Code Stream provides several ways to ensure that users have the appropriate authorization and consent to work with pipelines that release your software applications.

Each member on a team has an assigned role, which gives specific permissions on pipelines, endpoints, and dashboards, and the ability to mark resources as restricted.

User operations and approvals enable you to control when a pipeline runs and must stop for an approval. Your role determines whether you can resume a pipeline, and run pipelines that include restricted endpoints or variables.

Use secret variables to hide and encrypt sensitive information such as passwords and URLs. Use restricted variables for strings, passwords, and URLs that must be hidden and encrypted and whose use in pipeline executions must also be restricted. You can use secret and restricted variables in any type of task in your pipeline.

What are Roles in Code Stream

Depending on your role in Code Stream, you can perform certain actions and access certain areas. For example, your role might enable you to create, update, and run pipelines. Or, you might only have permission to view pipelines.

In the tables that follow, "All actions except restricted" means that the role can create, read, update, and delete entities, except for restricted variables and endpoints.

Table 1. Service and Project level access permissions in Code Stream

Access level | Code Stream Administrator | Code Stream Developer | Code Stream Executor | Code Stream Viewer | Code Stream User
Code Stream service level access | All actions | All actions except restricted | Execution actions | Read only | None
Project level access: Project Admin | All actions | All actions | All actions | All actions | All actions
Project level access: Project Member | All actions | All actions except restricted | All actions except restricted | All actions except restricted | All actions except restricted
Project level access: Project Viewer | All actions | All actions except restricted | Execution actions | Read only | Read only

Users who have the Project Admin role can perform all actions on projects where they are a Project administrator.

A Project administrator can create, read, update, and delete pipelines, variables, endpoints, dashboards, triggers, and start a pipeline that includes restricted endpoints or variables if these resources are in the project where the user is a Project administrator.

Users who have the Code Stream Viewer role can see all the information that an administrator sees, but they cannot take any action unless an administrator also makes them a Project Admin or Project Member. When the user is affiliated with a project, they have the permissions of that project role. The Project Viewer role does not extend their permissions the way the Project Admin or Project Member role does; the Viewer role is read-only across all projects.

If you have read permissions in a project, you can still see restricted resources.

  • To see restricted endpoints, which display a lock icon on the endpoint card, click Configure > Endpoints.
  • To see restricted and secret variables, which display RESTRICTED or SECRET in the Type column, click Configure > Variables.
Table 2. Code Stream service role capabilities

Capability | Code Stream Administrator | Code Stream Developer | Code Stream Executor | Code Stream Viewer | Code Stream User

Pipelines
View pipelines | Yes | Yes | Yes | Yes | No
Create pipelines | Yes | Yes | No | No | No
Run pipelines | Yes | Yes | Yes | No | No
Run pipelines that include restricted endpoints or variables | Yes | No | No | No | No
Update pipelines | Yes | Yes | No | No | No
Delete pipelines | Yes | Yes | No | No | No

Pipeline executions
View pipeline executions | Yes | Yes | Yes | Yes | No
Resume, pause, and cancel pipeline executions | Yes | Yes | Yes | No | No
Resume pipelines that stop for approval on restricted resources | Yes | No | No | No | No

Custom integrations
Create custom integrations | Yes | Yes | No | No | No
Read custom integrations | Yes | Yes | Yes | Yes | No
Update custom integrations | Yes | Yes | No | No | No

Endpoints
View endpoints | Yes | Yes | Yes | Yes | No
Create endpoints | Yes | Yes | No | No | No
Update endpoints | Yes | Yes | No | No | No
Delete endpoints | Yes | Yes | No | No | No

Mark resources as restricted
Mark an endpoint or variable as restricted | Yes | No | No | No | No

Dashboards
View dashboards | Yes | Yes | Yes | Yes | No
Create dashboards | Yes | Yes | No | No | No
Update dashboards | Yes | Yes | No | No | No
Delete dashboards | Yes | Yes | No | No | No

Custom roles and permissions in Code Stream

You can create custom roles in Cloud Assembly that extend privileges to users who work with pipelines. When you create a custom role for Code Stream pipelines, you select one or more Pipeline permissions.

Select the minimal number of Pipeline permissions required for users who will be assigned this custom role.

When a user is assigned to a project and given a role in that project, and that user is assigned a custom role that includes one or more Pipeline permissions, they can perform all the actions that the permissions allow. For example, they can create restricted variables, manage restricted pipelines, create and manage custom integrations, and more.

Table 3. Pipeline permissions that you can assign to custom roles
Pipeline Permission Code Stream Administrator Code Stream Developer Code Stream Executor Code Stream Viewer Code Stream User Project Administrator Project Member Project Viewer
Manage Pipelines Yes Yes Yes Yes
Manage Restricted Pipelines Yes Yes
Manage Custom Integrations Yes Yes
Execute Pipelines Yes Yes Yes Yes Yes
Execute Restricted Pipelines Yes Yes
Manage Executions Yes Yes
Read (this permission is not shown in the UI) Yes Yes Yes Yes Yes Yes Yes
Table 4. How you can use Pipeline permissions with custom roles
Permission What you can do
Manage Pipelines
  • Create, update, delete, clone pipelines.
  • Release and unrelease pipelines to VMware Service Broker.
  • Create, update, and delete endpoints.
  • Create, update, and delete regular and secret variables.
  • Create, clone, update, and delete a Gerrit listener.
  • Connect and disconnect a Gerrit listener.
  • Create, clone, update, delete a Gerrit trigger.
  • Create, update, and delete a Git webhook.
  • Create, update, and delete a Docker webhook.
  • Use smart pipeline templates to create pipelines.
  • Import pipelines from YAML, and export them to YAML.
  • Create, update, and delete custom dashboards.
  • Read all custom integrations.
  • Read all restricted endpoints and variables, but cannot view their values.
Manage Restricted Pipelines
  • Create, update, and delete endpoints.
  • Mark endpoints as restricted, update restricted endpoints, and delete them.
  • Create, update, and delete regular and secret variables.
  • Create, update, and delete restricted variables.
  • Everything that Manage Pipelines allows.
Manage Custom Integrations
  • Create and update custom integrations.
  • Version and release custom integrations.
  • Delete and deprecate custom integration versions.
  • Delete custom integrations.
Execute Pipelines
  • Run pipelines.
  • Pause, resume, and cancel pipeline executions.
  • Rerun pipeline executions.
  • Resume, rerun, and manually trigger a Gerrit trigger event.
  • Approve a user operation, and can do batch approvals of user operations.
Execute Restricted Pipelines
  • Run pipelines.
  • Pause, resume, cancel, and delete pipeline executions.
  • Rerun pipeline executions.
  • Sync a running pipeline execution.
  • Force delete a running pipeline execution.
  • Resume, rerun, delete, and manually trigger a Gerrit trigger event.
  • Resolve restricted items and continue the pipeline execution.
  • Switch user context and continue the pipeline execution after a User Operation task approval.
  • Everything that Execute Pipelines allows.
Manage Executions
  • Run pipelines.
  • Pause, resume, cancel, and delete pipeline executions.
  • Rerun pipeline executions.
  • Resume, rerun, delete, and manually trigger a Gerrit trigger event.
  • Everything that Execute Pipelines allows.

Custom roles can include combinations of permissions. These permissions are organized into groups of capabilities that enable users to manage or run pipelines, with and without restricted resources. These permissions represent all the capabilities that each role can perform in Code Stream.

For example, if you create a custom role and include the permission called Manage Restricted Pipelines, users who have the Code Stream Developer role can:

  • Create, update, and delete endpoints.
  • Mark endpoints as restricted, update restricted endpoints, and delete them.
  • Create, update, and delete regular and secret variables.
  • Create, update, and delete restricted variables.
Table 5. Example combinations of Pipeline permissions in custom roles

Single permission
  • Execute Pipelines.

Two permissions
  • Manage Pipelines and Execute Pipelines.

Three permissions
  • Manage Pipelines, Execute Pipelines, and Execute Restricted Pipelines.
  • Manage Pipelines, Manage Custom Integrations, and Execute Restricted Pipelines. This combination might suit a Code Stream Developer, limited to the projects where the user is a member.
  • Manage Pipelines, Manage Custom Integrations, and Manage Executions. This combination might suit a Code Stream Administrator, limited to the projects where the user is a member.
  • Manage Pipelines, Manage Restricted Pipelines, and Manage Custom Integrations. With this combination, a user has full permissions and can create and delete anything in Code Stream.

If you have the Administrator role

As an administrator, you can create custom integrations, endpoints, variables, triggers, pipelines, and dashboards.

Projects enable pipelines to access infrastructure resources. Administrators create projects so that users can group pipelines, endpoints, and dashboards together. Users then select the project in their pipelines. Each project includes an administrator and users with assigned roles.

With the Administrator role, you can mark endpoints and variables as restricted resources, and you can run pipelines that use restricted resources. If a user without that right runs a pipeline that includes a restricted endpoint or variable, the pipeline stops at the task that uses the restricted resource, and an administrator must resume it.

As an administrator, you can also request that pipelines be published in vRealize Automation Service Broker.

If you have the Developer role

You can work with pipelines like an administrator can, except that you cannot work with restricted endpoints or variables.

If you run a pipeline that uses restricted endpoints or variables, the pipeline only runs up to the task that uses the restricted resource. Then, it stops, and a Code Stream administrator or project administrator must resume the pipeline.
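The following model is an added illustration written for this page, not code from VMware or from Code Stream itself. It encodes the rules stated above so they can be checked against sample users: the Table 1 access levels (a project role can only widen what the service role grants), the additive Pipeline permissions of custom roles, and the way a pipeline halts at the first task that uses a restricted endpoint or variable until someone with the right to run restricted pipelines resumes it. Role and permission names are those the page uses; the users, project, pipeline, tasks, and resource names are constructed sample data, and treating custom-role permissions as effective only in projects where the user also holds a project role follows the custom roles section above.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Table 1 access levels, ordered so that max() selects the broader grant."""
    NONE = 0
    READ_ONLY = 1
    EXECUTE = 2                 # "Execution actions"
    ALL_EXCEPT_RESTRICTED = 3
    ALL = 4


SERVICE_LEVEL = {               # Table 1, "Code Stream service level access" row
    "Code Stream Administrator": Level.ALL,
    "Code Stream Developer": Level.ALL_EXCEPT_RESTRICTED,
    "Code Stream Executor": Level.EXECUTE,
    "Code Stream Viewer": Level.READ_ONLY,
    "Code Stream User": Level.NONE,
}

PROJECT_LEVEL = {               # Table 1, project-level rows (Code Stream User column)
    "Project Admin": Level.ALL,
    "Project Member": Level.ALL_EXCEPT_RESTRICTED,
    "Project Viewer": Level.READ_ONLY,
}


@dataclass
class User:
    name: str
    service_role: str
    project_roles: dict[str, str] = field(default_factory=dict)   # project -> project role
    custom_permissions: frozenset[str] = frozenset()              # Table 3 Pipeline permissions


@dataclass
class Task:
    name: str
    uses: frozenset[str]        # variables and endpoints the task references


@dataclass
class Pipeline:
    name: str
    project: str
    tasks: list[Task]
    restricted: frozenset[str]  # resources an administrator marked as restricted


@dataclass
class RunResult:
    status: str                 # "denied", "completed" or "waiting-for-admin"
    completed: list[str]
    halted_at: Optional[str] = None


def effective_level(user: User, project: str) -> Level:
    """Table 1: Project Admin yields All actions whatever the service role, and
    Code Stream Administrator yields All actions whatever the project role."""
    project_role = user.project_roles.get(project)
    project_level = PROJECT_LEVEL[project_role] if project_role else Level.NONE
    return max(SERVICE_LEVEL[user.service_role], project_level)


def has_custom(user: User, project: str, permission: str) -> bool:
    """Assumption from the custom roles section: a custom role's Pipeline
    permissions apply only in projects where the user also holds a project role."""
    return project in user.project_roles and permission in user.custom_permissions


def can_run(user: User, project: str) -> bool:
    return effective_level(user, project) >= Level.EXECUTE or has_custom(user, project, "Execute Pipelines")


def can_run_restricted(user: User, project: str) -> bool:
    """Only All actions (Code Stream Administrator or Project Admin) or the Execute
    Restricted Pipelines permission may run past a task that uses a restricted resource."""
    return effective_level(user, project) == Level.ALL or has_custom(user, project, "Execute Restricted Pipelines")


def simulate_run(user: User, pipeline: Pipeline, start: int = 0, done: Optional[list[str]] = None) -> RunResult:
    """Run tasks in order and halt at the first task touching a restricted resource
    unless the user may run restricted pipelines."""
    if not can_run(user, pipeline.project):
        return RunResult("denied", list(done or []))
    completed = list(done or [])
    for task in pipeline.tasks[start:]:
        if task.uses & pipeline.restricted and not can_run_restricted(user, pipeline.project):
            return RunResult("waiting-for-admin", completed, task.name)
        completed.append(task.name)
    return RunResult("completed", completed)


def resume(result: RunResult, user: User, pipeline: Pipeline) -> RunResult:
    """Resuming a halted run needs the same right as running it; others are refused."""
    if result.status != "waiting-for-admin":
        return result
    if not can_run_restricted(user, pipeline.project):
        return RunResult("denied", result.completed, result.halted_at)
    names = [t.name for t in pipeline.tasks]
    return simulate_run(user, pipeline, start=names.index(result.halted_at), done=result.completed)


if __name__ == "__main__":
    # Constructed sample: the deploy task uses an endpoint marked restricted.
    release = Pipeline("release", "payments",
                       [Task("build", frozenset({"git-endpoint"})),
                        Task("deploy", frozenset({"prod-k8s-endpoint"})),
                        Task("notify", frozenset())],
                       restricted=frozenset({"prod-k8s-endpoint"}))
    dana = User("dana", "Code Stream Developer", {"payments": "Project Member"})
    ava = User("ava", "Code Stream Administrator")
    halted = simulate_run(dana, release)
    print(halted)                        # halts at "deploy", waiting for an administrator
    print(resume(halted, dana, release))   # the developer cannot resume it
    print(resume(halted, ava, release))    # the administrator completes the run
```

The point worth checking in practice is the `has_custom` rule: a custom role carrying Execute Restricted Pipelines does nothing for a user in a project where they hold no project role, while a Project Admin gets All actions in that project even when their service role is only Code Stream Viewer.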

If you have the User role

You can sign in to Code Stream, but you have none of the privileges that the other roles provide.

If you have the Viewer role

You can see the same resources that an administrator sees, such as pipelines, endpoints, pipeline executions, dashboards, custom integrations, and triggers, but you cannot create, update, or delete them. To perform actions, the Viewer role must also be given the project administrator or project member role.

Users who have the Viewer role can see projects. They can also see restricted endpoints and restricted variables, but cannot see the detailed information about them.

If you have the Executor role

You can run pipelines and take action on user operation tasks. You can also resume, pause, and cancel pipeline executions. But, you cannot modify pipelines.

How do I assign and update roles

To assign and update roles for other users, you must be an administrator.

  1. To see the active users and their roles, in vRealize Automation, click the nine dots at the upper right.
  2. Click Identity & Access Management.

    The VMware Cloud services pane opens the Identity and Access Management page and displays users and their roles.

  3. To display user names and roles, click Active Users.

    The Identity and Access Management page displays user names, email addresses, organization roles, and service roles.

  4. To add roles for a user, or change their roles, click the check box next to the user name, and click Edit Roles.
  5. When you add or change user roles, you can also add access to services.
  6. To save your changes, click Save.