How do I manage user access and approvals in Code Stream

Code Stream provides several ways to ensure that users have the appropriate authorization and consent to work with pipelines that release your software applications.

Each member on a team has an assigned role, which gives specific permissions on pipelines, endpoints, and dashboards, and the ability to mark resources as restricted.

User operations and approvals enable you to control when a pipeline runs and must stop for an approval. Your role determines whether you can resume a pipeline, and run pipelines that include restricted endpoints or variables.

Use secret variables to hide and encrypt sensitive information. Use restricted variable for strings, passwords, and URLs that must be hidden and encrypted, and to restrict use in executions. For example, use a secret variable for a password or URL. You can use secret and restricted variables in any type of task in your pipeline.

What are Roles in Code Stream

Depending on your role in Code Stream, you can perform certain actions and access certain areas. For example, your role might enable you to create, update, and run pipelines. Or, you might only have permission to view pipelines.

All actions except restricted means this role has permission to perform create, read, update, and delete actions on entities except for restricted variables and endpoints.

Table 1. Service and Project level access permissions in Code Stream
	Code Stream Roles
Access levels	Code Stream Administrator	Code Stream Developer	Code Stream Executor	Code Stream Viewer	Code Stream User
Code Stream service level access	All Actions	All actions except restricted	Execution actions	Read only	None
Project level access: Project Admin	All Actions	All Actions	All Actions	All Actions	All Actions
Project level access: Project Member	All Actions	All actions except restricted	All actions except restricted	All actions except restricted	All actions except restricted
Project level access: Project Viewer	All Actions	All actions except restricted	Execution actions	Read only	Read only

Users who have the Project Admin role can perform all actions on projects where they are a Project administrator.

A Project administrator can create, read, update, and delete pipelines, variables, endpoints, dashboards, triggers, and start a pipeline that includes restricted endpoints or variables if these resources are in the project where the user is a Project administrator.

Users who have the Service Viewer role can see all the information that is available to the administrator. They cannot take any action unless an administrator makes them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer would not extend their permissions the way that the administrator or member role does. This role is read-only across all projects.

If you have read permissions in a project, you can still see restricted resources.

To see restricted endpoints, which display a lock icon on the endpoint card, click Configure > Endpoints.
To see restricted and secret variables, which display RESTRICTED or SECRET in the Type column, click Configure > Variables.

Table 2. Code Stream service role capabilities
UI Context	Capabilities	Code Stream Administrator role	Code Stream Developer role	Code Stream Executor role	Code Stream Viewer role
Pipelines
	View pipelines	Yes	Yes	Yes	Yes
	Create pipelines	Yes	Yes
	Run pipelines	Yes	Yes	Yes
	Run pipelines that include restricted endpoints or variables	Yes
	Update pipelines	Yes	Yes
	Delete pipelines	Yes	Yes
Pipeline Executions
	View pipeline executions	Yes	Yes	Yes	Yes
	Resume, pause, and cancel pipeline executions	Yes	Yes	Yes
	Resume pipelines that stop for approval on restricted resources	Yes
Custom Integrations
	Create custom integrations	Yes	Yes
	Read custom integrations	Yes	Yes	Yes	Yes
	Update custom integrations	Yes	Yes
Endpoints
	View executions	Yes	Yes	Yes	Yes
	Create executions	Yes	Yes
	Update executions	Yes	Yes
	Delete executions	Yes	Yes
Mark resources as restricted
	Mark an endpoint or variable as restricted	Yes
Dashboards
	View dashboards	Yes	Yes	Yes	Yes
	Create dashboards	Yes	Yes
	Update dashboards	Yes	Yes
	Delete dashboards	Yes	Yes

Custom roles and permissions in Code Stream

You can create custom roles in Cloud Assembly that extend privileges to users who work with pipelines. When you create a custom role for Code Stream pipelines, you select one or more Pipeline permissions.

Select the minimal number of Pipeline permissions required for users who will be assigned this custom role.

When a user is assigned to a project and given a role in that project, and that user is assigned a custom role that includes one or more Pipeline permissions, they can perform all the actions that the permissions allow. For example, they can create restricted variables, manage restricted pipelines, create and manage custom integrations, and more.

Table 3. Pipeline permissions that you can assign to custom roles
Pipeline Permission	Code Stream Administrator	Code Stream Developer	Code Stream Executor	Code Stream Viewer	Project Administrator	Project Member	Project Viewer
Manage Pipelines	Yes	Yes			Yes	Yes
Manage Restricted Pipelines	Yes				Yes
Manage Custom Integrations	Yes	Yes
Execute Pipelines	Yes	Yes	Yes		Yes	Yes
Execute Restricted Pipelines	Yes				Yes
Manage Executions	Yes				Yes
Read. This permission is not visible.	Yes	Yes	Yes	Yes	Yes	Yes	Yes

Table 4. How you can use Pipeline permissions with custom roles
Permission	What you can do
Manage Pipelines	Create, update, delete, clone pipelines. Release and unrelease pipelines to VMware Service Broker. Create, update, and delete endpoints. Create, update, and delete regular and secret variables. Create, clone, update, and delete a Gerrit listener. Connect and disconnect a Gerrit listener. Create, clone, update, delete a Gerrit trigger. Create, update, and delete a Git webhook. Create, update, and delete a Docker webhook. Use smart pipeline templates to create pipelines. Import pipelines from YAML, and export them to YAML. Create, update, and delete custom dashboards. Read all custom integrations. Read all restricted endpoints and variables, but cannot view their values.
Manage Restricted Pipelines	Create, update, and delete endpoints. Mark endpoints as restricted, update restricted endpoints, and delete them. Create, update, and delete regular and secret variables. Create, update, and delete restricted variables. All permissions that you can do with Manage Pipelines.
Manage Custom Integrations	Create and update custom integrations. Version and release custom integrations. Delete and deprecate custom integration versions. Delete custom integrations.
Execute Pipelines	Run pipelines. Pause, resume, and cancel pipeline executions. Rerun pipeline executions. Resume, rerun, and manually trigger a Gerrit trigger event. Approve a user operation, and can do batch approvals of user operations.
Execute Restricted Pipelines	Run pipelines. Pause, resume, cancel, and delete pipeline executions. Rerun pipeline executions. Sync a running pipeline execution. Force delete a running pipeline execution. Resume, rerun, delete, and manually trigger a Gerrit trigger event. Resolve restricted items and continue the pipeline execution. Switch user context and continue the pipeline execution after a User Operation task approval. All permissions that you can do with Execute Pipelines.
Manage Executions	Run pipelines. Pause, resume, cancel, and delete pipeline executions. Rerun pipeline executions. Resume, rerun, delete, and manually trigger a Gerrit trigger event. All permissions that you can do with Execute Pipelines.

Custom roles can include combinations of permissions. These permissions are organized into groups of capabilities that enable users to manage or run pipelines, with and without restricted resources. These permissions represent all the capabilities that each role can perform in Code Stream.

For example, if you create a custom role and include the permission called Manage Restricted Pipelines, users who have the Code Stream Developer role can:

Create, update, and delete endpoints.
Mark endpoints as restricted, update restricted endpoints, and delete them.
Create, update, and delete regular and secret variables.
Create, update, and delete restricted variables.

Table 5. Example combinations of Pipeline permissions in custom roles
Number of Permissions Assigned to Custom Role	Examples of Combined Permissions	How to use this combination
Single permission	Execute Pipelines
Two permissions	Manage Pipelines and Execute Pipelines
Three permissions	Manage Pipelines and Execute Pipelines and Execute Restricted Pipelines
	Manage Pipelines and Manage Custom Integrations and Execute Restricted Pipelines	This combination might apply to a Code Stream Developer role but be limited to the projects where the user is a member.
	Manage Pipelines and Manage Custom Integrations and Manage Executions	This combination might apply to a Code Stream Administrator but limited to the projects where user is a member.
	Manage Pipelines, Manage Restricted Pipelines, and Manage Custom Integrations	With this combination, a user has full permissions and can create and delete anything in Code Stream.

If you have the Administrator role

As an administrator, you can create custom integrations, endpoints, variables, triggers, pipelines, and dashboards.

Projects enable pipelines to access infrastructure resources. Administrators create projects so that users can group pipelines, endpoints, and dashboards together. Users then select the project in their pipelines. Each project includes an administrator and users with assigned roles.

With the Administrator role, you can mark endpoints and variables as restricted resources, and you can run pipelines that use restricted resources. If a non-administrative user runs the pipeline that includes a restricted endpoint or variable, the pipeline will stop at the task where the restricted variable is used, and an administrator must resume the pipeline.

As an administrator, you can also request that pipelines be published in vRealize Automation Service Broker.

If you have the Developer role

You can work with pipelines like an administrator can, except that you cannot work with restricted endpoints or variables.

If you run a pipeline that uses restricted endpoints or variables, the pipeline only runs up to the task that uses the restricted resource. Then, it stops, and a Code Stream administrator or project administrator must resume the pipeline.

If you have the User role

You can access Code Stream, but do not have any privileges as the other roles provide.

If you have the Viewer role

You can see the same resources that an administrator sees, such as pipelines, endpoints, pipeline executions, dashboards, custom integrations, and triggers, but you cannot create, update, or delete them. To perform actions, the Viewer role must also be given the project administrator or project member role.

Users who have the Viewer role can see projects. They can also see restricted endpoints and restricted variables, but cannot see the detailed information about them.

If you have the Executor role

You can run pipelines and take action on user operation tasks. You can also resume, pause, and cancel pipeline executions. But, you cannot modify pipelines.

How do I assign and update roles

To assign and update roles for other users, you must be an administrator.

To see the active users and their roles, in vRealize Automation, click the nine dots at the upper right.
Click Identity & Access Management.
To display user names and roles, click Active Users.
To add roles for a user, or change their roles, click the check box next to the user name, and click Edit Roles.
When you add or change user roles, you can also add access to services.
To save your changes, click Save.