vRealize Automation Code Stream provides several ways to ensure that users have the appropriate authorization and consent to work with pipelines that release your software applications.

Each member on a team has an assigned role, which gives specific permissions on pipelines, endpoints, and dashboards, and the ability to mark resources as restricted.

User operations and approvals allow you to control when a pipeline runs and must stop for an approval. Your role determines whether you can resume a pipeline, and run pipelines that include restricted endpoints or variables.

Use secret variables to hide and encrypt sensitive information. Use restricted variables for strings, passwords, and URLs that must be hidden and encrypted, and whose use in executions must also be restricted. For example, use a secret variable for a password or URL. You can use secret and restricted variables in any type of task in your pipeline.

What are Roles in vRealize Automation Code Stream

Depending on your role in vRealize Automation Code Stream, you can perform certain actions and access certain areas. For example, your role might allow you to create, update, and run pipelines. Or, you might only have permission to view pipelines.

All - restricted means this role has permission to perform create, read, update, and delete actions on entities except for restricted variables and endpoints.

Table 1. Service and Project level access permissions in vRealize Automation Code Stream
vRealize Automation Code Stream Roles

| Access levels | Administrator | Developer | Executor | Viewer | User |
|---|---|---|---|---|---|
| vRealize Automation Code Stream service level access | All Actions | All - restricted | Execution actions | Read only | None |
| Project level access: Project Admin | All Actions | All - restricted | All - restricted | All - restricted | All - restricted |
| Project level access: Project Member | All Actions | All - restricted | All - restricted | All - restricted | All - restricted |
| Project level access: Project Viewer | All Actions | All - restricted | Execution actions | Read only | Read only |

Users who have the Service Viewer role can see all the information that is available to the administrator. They cannot take any action unless an administrator makes them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer role does not extend their permissions the way that the project administrator or project member role does. This role is read-only across all projects.

Table 2. Permissions and roles in vRealize Automation Code Stream
| Permission | Administrator role | Developer role | Executor role | Viewer role | User role |
|---|---|---|---|---|---|
| Pipelines: View | Yes | Yes | Yes | Yes | |
| Pipelines: Create | Yes | Yes | | | |
| Pipelines: Run | Yes | Yes | Yes | | |
| Pipelines: Run pipelines that include restricted endpoints or variables. | Yes | | | | |
| Pipelines: Update | Yes | Yes | | | |
| Pipelines: Delete | Yes | Yes | | | |
| Pipeline executions: View | Yes | Yes | Yes | Yes | |
| Pipeline executions: Resume, pause, cancel | Yes | Yes | Yes | | |
| Pipeline executions: Resume pipelines that stop for approval on restricted resources. | Yes | | | | |
| Custom integrations: Create | Yes | Yes | | | |
| Custom integrations: Read | Yes | Yes | | | |
| Custom integrations: Update | Yes | Yes | | | |
| Endpoints: View | Yes | Yes | Yes | Yes | |
| Endpoints: Create | Yes | Yes | | | |
| Endpoints: Update | Yes | Yes | | | |
| Endpoints: Delete | Yes | Yes | | | |
| Endpoint or variable: Mark as restricted | Yes | | | | |
| Dashboards: View | Yes | Yes | Yes | Yes | |
| Dashboards: Create | Yes | Yes | | | |
| Dashboards: Update | Yes | Yes | | | |
| Dashboards: Delete | Yes | Yes | | | |

If you have the Administrator role

As an administrator, you can create integration endpoints, triggers, new pipelines, and dashboards.

Projects allow pipelines to access infrastructure resources. Administrators create projects so that users can group pipelines, endpoints, and dashboards together. Users then select the project in their pipelines. Each project includes an administrator and users with assigned roles.

With the Administrator role, you can mark endpoints and variables as restricted resources in a pipeline, and you can run pipelines that use restricted resources. A restricted endpoint or variable that a pipeline uses requires an approval to keep the pipeline running. Otherwise, the pipeline stops at the task where the restricted variable is used until approval is granted, at which point an administrator must resume the pipeline to run. When a pipeline task includes a restricted resource, the task in the pipeline displays an icon that indicates the resource is restricted.

As an administrator, you can also request that pipelines be published in vRealize Automation Service Broker.

If you have the Developer role

You can work with pipelines like an administrator can, except that you cannot work with restricted endpoints or variables.

If you run a pipeline that uses restricted endpoints or variables, the pipeline only runs up to the task that uses the restricted resource. Then, it stops. You must then get approval for the pipeline task, and have an administrator resume the pipeline.
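
The stop, approve, and resume behavior described for the Administrator and Developer roles can be modeled in a few lines. This is an added example, not vRealize Automation Code Stream code or its API: the class, status strings, task names, and variable names are hypothetical, and it assumes every non-administrator role that can run pipelines is stopped at a restricted task the same way the Developer role is.

```python
# Added example: a model of the rules described on this page, not product code.
from dataclasses import dataclass, field

# Role sets transcribed from Table 2 ("Pipelines: Run", "Resume, pause, cancel").
CAN_RUN = {"Administrator", "Developer", "Executor"}
CAN_RESUME = {"Administrator", "Developer", "Executor"}
CAN_USE_RESTRICTED = {"Administrator"}  # run or resume on restricted resources

@dataclass
class Execution:
    tasks: list                 # [(task_name, [resource names used]), ...]
    restricted: set             # resources an administrator marked as restricted
    position: int = 0
    status: str = "NOT_STARTED"
    approved: set = field(default_factory=set)  # task names with approval granted

    def _advance(self, role):
        # Run tasks in order; stop at the first task that touches a restricted
        # resource when the acting role may not use restricted resources.
        while self.position < len(self.tasks):
            name, uses = self.tasks[self.position]
            if self.restricted.intersection(uses) and role not in CAN_USE_RESTRICTED:
                self.status = "STOPPED_AT:" + name
                return self.status
            self.position += 1
        self.status = "COMPLETED"
        return self.status

    def run(self, role):
        if role not in CAN_RUN:
            raise PermissionError(f"{role} role cannot run pipelines")
        return self._advance(role)

    def resume(self, role):
        if role not in CAN_RESUME:
            raise PermissionError(f"{role} role cannot resume executions")
        if self.status.startswith("STOPPED_AT:"):
            task = self.status.split(":", 1)[1]
            if task not in self.approved:
                raise PermissionError("approval has not been granted for " + task)
            if role not in CAN_USE_RESTRICTED:
                raise PermissionError("an Administrator must resume " + task)
        return self._advance(role)

def demo_execution():
    # Constructed sample pipeline; task and variable names are hypothetical.
    tasks = [("build", ["git-endpoint"]), ("deploy", ["prodPassword"]), ("notify", [])]
    return Execution(tasks=tasks, restricted={"prodPassword"})
```

In the model, approval alone does not let a Developer continue: the resume call still has to come from the Administrator role, which is the separation Table 2 expresses in its two restricted-resource rows.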

If you have the User role

You can access vRealize Automation Code Stream, but you do not have any of the privileges that the other roles provide.

If you have the Viewer role

You can see pipelines, endpoints, pipeline executions, and dashboards, but you cannot create, update, or delete them.

A user who also has the Service Viewer role can see all the information that is available to the administrator. They cannot take any action unless you make them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer role does not extend their permissions the way that the project administrator or project member role does.

If you have the Executor role

You can run pipelines and take action on user operation tasks. You can also resume, pause, and cancel pipeline executions. But, you cannot modify pipelines.

How do I assign and update roles

To assign and update roles for other users, you must be an administrator.

  1. To see the active users and their roles, in vRealize Automation, click the nine dots at the upper-right.
  2. Click Identity & Access Management.
  3. To display user names and roles, click Active Users.
  4. To add roles for a user, or change their roles, click the check box next to the user name, and click Edit Roles.
  5. When you add or change user roles, you can also add access to services.
  6. To save your changes, click Save.