How do I manage user access and approvals in Automation Pipelines

Automation Pipelines provides several ways to ensure that users have the appropriate authorization and consent to work with pipelines that release your software applications.
Each member on a team has an assigned role, which gives specific permissions on pipelines, endpoints, and dashboards, and the ability to mark resources as restricted.
User operations and approvals enable you to control when a pipeline runs and must stop for an approval. Your role determines whether you can resume a pipeline, and run pipelines that include restricted endpoints or variables.
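Use secret variables to hide and encrypt sensitive information. Use restricted variables for strings, passwords, and URLs that must be hidden and encrypted, and to restrict their use in executions. For example, use a secret variable for a password or URL. You can use secret and restricted variables in any type of task in a pipeline.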

What are Roles in Automation Pipelines

Depending on your role in Automation Pipelines, you can perform certain actions and access certain areas. For example, your role might enable you to create, update, and run pipelines. Or, you might only have permission to view pipelines.
All actions except restricted means that the role has permission to perform create, read, update, and delete actions on entities, except for restricted variables and endpoints.
Service and Project level access permissions in Automation Pipelines

| Access levels \ Automation Pipelines Roles | Automation Pipelines Administrator | Automation Pipelines Developer | Automation Pipelines Executor | Automation Pipelines Viewer | Automation Pipelines User |
|---|---|---|---|---|---|
| Automation Pipelines service level access | All Actions | All actions except restricted | Execution actions | Read only | None |
| Project level access: Project Admin | All Actions | All Actions | All Actions | All Actions | All Actions |
| Project level access: Project Member | All Actions | All actions except restricted | All actions except restricted | All actions except restricted | All actions except restricted |
| Project level access: Project Viewer | All Actions | All actions except restricted | Execution actions | Read only | Read only |

Users who have the Project Admin role can perform all actions on projects where they are a Project administrator.
A Project administrator can create, read, update, and delete pipelines, variables, endpoints, dashboards, triggers, and start a pipeline that includes restricted endpoints or variables if these resources are in the project where the user is a Project administrator.
Users who have the Service Viewer role can see all the information that is available to the administrator. They cannot take any action unless an administrator makes them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer would not extend their permissions the way that the administrator or member role does. This role is read-only across all projects.
If you have read permissions in a project, you can still see restricted resources.
  • To see restricted endpoints, which display a lock icon on the endpoint card, click Configure > Endpoints.
  • To see restricted and secret variables, which display RESTRICTED or SECRET in the Type column, click Configure > Variables.
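Automation Pipelines service role capabilities
UI Context | Capability | Automation Pipelines Administrator role | Automation Pipelines Developer role | Automation Pipelines Executor role | Automation Pipelines Viewer role | Automation Pipelines User role
Pipelines
  • View pipelines
  • Create pipelines
  • Run pipelines
  • Run pipelines that include restricted endpoints or variables
  • Update pipelines
  • Delete pipelines
Pipeline Executions
  • View pipeline executions
  • Resume, pause, and cancel pipeline executions
  • Resume pipelines that stop for approval on restricted resources
Custom Integrations
  • Create custom integrations
  • Read custom integrations
  • Update custom integrations
Endpoints
  • View executions
  • Create executions
  • Update executions
  • Delete executions
Mark resources as restricted
  • Mark an endpoint or variable as restricted
Dashboards
  • View dashboards
  • Create dashboards
  • Update dashboards
  • Delete dashboards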

Custom roles and permissions in Automation Pipelines

You can create custom roles in Automation Assembler that extend privileges to users who work with pipelines. When you create a custom role for Automation Pipelines pipelines, you select one or more Pipeline permissions.
Select the minimal number of Pipeline permissions required for users who will be assigned this custom role.
When a user is assigned to a project and given a role in that project, and that user is assigned a custom role that includes one or more Pipeline permissions, they can perform all the actions that the permissions allow. For example, they can create restricted variables, manage restricted pipelines, create and manage custom integrations, and more.
Pipeline permissions that you can assign to custom roles
Pipeline Permission | Automation Pipelines Administrator | Automation Pipelines Developer | Automation Pipelines Executor | Automation Pipelines Viewer | Automation Pipelines User | Project Administrator | Project Member | Project Viewer
Manage Pipelines
Yes
Yes
Yes
Yes
Manage Restricted Pipelines
Yes
Yes
Manage Custom Integrations
Yes
Yes
Execute Pipelines
Yes
Yes
Yes
Yes
Yes
Execute Restricted Pipelines
Yes
Yes
Manage Executions
Yes
Yes
Read. This permission is not visible.
Yes
Yes
Yes
Yes
Yes
Yes
Yes
How you can use Pipeline permissions with custom roles
Permission
What you can do
Manage Pipelines
  • Create, update, delete, clone pipelines.
  • Release and unrelease pipelines to Automation Service Broker.
  • Create, update, and delete endpoints.
  • Create, update, and delete regular and secret variables.
  • Create, clone, update, and delete a Gerrit listener.
  • Connect and disconnect a Gerrit listener.
  • Create, clone, update, delete a Gerrit trigger.
  • Create, update, and delete a Git webhook.
  • Create, update, and delete a Docker webhook.
  • Use smart pipeline templates to create pipelines.
  • Import pipelines from YAML, and export them to YAML.
  • Create, update, and delete custom dashboards.
  • Read all custom integrations.
  • Read all restricted endpoints and variables, but cannot view their values.
Manage Restricted Pipelines
  • Create, update, and delete endpoints.
  • Mark endpoints as restricted, update restricted endpoints, and delete them.
  • Create, update, and delete regular and secret variables.
  • Create, update, and delete restricted variables.
  • All permissions that you can do with Manage Pipelines.
Manage Custom Integrations
  • Create and update custom integrations.
  • Version and release custom integrations.
  • Delete and deprecate custom integration versions.
  • Delete custom integrations.
Execute Pipelines
  • Run pipelines.
  • Pause, resume, and cancel pipeline executions.
  • Rerun pipeline executions.
  • Resume, rerun, and manually trigger a Gerrit trigger event.
  • Approve a user operation, and can do batch approvals of user operations.
Execute Restricted Pipelines
  • Run pipelines.
  • Pause, resume, cancel, and delete pipeline executions.
  • Rerun pipeline executions.
  • Sync a running pipeline execution.
  • Force delete a running pipeline execution.
  • Resume, rerun, delete, and manually trigger a Gerrit trigger event.
  • Resolve restricted items and continue the pipeline execution.
  • Switch user context and continue the pipeline execution after a User Operation task approval.
  • All permissions that you can do with Execute Pipelines.
Manage Executions
  • Run pipelines.
  • Pause, resume, cancel, and delete pipeline executions.
  • Rerun pipeline executions.
  • Resume, rerun, delete, and manually trigger a Gerrit trigger event.
  • All permissions that you can do with Execute Pipelines.
Custom roles can include combinations of permissions. These permissions are organized into groups of capabilities that enable users to manage or run pipelines, with and without restricted resources. These permissions represent all the capabilities that each role can perform in Automation Pipelines.
For example, if you create a custom role and include the permission called Manage Restricted Pipelines, users who have the Automation Pipelines Developer role can:
  • Create, update, and delete endpoints.
  • Mark endpoints as restricted, update restricted endpoints, and delete them.
  • Create, update, and delete regular and secret variables.
  • Create, update, and delete restricted variables.
Example combinations of Pipeline permissions in custom roles

| Number of Permissions Assigned to Custom Role | Examples of Combined Permissions | How to use this combination |
|---|---|---|
| Single permission | Execute Pipelines | |
| Two permissions | Manage Pipelines and Execute Pipelines | |
| Three permissions | Manage Pipelines and Execute Pipelines and Execute Restricted Pipelines | |
| | Manage Pipelines and Manage Custom Integrations and Execute Restricted Pipelines | This combination might apply to an Automation Pipelines Developer role but be limited to the projects where the user is a member. |
| | Manage Pipelines and Manage Custom Integrations and Manage Executions | This combination might apply to an Automation Pipelines Administrator but limited to the projects where the user is a member. |
| | Manage Pipelines, Manage Restricted Pipelines, and Manage Custom Integrations | With this combination, a user has full permissions and can create and delete anything in Automation Pipelines. |
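
The guidance to select the minimal number of Pipeline permissions can be checked mechanically when you review custom roles. The following Python script is an added example, not VMware code: it encodes only the "All permissions that you can do with ..." statements from the permission descriptions above, and the role names and "needed" sets are constructed for illustration.

```python
# Added example: models the Pipeline permission descriptions on this page.
# Inclusion edges come from the "All permissions that you can do with ..." bullets.
INCLUDES = {
    "Manage Restricted Pipelines": {"Manage Pipelines"},
    "Execute Restricted Pipelines": {"Execute Pipelines"},
    "Manage Executions": {"Execute Pipelines"},
}
# Permissions whose descriptions cover restricted endpoints, variables or items.
RESTRICTED = {"Manage Restricted Pipelines", "Execute Restricted Pipelines"}
KNOWN = {"Manage Pipelines", "Manage Restricted Pipelines",
         "Manage Custom Integrations", "Execute Pipelines",
         "Execute Restricted Pipelines", "Manage Executions"}


def expand(perms):
    """Return the given permissions plus everything they implicitly include."""
    seen, stack = set(), list(perms)
    while stack:
        perm = stack.pop()
        if perm not in KNOWN:
            raise ValueError(f"unknown Pipeline permission: {perm!r}")
        if perm not in seen:
            seen.add(perm)
            stack.extend(INCLUDES.get(perm, ()))
    return seen


def audit_role(name, perms, needed):
    """Compare what a custom role grants with what its users need."""
    granted, required = expand(perms), expand(needed)
    # A permission is redundant if another selected permission already includes it.
    redundant = {p for p in perms
                 if any(p in expand({q}) for q in perms if q != p)}
    return {
        "role": name,
        "missing": sorted(required - granted),
        "excess": sorted(granted - required),
        "redundant": sorted(redundant),
        "touches_restricted": sorted(granted & RESTRICTED),
    }


# Constructed sample roles (hypothetical names): (selected, needed).
ROLES = {
    "release-runner": ({"Execute Pipelines", "Manage Executions"}, {"Execute Pipelines"}),
    "pipeline-author": ({"Manage Pipelines", "Manage Restricted Pipelines"}, {"Manage Pipelines"}),
}

if __name__ == "__main__":
    for role_name, (selected, needed) in ROLES.items():
        print(audit_role(role_name, selected, needed))
```

A non-empty `excess` or `touches_restricted` entry marks a role that grants more than its users need and is a candidate for trimming.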

If you have the Administrator role

As an administrator, you can create custom integrations, endpoints, variables, triggers, pipelines, and dashboards.
Projects enable pipelines to access infrastructure resources. Administrators create projects so that users can group pipelines, endpoints, and dashboards together. Users then select the project in their pipelines. Each project includes an administrator and users with assigned roles.
With the Administrator role, you can mark endpoints and variables as restricted resources, and you can run pipelines that use restricted resources. If a non-administrative user runs the pipeline that includes a restricted endpoint or variable, the pipeline will stop at the task where the restricted variable is used, and an administrator must resume the pipeline.
As an administrator, you can also request that pipelines be published in Automation Service Broker.

If you have the Developer role

You can work with pipelines like an administrator can, except that you cannot work with restricted endpoints or variables.
If you run a pipeline that uses restricted endpoints or variables, the pipeline only runs up to the task that uses the restricted resource. Then, it stops, and an Automation Pipelines administrator or project administrator must resume the pipeline.

If you have the User role

You can access Automation Pipelines, but you do not have any of the privileges that the other roles provide.

If you have the Viewer role

You can see the same resources that an administrator sees, such as pipelines, endpoints, pipeline executions, dashboards, custom integrations, and triggers, but you cannot create, update, or delete them. To perform actions, the Viewer role must also be given the project administrator or project member role.
Users who have the Viewer role can see projects. They can also see restricted endpoints and restricted variables, but cannot see the detailed information about them.

If you have the Executor role

You can run pipelines and take action on user operation tasks. You can also resume, pause, and cancel pipeline executions. But, you cannot modify pipelines.

How do I assign and update roles

To assign and update roles for other users, you must be an administrator and an organization owner.
For more information about roles, see What are the VMware Aria Automation user roles.
  1. To see the active users and their roles, in VMware Aria Automation, click the nine dots at the upper right.
  2. Click Identity & Access Management.
     The VMware Cloud services pane opens the Identity and Access Management page and displays users and their roles.
  3. A list of Active Users appears. To add roles for a user, or change their roles, click the check box next to the user name, and click Edit Roles.
  4. When you add or change user roles, you can also add access to services.
  5. To save your changes, click Save.