done by developers or default admins. Please ask your global admin or the PIPEFORCE support team to do these steps for you.

...

Code Block
global/app/myapp/setup/permissions.pi.yamlcreate-default-permissions

Open this pipeline, add this content, and then publish + execute it:

Code Block
headers:
  description: "Creates the default users, groups and permissions of myapp"
  onCommandError: "IGNORE"

pipeline:

  - iam.run.as:
      username: systemuser

  # Create the new app role
  - iam.role.create:
      name: "CAN_APP_MYAPP"

  # Assign this role to all employees automatically
  - iam.role.add.composites:
      roleName: "ROLE_EMPLOYEE"
      composites: "CAN_APP_MYAPP"

...