Code Stream provides several ways to ensure that users have the appropriate authorization and consent to work with pipelines that release your software applications.
Each member on a team has an assigned role, which gives specific permissions on pipelines, endpoints, and dashboards, and the ability to mark resources as restricted.
User operations and approvals enable you to control when a pipeline runs and must stop for an approval. Your role determines whether you can resume a pipeline, and run pipelines that include restricted endpoints or variables.
Use secret variables to hide and encrypt sensitive information. Use restricted variable for strings, passwords, and URLs that must be hidden and encrypted, and to restrict use in executions. For example, use a secret variable for a password or URL. You can use secret and restricted variables in any type of task in your pipeline.
What are Roles in Code Stream
Depending on your role in Code Stream, you can perform certain actions and access certain areas. For example, your role might enable you to create, update, and run pipelines. Or, you might only have permission to view pipelines.
All actions except restricted means this role has permission to perform create, read, update, and delete actions on entities except for restricted variables and endpoints.
|Code Stream Roles|
|Access levels||Code Stream Administrator||Code Stream Developer||Code Stream Executor||Code Stream Viewer||Code Stream User|
|Code Stream service level access||All Actions||All actions except restricted||Execution actions||Read only||None|
|Project level access: Project Admin||All Actions||All Actions||All Actions||All Actions||All Actions|
|Project level access: Project Member||All Actions||All actions except restricted||All actions except restricted||All actions except restricted||All actions except restricted|
|Project level access: Project Viewer||All Actions||All actions except restricted||Execution actions||Read only||Read only|
Users who have the Project Admin role can perform all actions on projects where they are a Project administrator.
A Project administrator can create, read, update, and delete pipelines, variables, endpoints, dashboards, triggers, and start a pipeline that includes restricted endpoints or variables if these resources are in the project where the user is a Project administrator.
Users who have the Service Viewer role can see all the information that is available to the administrator. They cannot take any action unless an administrator makes them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer would not extend their permissions the way that the administrator or member role does. This role is read-only across all projects.
If you have read permissions in a project, you can still see restricted resources.
- To see restricted endpoints, which display a lock icon on the endpoint card, click .
- To see restricted and secret variables, which display RESTRICTED or SECRET in the Type column, click .
|UI Context||Capabilities||Code Stream Administrator role||Code Stream Developer role||Code Stream Executor role||Code Stream Viewer role||Code Stream User role|
|Run pipelines that include restricted endpoints or variables||Yes|
|View pipeline executions||Yes||Yes||Yes||Yes|
|Resume, pause, and cancel pipeline executions||Yes||Yes||Yes|
|Resume pipelines that stop for approval on restricted resources||Yes|
|Create custom integrations||Yes||Yes|
|Read custom integrations||Yes||Yes||Yes||Yes|
|Update custom integrations||Yes||Yes|
|Mark resources as restricted|
|Mark an endpoint or variable as restricted||Yes|
Custom roles and permissions in Code Stream
You can create custom roles in Cloud Assembly that extend privileges to users who work with pipelines. When you create a custom role for Code Stream pipelines, you select one or more Pipeline permissions.
Select the minimal number of Pipeline permissions required for users who will be assigned this custom role.
When a user is assigned to a project and given a role in that project, and that user is assigned a custom role that includes one or more Pipeline permissions, they can perform all the actions that the permissions allow. For example, they can create restricted variables, manage restricted pipelines, create and manage custom integrations, and more.
|Pipeline Permission||Code Stream Administrator||Code Stream Developer||Code Stream Executor||Code Stream Viewer||Code Stream User||Project Administrator||Project Member||Project Viewer|
|Manage Restricted Pipelines||Yes||Yes|
|Manage Custom Integrations||Yes||Yes|
|Execute Restricted Pipelines||Yes||Yes|
|Read. This permission is not visible.||Yes||Yes||Yes||Yes||Yes||Yes||Yes|
|Permission||What you can do|
|Manage Restricted Pipelines||
|Manage Custom Integrations||
|Execute Restricted Pipelines||
Custom roles can include combinations of permissions. These permissions are organized into groups of capabilities that enable users to manage or run pipelines, with and without restricted resources. These permissions represent all the capabilities that each role can perform in Code Stream.
For example, if you create a custom role and include the permission called Manage Restricted Pipelines, users who have the Code Stream Developer role can:
- Create, update, and delete endpoints.
- Mark endpoints as restricted, update restricted endpoints, and delete them.
- Create, update, and delete regular and secret variables.
- Create, update, and delete restricted variables.
|Number of Permissions Assigned to Custom Role||Examples of Combined Permissions||How to use this combination|
|Single permission||Execute Pipelines|
|Two permissions||Manage Pipelines and Execute Pipelines|
|Three permissions||Manage Pipelines and Execute Pipelines and Execute Restricted Pipelines|
|Manage Pipelines and Manage Custom Integrations and Execute Restricted Pipelines||
This combination might apply to a Code Stream Developer role but be limited to the projects where the user is a member.
|Manage Pipelines and Manage Custom Integrations and Manage Executions||
This combination might apply to a Code Stream Administrator but limited to the projects where user is a member.
|Manage Pipelines, Manage Restricted Pipelines, and Manage Custom Integrations||With this combination, a user has full permissions and can create and delete anything in Code Stream.|
If you have the Administrator role
As an administrator, you can create custom integrations, endpoints, variables, triggers, pipelines, and dashboards.
Projects enable pipelines to access infrastructure resources. Administrators create projects so that users can group pipelines, endpoints, and dashboards together. Users then select the project in their pipelines. Each project includes an administrator and users with assigned roles.
With the Administrator role, you can mark endpoints and variables as restricted resources, and you can run pipelines that use restricted resources. If a non-administrative user runs the pipeline that includes a restricted endpoint or variable, the pipeline will stop at the task where the restricted variable is used, and an administrator must resume the pipeline.
As an administrator, you can also request that pipelines be published in VMware Service Broker.
If you have the Developer role
You can work with pipelines like an administrator can, except that you cannot work with restricted endpoints or variables.
If you run a pipeline that uses restricted endpoints or variables, the pipeline only runs up to the task that uses the restricted resource. Then, it stops, and a Code Stream administrator or project administrator must resume the pipeline.
If you have the User role
You can access Code Stream, but do not have any privileges as the other roles provide.
If you have the Viewer role
You can see the same resources that an administrator sees, such as pipelines, endpoints, pipeline executions, dashboards, custom integrations, and triggers, but you cannot create, update, or delete them. To perform actions, the Viewer role must also be given the project administrator or project member role.
Users who have the Viewer role can see projects. They can also see restricted endpoints and restricted variables, but cannot see the detailed information about them.
If you have the Executor role
You can run pipelines and take action on user operation tasks. You can also resume, pause, and cancel pipeline executions. But, you cannot modify pipelines.
How do I assign and update roles
To assign and update roles for other users, you must be an administrator.
- To see the active users and their roles, in vRealize Automation Cloud, click the nine dots at the upper right.
- Click Identity & Access Management.
- To display user names and roles, click Active Users.
- To add roles for a user, or change their roles, click the check box next to the user name, and click Edit Roles.
- When you add or change user roles, you can also add access to services.
- To save your changes, click Save.