...
| Table of Contents | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
Introduction
Permissions in PIPEFORCE are also called roles. With such roles, you can define what a user is allowed to do. Roles can be assigned directly to a user or to a group via the webui of the IAM or the iam.* commands. Furthermore, there are also roles which define a set of other roles. These parent roles are called composite roles.
Note that you need to be a member of ROLE_ADMIN or ROLE_DEVELOPER in order to be able to change role permissions as described in this chapter. In case you’re not able to login into IAM or apply the steps described below, please contact the PIPEFORCE admin in your company or feel free to contact our support team to grant you the required permissions and roles.
What is a Role (Permission)?
In PIPEFORCE, there is the concept of roles. A role can be seen as a permission (privilege) for a user to be allowed to do a certain task in the system. A role is a permission: So whenever you see a role, it can also be called a permission, and vice versa. These names are equal.
...
Roles can also contain other roles. Such parent roles are called Composite Roles. You probably never require such type of roles, since they are mainly used in PIPEFORCE internally only.
Default Roles (ROLE_)
These composite roles exist by default in PIPEFORCE and cannot be removed (“factory defaults”). Any user or group, which is assigned to such a role, has some additional basic set of permissions assigned to fulfill a certain role in PIPEFORCE.
...
Since PIPEFORCE is a microservice system, it hosts many different services. Some of them require groups and some can work with roles. Furthermore, there is also a conceptional difference: Groups can be created and managed by admins, roles cannot. They can only be assigned and revoked by admins.
Command Permissions (CAN_CMD_)
For any command in PIPEFORCE, there is a corresponding role (or permission) which allows the user assigned to this role to execute this command. The role name has the format:
...
CAN_CMD_%: Grants access to all commandsCAN_CMD_drive.%: Grants access to all drive commands
App Permissions (CAN_APP_)
Note: Depending on the setup of your PIPEFORCE system, these steps usually are done by your global corporate admin and cannot be done by developers or default admins. Please ask your global admin or the PIPEFORCE support team to do these steps for you.
...
Also, make sure that users and groups you want to give access to your app are trustworthy. Furthermore, make sure that they also have the permission to access all commands you are using inside your app.
Automate setup of app permissions
Instead of manually creating and assigning the roles of your app, you can automate these steps by providing a setup pipeline using the iam.* commands. To do so, follow these steps:
...
For more information about the available iam.* commands, see the commands' dashboard of your instance.
What is a Group?
A group in PIPEFORCE combines a set of users with a set of roles. Groups are typically created and managed by admins. There can be “factory default” groups and also customer specific groups.
Default Groups
There are some default groups in PIPEFORCE. These groups may not be renamed or deleted by admins or developers, otherwise the system will no longer work as expected. These default groups are:
...
Each group can contain one or more roles which is the core permission entity.
Anonymous User
In case a user is not logged-in, the system handles this automatically as anonymousUser with no roles/permissions and no groups assigned to it. Such a user can only execute a very limited set of public commands.