Copy file name to clipboardExpand all lines: _docs/administration/account-user-management/access-control.md
+24-20Lines changed: 24 additions & 20 deletions
@@ -14,11 +14,11 @@ toc: true
14
14
<!-- needs fine tuning for GitOps as well; all x-refs have to be updated-->
15
15
Codefresh provides several complementary ways for access control within an organization:
16
16
17
-
***Role-based access**:[Role-based access](#users-and-administrators), restricts access to parts of the Codefresh UI intended for account administrators. For example, only an account administrator should be able to change integrations with[git providers]({{site.baseurl}}/docs/integrations/git-providers/) and[cloud services]({{site.baseurl}}/docs/deployments/kubernetes/add-kubernetes-cluster/).
17
+
***Role-based access**:[Role-based access]({{site.baseurl}}/docs/administration/account-user-management/add-users/#users-in-codefresh), restricts access to parts of the Codefresh UI intended for account administrators. For example, only an account administrator should be able to change integrations with[git providers]({{site.baseurl}}/docs/integrations/git-providers/) and[cloud services]({{site.baseurl}}/docs/integrations/kubernetes/#connect-a-kubernetes-cluster).
18
18
19
-
***Attribute-based access control (ABAC)**: Policy-based access control via attributes (ABAC), restricts access to[Kubernetes clustersand pipelines](#access-to-kubernetes-clusters-and-pipelines). This option allows account administrators to define exactly which teams have access to which clusters and pipelines. For example, access to production clusters can be granted only to a subset of trusted developers/operators. On the other hand, access to a QA/staging cluster can be less strict.
19
+
***Attribute-based access control (ABAC)**: Policy-based access control via attributes (ABAC), restricts access to[AddKubernetes clusterswith policy attributes](##add-kubernetes-clusters-with-policy-attributes). This option allows account administrators to define exactly which teams have access to which clusters and pipelines. For example,you can grantaccess to production clusters only to a subset of trusted developers/operators. On the other hand, access to a QA/staging cluster can be less strict.
20
20
21
-
***Git-repository access**: Restrict the Git repositories used to load[pipeline definitions](#pipeline-definition-restrictions).
21
+
***Git-repository access**: Restrict the Git repositories used to load[pipeline definitions](##enabledisable-access-to-pipeline-yamls-by-source).
22
22
23
23
24
24
##Role-based access for users and administrators
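Review bot: the two in-page anchors introduced in this hunk use a double hash, `(##add-kubernetes-clusters-with-policy-attributes)` and `(##enabledisable-access-to-pipeline-yamls-by-source)`, which will not resolve as fragment links; they should be `(#add-kubernetes-clusters-with-policy-attributes)` and `(#enabledisable-access-to-pipeline-yamls-by-source)`. The ABAC bullet also now points only at the cluster-tagging procedure while the sentence still covers both clusters and pipelines, so either link the parent ABAC section or add a second link to the pipeline-tagging steps this same file describes ("Similar to Kubernetes clusters, you can also add tags to specific pipelines").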
@@ -47,14 +47,14 @@ The table below lists the functionality available for role-based access.
@@ -92,7 +92,7 @@ You can assign multiple tags to each cluster, making it easy to define multiple
92
92
%}
93
93
94
94
**Before you begin**
95
-
* If needed,[add a Kubernetes cluster]({{site.baseurl}}/docs/deployments/kubernetes/add-kubernetes-cluster/)
95
+
* If needed,[add a Kubernetes cluster]({{site.baseurl}}/docs//integrations/kubernetes/#connect-a-kubernetes-cluster)
96
96
97
97
**How to**
98
98
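Review bot: the updated cluster link contains a doubled slash, `{{site.baseurl}}/docs//integrations/kubernetes/#connect-a-kubernetes-cluster`; drop one so it matches the same target as written in the first hunk (`/docs/integrations/kubernetes/#connect-a-kubernetes-cluster`).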
@@ -109,6 +109,8 @@ You can assign multiple tags to each cluster, making it easy to define multiple
109
109
caption="Assigning tags to a cluster"
110
110
max-width="60%"
111
111
%}
112
+
113
+
{:start="3"}
112
114
1. Click**Add** and type in the tag.
113
115
1. Continue to add tags and when finished, click**Save**.
114
116
@@ -119,11 +121,11 @@ You can assign multiple tags to each cluster, making it easy to define multiple
119
121
Similar to Kubernetes clusters, you can also add tags to specific pipelines.
120
122
121
123
**Before you begin**
122
-
* If needed,[create aCIpipeline]({{site.baseurl}}/docs/pipelines/pipelines/)
124
+
* If needed,[create a pipeline]({{site.baseurl}}/docs/pipelines/pipelines/)
123
125
124
126
**How to**
125
127
126
-
1. In the Codefresh UI,go to[Pipelines](https://g.codefresh.io/pipelines/all/){:target="\_blank"}.
128
+
1. In the Codefresh UI,from Pipelines in the sidebar, select[Pipelines](https://g.codefresh.io/pipelines/all/){:target="\_blank"}.
127
129
1. In the row with the target pipline, click the context menu for the pipeline, and then select**Edit tags**.
128
130
1. Type in the new tag, press Enter, and continue to add the tags you need.
129
131
1. When finished, click**Save**.
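Review bot: the unchanged context line two steps down still has the typo `pipline` ("In the row with the target pipline"); since this hunk already touches the procedure, fix it to `pipeline` here.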
@@ -149,7 +151,7 @@ For each rule you define, select:
149
151
150
152
151
153
**Before you begin**
152
-
* Make sure you have[created at least one team]({{site.baseurl}}/docs/administration/add-users/#create-a-team-in-codefresh)
154
+
* Make sure you have[created at least one team]({{site.baseurl}}/docs/administration/account-user-management/add-users/#teams-in-codefresh)
153
155
154
156
**How to**
155
157
1. In the Codefresh UI, on the toolbar, click the**Settings** icon and then select**Account Settings**.
@@ -177,23 +179,23 @@ For each rule you define, select:
177
179
*`Update` - can see and edit existing allowed cluster resources (which means also perform[installation, removal and rollbacks of Helm charts]({{site.baseurl}}/docs/new-helm/helm-best-practices/)). Tags are managed from account settings, so this permission doesn’t apply to it currently.
178
180
*`Delete` - cluster removal requires someone to be account administrator anyway so currently this permission isn’t really necessary.
179
181
180
-
For pipelines:
182
+
**For pipelines:**
181
183
182
184
*`Create` - can only create new pipelines, not see, edit (which includes tagging them) or delete them. This permission should also go hand in hand with additional permissions like read/edit untagged pipelines.
183
185
*`Read` - view allowed pipelines only.
184
186
*`Update` - see and edit allowed pipelines only (including tagging them).
185
187
*`Delete` - can delete allowed pipelines only.
186
188
*`Run` - can run allowed pipelines only.
187
-
*`Approve` - resume pipelines that are waiting for manual[approval]({{site.baseurl}}/docs/codefresh-yaml/steps/approval/).
188
-
*`Debug` - allow the usage of the[pipeline debugger]({{site.baseurl}}/docs/configure-ci-cd-pipeline/debugging-pipelines/).
189
+
*`Approve` - resume pipelines that are waiting for manual[approval]({{site.baseurl}}/docs/pipelines/steps/approval/).
190
+
*`Debug` - allow the usage of the[pipeline debugger]({{site.baseurl}}/docs/pipelines/debugging-pipelines/).
189
191
190
192
191
193
192
194
##Git-repository access restrictions
193
195
194
-
By default, users can load pipeline definitions when[creating a pipeline]({{site.baseurl}}/docs/configure-ci-cd-pipeline/pipelines/), from the inline editor, or any private or public Git repository.
196
+
By default, users can load pipeline definitions when[creating a pipeline]({{site.baseurl}}/docs/pipelines/pipelines/), from the inline editor, or any private or public Git repository.
195
197
196
-
You can change the default behavior to restrict loadingCIpipeline definitions from specific Git repositories or completely disable loading the definitions from all Git repositories.
198
+
You can change the default behavior to restrict loading pipeline definitions from specific Git repositories or completely disable loading the definitions from all Git repositories.
197
199
198
200
###Enable/disable access to pipeline YAMLs by source
199
201
Enable or disable access to pipeline definition YAMLs based on the source of the YAML. These global settings are effective for all pipelines in the account and enables or disables that method of pipeline creation from the Codefresh UI.
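Review bot: the `Update` description for clusters (unchanged context at the top of this hunk) still links to `{{site.baseurl}}/docs/new-helm/helm-best-practices/`, which follows the old path scheme this commit is replacing elsewhere (`codefresh-yaml/...` and `configure-ci-cd-pipeline/...` both became `pipelines/...`); check whether that Helm page has moved as well. Bolding `**For pipelines:**` is fine, but if the cluster permission list above it has a matching lead-in line, give it the same treatment so the two lists look alike.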
@@ -203,6 +205,7 @@ pipeline definitions from:
203
205
* Any Git repository connected to Codefresh
204
206
***Any** public URL
205
207
208
+
206
209
1. In the Codefresh UI, on the toolbar, click the**Settings** icon and then select**Account Settings**.
207
210
1. From Configuration on the sidebar, select[**Pipeline Settings**](https://g.codefresh.io/account-admin/account-conf/pipeline-settings){:target="\_blank"}.
208
211
@@ -215,8 +218,9 @@ pipeline definitions from:
215
218
max-width="80%"
216
219
%}
217
220
221
+
{:start="3"}
218
222
1. Turn on or off the options as needed.
219
-
1. Continue with
223
+
220
224
221
225
###Define access to Git repositories for pipeline YAMLs
222
226
If access to pipeline definitions are enabled for Git repositories, you can configure fine-grained restrictions through the integrations settings for your[Git provider]({{site.baseurl}}/docs/integrations/git-providers/).
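Review bot: removing the dangling `1. Continue with` step leaves the procedure ending at `Turn on or off the options as needed.` with no confirmation step, unlike the tagging procedures earlier in the file that end with **Save**; if these toggles take effect immediately, say so, otherwise restore the final step that `Continue with` was meant to introduce. The unchanged context sentence below, `If access to pipeline definitions are enabled`, should read `is enabled`.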
@@ -244,5 +248,5 @@ If access to pipeline definitions are enabled for Git repositories, you can conf
Once you have created a Codefresh account, you can add any number of users to collaborate on repositories, workflows, and pipelines, and teams of users.
9
+
Once you have created a Codefresh account, you can add any number of users to collaborate on repositories, workflows, and pipelines, and teams of users.
10
+
11
+
10
12
You can then create teams in Codefresh to group users who share a common denominator, such as the same permissions, access to the same functionality, or roles. Teams make it easy for administrators to both define and manage items shared by multiple users in an orgranization.
11
13
12
14
13
15
##Users in Codefresh
14
-
Adding a user requires assigning a role to define access to account resources, and optionally, selecting an SSO provider for the user:
16
+
Adding a userto an accountrequires assigning a role to define access to account resources, and optionally, selecting an SSO provider for the user:
15
17
16
18
***Role**: Defines the user's access level to the resources in the account.
17
19
***User**: The default. With this role, users can work with your repositories and pipelines, but cannot change settings
18
20
on clusters, docker registries, git integrations, shared configurations etc.
19
-
***Administrator**:User withthis rolehave full access toyour accountand can change all your settings, so make sure that they are trusted colleagues.
21
+
***Administrator**:Withthis role, usershave full access toaccounts,and can change all settings, so make sure that they are trusted colleagues.
20
22
For guidelines on access control, see[Access control]({{site.baseurl}}/docs/administration/account-user-management/access-control/).
21
23
***SSO**: By default, SSO is not enabled for users. If required, explicitly select the SSO provider. For an overview of SSO, see[Single Sign on]({{site.baseurl}}/docs/single-sign-on/).
22
24
23
25
24
26
###Add a user to a Codefresh account
25
27
1. In the Codefresh UI, on the toolbar, click the**Settings** icon and then select**Account Settings**.
26
-
1. On the sidebar, from Access & Collaboration, select[**Users & Teams**](https://g.codefresh.io/account-admin/collaborators/users){:target="\_blank"}.
28
+
1. On the sidebar, from Access & Collaboration select[**Users & Teams**](https://g.codefresh.io/account-admin/collaborators/users){:target="\_blank"}.
27
29
1. Select**Users**, and then select**+[Add User]**.
28
30
1. Type the**User's email address**, and click**Invite**.
29
31
<!---add screenshot-->
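Review bot: the rendered diff switches to the add-users page at this point (line numbers restart at 9, and the headings `Users in Codefresh` and `Teams in Codefresh` are the targets of the anchors updated in the access-control hunks) without a visible file header, so confirm both files are in the commit. In the rewritten Administrator bullet, `have full access to accounts` reads as if one admin spans many accounts; the role is scoped to the account the user was added to ("Defines the user's access level to the resources in the account"), so `the account` is more accurate and keeps the trust warning precise. The unchanged context line above the heading also carries the typo `orgranization`.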
@@ -45,10 +47,10 @@ Once you add a user to your Codefresh account, you can do the following to manag
45
47
46
48
47
49
##Teams in Codefresh
48
-
Teams are users who share the same permissions, roles, oras required and defined according to company processes. Teams allow you to enforce access control through ABAC (Attribute Based Access Control).
50
+
Teams are users who share the same permissions, roles, orrequirements defined according to company processes. Teams allow you to enforce access control through ABAC (Attribute Based Access Control).
49
51
By default, there are two teams:
50
52
* Users
51
-
*Admins with users[invited as collaborators]({{site.baseurl}}/docs/accounts/assign-a-user-to-a-team/)
53
+
* Admins with users[invited as collaborators](#assign-a-user-to-a-team)
52
54
53
55
>Only Enterprise customers can add new teams. Other Codefresh plans can only use the predefined*Users* and*Admin* teams.[Contact us](https://codefresh.io/contact-us/){:target="\_blank"} to upgrade to an Enterprise plan.
54
56
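Review bot: `[invited as collaborators](#assign-a-user-to-a-team)` now relies on a heading `Assign a user to a team` existing in this file; it is not in view in this diff, so verify the anchor resolves. The default team is listed as `Admins` in the bullet but as `*Admin*` in the note below it; use one spelling. The rewritten definition still reads awkwardly (`share the same permissions, roles, or requirements defined according to company processes`); `share the same permissions or roles, or are grouped according to company processes` would say the same thing more clearly.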
@@ -84,10 +86,11 @@ As an administrator, you can optionally define session timeouts to automatically
84
86
85
87
>The maximum duration for inactivity is 30 days. Inactive users are warned 15 minutes before they are logged out.
86
88
87
-
1. In the Codefresh UI, on the toolbar, click the**Settings** icon and then select**Account Settings**.
89
+
1. In the Codefresh UI, on the toolbar, click the**Settings** icon, and then select**Account Settings**.
88
90
1. On the sidebar, from Access & Collaboration, select[**Users & Teams**](https://g.codefresh.io/account-admin/collaborators/users){:target="\_blank"}.
89
91
1. Select**Security**.
90
92
1. For**User Session**, add the timeout duration in minutes/hours/days.
93
+
1. To restrict invitations to specific email domains, below User Invitations, turn on**Restrict inviting additional users..** and then in the**Email domains**, type in the domains to allow, one per line.
91
94
92
95
{% include image.html
93
96
lightbox="true"
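Review bot: in the new step 5, `**Restrict inviting additional users..**` has a double period where the option name is cut short; use the full label or a proper ellipsis, and `in the **Email domains**, type in` is missing its noun (the version being removed later in this diff says `the **Email domains** field`). Since this setting is the account-level control that stops invitations going to addresses outside the organization, a short sentence on what happens to an invitation sent to a domain that is not listed would make the step complete.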
@@ -98,18 +101,14 @@ As an administrator, you can optionally define session timeouts to automatically
98
101
max-width="90%"
99
102
%}
100
103
101
-
{:start="5"}
102
-
1. To restrict invitations to specific email domains, in the**Email domains** field below User Invitations, type in the domains to allow, one per line.
103
-
104
104
##Troubleshoot add users
105
105
106
-
*[User is prompted to enter an organization name](https://support.codefresh.io/hc/en-us/articles/360020177959-User-is-prompted-to-enter-an-organization-name)
107
-
*[Account invitation not permitting login](https://support.codefresh.io/hc/en-us/articles/360015251000-Account-invitation-not-permitting-login)
108
-
106
+
*[User is prompted to enter an organization name](https://support.codefresh.io/hc/en-us/articles/360020177959-User-is-prompted-to-enter-an-organization-name){:target="\_blank"}
107
+
*[Account invitation not permitting login](https://support.codefresh.io/hc/en-us/articles/360015251000-Account-invitation-not-permitting-login){:target="\_blank"}
109
108
<!--this is already mentioned as inline refs; add other topics-->
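Review bot: dropping `{:start="5"}` and the old step 5 here is consistent with moving that step above the screenshot in the previous hunk, and adding `{:target="\_blank"}` to the two support links matches the convention used for the other external links in these files. The trailing `<!--this is already mentioned as inline refs; add other topics-->` comment is left in place, so the troubleshooting list is still flagged as incomplete.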