Security Roles

The administration of roles is located in the following menu path: Security -> Security Roles

The framework has the ability to create different security profiles for different groups of users in order to allow or deny operations via assigning permissions, project groups and environment types to a role.

RD framework validates permissions against operations within project groups and environment types security context. If the role is set as global, the framework ignores project group and environment type on any permission validation.

Every time any security permission is checked against the current logged in user, the RD framework validates every role assigned transitively via user groups. Where the user should have granted the permission for the current project group and environment type if it is required. On each permission details is described if it check for Project Group and/or Environment Type.

The role can be selected via the auto complete drop down list or search list pop up panel.

To create a new role press Add button, add role information and then press Save button.

To edit, select an existing role, made any change and then press Save button.

To delete, select an existing role, press Delete button and confirm this action.

To copy, select an existing role, press Add button, made any change and then press Save button.

NOTE: You can not change the name of the security role once it is created. Name is treated as unique ID. At the moment to achieve this goal you can copy existing security role using Add button when role is selected - put different name and click Create. Then you can delete the old one.

  • Security Group Settings
    • Name (ID)
    • Description
    • Global
  • Pick up list of Permissions
  • Pick up list of Security Groups
  • Pick up list of Project Groups
  • Pick up list of Environment Types

Built-in Roles

GLOBAL_ADMINISTRATOR

Can do:

  • [Resources] Projects: create, copy, edit, delete, import, execute SCM plugin commands, assign groups (commit, update, refresh... etc) (Any Project Group)
  • [Resources -> Targets] Servers: create, copy, edit, delete, allow deployments, deploy java, deploy agent, start agent, test transport connection, synchronise cloud instance, view cloud instance,create cloud instance, terminate cloud instance, start cloud instance, stop cloud instance
  • [Resources -> Targets] Environments: create, copy, edit, delete, allow deployments, select product type, set approval requirement
  • [Resources -> Orchestration] Tasks: view list and details, create, edit, delete, upload custom library
  • [Resources] Job Plans: view list and details, edit, delete
  • [Help] System Info: view administrative system information page. Can migrate from a previous version.
  • [Help] License Info: view and change license information
  • [Help] Extensions: view, edit, deploy and integrate extension plugin
  • [Help] SSO Providers: view details

GLOBAL_SECURITY_ADMINISTRATOR

Can do:

  • [Resources -> Targets] Environments: edit type (Development, Testing or Production) in combination with Administrator role
  • [Security] Users: create, copy, edit, delete, assign security groups.
  • [Security] Security Groups: create, copy, edit, delete, assign users, assign security roles, assign deployment approval environment types and assign configuration approval environment types.
  • [Security] Security Roles: create, copy, edit, delete, assign permissions, assign security groups, assign project groups and assign environment types.
  • [Security] Project Groups: create, copy, edit, delete, assign projects and assign security roles.
  • [Security] Environment Type: create, copy, edit, delete, assign environments, assign security roles, assign deployment approval security groups and assign configuration approval security groups.

GLOBAL_RELEASE_MANAGER (Backward compatibility)

Can do:

  • Run or Request Jobs for ANY Environment (Any Project Group)

GLOBAL_TEST_MANAGER (Backward compatibility)

Can do:

  • Run or Request Jobs for ANY Environment (Any Project Group)

GLOBAL_DEVELOPMENT_MANAGER (Backward compatibility)

Can do:

  • Run or Request Jobs for ANY Environment (Any Project Group)

GLOBAL_ENVIRONMENT_ADMINISTRATOR

Can do:

  • [Configuration] Edit / Promote: promote environment

GLOBAL_ENVIRONMENT_MANAGER

Can do:

  • [Configuration] Comparison: delete snapshots

GLOBAL_PRODUCTION_EDITOR (Backward compatibility)

Can do:

  • [Configuration] Edit / Promote: create from template, create from snapshot, edit, copy, delete for ANY Environment (Any Project Group)

GLOBAL_TEST_EDITOR (Backward compatibility)

Can do:

  • [Configuration] Edit / Promote: create from template, create from snapshot, edit, copy, delete for ANY Environment (Any Project Group)

GLOBAL_DEVELOPMENT_EDITOR (Backward compatibility)

Can do:

  • [Configuration] Edit / Promote: create from template, create from snapshot, edit, copy, delete for ANY Environment (Any Project Group)

GLOBAL_CONFIGURATION_CHANGE_REQUESTOR

Can do:

  • [Configuration] Edit / Promote: request changes and promotions (Any Project Group)

GLOBAL_PACKAGE_MANAGER

Can do:

  • [Resources -> Software Management] Packages: create, delete, upload, compare (Any Project Group)

GLOBAL_RESOURCE_ADMIN

Can do:

  • [Resources -> Libraries] create, edit, delete (Any Project Group)

GLOBAL_PLUGIN_MANAGER

Can do:

  • [Help] Plugin Manager: install, reinstall, uninstall, upload, update plugin data on a Project, Server or Environment objects

GLOBAL_APPLICATION_JOB

Can do:

  • Run or Request Application Jobs (Any Project Group) * Run or edit saved deployment plans

PROJECT_ADMINISTRATOR

Can do:

  • [Resources] Projects: edit, import, execute SCM plugin commands, assign groups (commit, update, refresh... etc) (Only Assigned Project Groups)

PROJECT_RELEASE_MANAGER

Can do:

  • Run or Request Jobs for PRODUCTION Environments (Only Assigned Project Groups)

PROJECT_TEST_MANAGER

Can do:

  • Run or Request Jobs for TEST Environments (Only Assigned Project Groups)

PROJECT_DEVELOPMENT_MANAGER

Can do:

  • Run or Request Jobs for DEVELOPMENT Environments (Only Assigned Project Groups)

GLOBAL_PRODUCTION_EDITOR

Can do:

  • [Configuration] Edit / Promote: create from template, create from snapshot, edit, copy, delete for PRODUCTION Environments (Only Assigned Project Groups)

GLOBAL_TEST_EDITOR

Can do:

  • [Configuration] Edit / Promote: create from template, create from snapshot, edit, copy, delete for TEST Environments (Only Assigned Project Groups)

GLOBAL_DEVELOPMENT_EDITOR

Can do:

  • [Configuration] Edit / Promote: create from template, create from snapshot, edit, copy, delete for DEVELOPMENT Environments (Only Assigned Project Groups)

PROJECT_CONFIGURATION_CHANGE_REQUESTOR

Can do:

  • [Configuration] Edit / Promote: request changes and promotions (Only Assigned Project Groups)

PROJECT_PACKAGE_MANAGER

Can do:

  • [Resources -> Software Management] Packages: create, delete, upload, compare (Only Assigned Project Groups)

PROJECT_APPLICATION_JOB

Can do:

  • Run or Request Application Jobs (Only Assigned Project Groups) * Run or edit saved deployment plans

GLOBAL_BLACKOUT_MANAGER

Can do:

  • Add new job blackout periods. * Edit saved job blackout periods. * Delete saved job blackout periods.

Roles Profiles Scenarios

  1. Users allowed to create and edit project configuration, create deployment plans and have the ability to run/deploy those projects/plans in DEVELOPMENT environments.

    Users have to be assigned to a group having the following roles:

    • Role [GLOBAL_ADMINISTRATOR]
    • Role [GLOBAL_DEVELOPMENT_MANAGER]
    • Role [PROJECT_APPLICATION_JOB]
  2. Set of users allowed to run/deploy the projects/plans into TEST environments whilst another set of users are only allowed to deploy the projects/plans into PRODUCTION environments.

    First set of users have to be assigned to one group having the following roles:

    • Role [GLOBAL_TEST_MANAGER]
    • Role [PROJECT_APPLICATION_JOB]

    Second set of users have to be assigned to another group having the following roles:

    • Global Role [GLOBAL_RELEASE_MANAGER]
    • Role [PROJECT_APPLICATION_JOB]
  3. Three sets of users allowed to create and update environment configurations for any project into: DEVELOMENT, TEST and PRODUCTION environments.

    First set of users have to be assigned to one group having the following role:

    • Role [GLOBAL_DEVELOPMENT_EDITOR]

    Second set of users have to be assigned to one group having the following role:

    • Role [GLOBAL_TEST_EDITOR]

    Third set of users have to be assigned to one group having the following role:

    • Role [GLOBAL_PRODUCTION_EDITOR]