...
Roles can also contain other roles. Such parent roles are called Composite Roles. You will probably never need this type of role, since composite roles are mainly used internally by PIPEFORCE.
Default Roles (ROLE_)
These composite roles exist by default in PIPEFORCE and cannot be removed (“factory defaults”). Any user or group assigned to such a role receives an additional basic set of permissions needed to fulfill a certain role in PIPEFORCE.
...
Since PIPEFORCE is a microservice system, it hosts many different services. Some of them require groups and some can work with roles. Furthermore, there is also a conceptual difference: groups can be created and managed by admins, roles cannot. Roles can only be assigned and revoked by admins.
Command Permissions (CAN_CMD_)
For any command in PIPEFORCE, there is a corresponding role (or permission) which allows the user assigned to this role to execute this command. The role name has the format:
CAN_
...
CMD_<command_name>
...
Some examples:
Command Name | Permission / Role Name |
See the Role Mappings section for users and groups in IAM for a full list of all available command permissions.
Wildcard command permission (use with maximum care!)
Besides the specific command permissions, you can also use wildcard permissions to grant access to all commands or to a specific subset of them. Wildcard permissions should not be used by users; they are reserved for admins and developers.
Examples:
CAN_PIPECMD_%: Grants access to all commands
CAN_PIPECMD_drive.%: Grants access to all drive commands
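Because roles can contain other roles, a wildcard permission can reach a user indirectly through a composite role. The following audit sketch is an added example, not PIPEFORCE code: it expands composite roles and reports which users end up with wildcard command permissions. It assumes `%` matches any run of characters, as the two examples above suggest; the role export, user names and command list are constructed sample data.

```python
import re

PREFIX = "CAN_PIPECMD_"

# Constructed sample data (assumption): composite role -> roles it contains.
COMPOSITES = {
    "ROLE_EMPLOYEE": ["CAN_APP_MYAPP", "CAN_PIPECMD_drive.read"],
    "ROLE_DEVELOPER": ["ROLE_EMPLOYEE", "CAN_PIPECMD_drive.%"],
    "ROLE_OPS": ["ROLE_DEVELOPER", "CAN_PIPECMD_%"],
}
# Constructed sample data: user -> directly assigned roles.
ASSIGNMENTS = {
    "alice": ["ROLE_EMPLOYEE"],
    "bob": ["ROLE_DEVELOPER"],
    "carol": ["ROLE_OPS"],
}
# Constructed sample list of command names to test the permissions against.
COMMANDS = ["drive.read", "drive.save", "iam.role.create", "iam.run.as"]


def expand(roles, composites):
    """Resolve composite roles transitively; a cycle does not loop forever."""
    seen, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(composites.get(role, []))
    return seen


def covered_commands(permission, commands):
    """Commands a command permission grants, treating '%' as a wildcard."""
    if not permission.startswith(PREFIX):
        return []
    parts = permission[len(PREFIX):].split("%")
    pattern = ".*".join(re.escape(p) for p in parts)
    return [c for c in commands if re.fullmatch(pattern, c)]


def audit(assignments, composites, commands):
    """Per user: wildcard permissions held and the commands they can run."""
    report = {}
    for user, roles in assignments.items():
        effective = expand(roles, composites)
        wild = sorted(r for r in effective if r.startswith(PREFIX) and "%" in r)
        allowed = sorted({c for r in effective for c in covered_commands(r, commands)})
        report[user] = {"wildcards": wild, "commands": allowed}
    return report
```

Any non-empty `wildcards` entry for an account that is not an admin or developer is worth reviewing.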
App Permissions (CAN_APP_)
Note: Depending on the setup of your PIPEFORCE system, these steps are usually done by your global corporate admin and cannot be done by developers or default admins. Please ask your global admin or the PIPEFORCE support team to do these steps for you.
...
global/app/myapp/setup/permissions.pi.yamlcreate-default-permissions
Open this pipeline, add this content, and then publish + execute it:
```yaml
headers:
  description: "Creates the default users, groups and permissions of myapp"
  onCommandError: "IGNORE"

pipeline:
  - iam.run.as:
      username: systemuser

  # Create the new app role
  - iam.role.create:
      name: "CAN_APP_MYAPP"

  # Assign this role to all employees automatically
  - iam.role.add.composites:
      roleName: "ROLE_EMPLOYEE"
      composites: "CAN_APP_MYAPP"
```
...