How do I manage user access and approvals in
Automation Pipelines

Automation Pipelines
provides several ways to ensure that users have the appropriate authorization and consent to work with pipelines that release your software applications.
Each member on a team has an assigned role, which gives specific permissions on pipelines, endpoints, and dashboards, and the ability to mark resources as restricted.
User operations and approvals enable you to control when a pipeline runs and must stop for an approval. Your role determines whether you can resume a pipeline, and run pipelines that include restricted endpoints or variables.
Use secret variables to hide and encrypt sensitive information. Use restricted variable for strings, passwords, and URLs that must be hidden and encrypted, and to restrict use in executions. For example, use a secret variable for a password or URL. You can use secret and restricted variables in any type of task in your pipeline.

What are Roles in
Automation Pipelines

Depending on your role in
Automation Pipelines
, you can perform certain actions and access certain areas. For example, your role might enable you to create, update, and run pipelines. Or, you might only have permission to view pipelines.
All actions except restricted
means this role has permission to perform create, read, update, and delete actions on entities except for restricted variables and endpoints.
Service and Project level access permissions in
Automation Pipelines
Automation Pipelines
Roles
Access levels
Automation Pipelines
Administrator
Automation Pipelines
Developer
Automation Pipelines
Executor
Automation Pipelines
Viewer
Automation Pipelines
User
Automation Pipelines
service level access
All Actions
All actions except restricted
Execution actions
Read only
None
Project level access: Project Admin
All Actions
All Actions
All Actions
All Actions
All Actions
Project level access: Project Member
All Actions
All actions except restricted
All actions except restricted
All actions except restricted
All actions except restricted
Project level access: Project Viewer
All Actions
All actions except restricted
Execution actions
Read only
Read only
Users who have the Project Admin role can perform all actions on projects where they are a Project administrator.
A Project administrator can create, read, update, and delete pipelines, variables, endpoints, dashboards, triggers, and start a pipeline that includes restricted endpoints or variables if these resources are in the project where the user is a Project administrator.
Users who have the Service Viewer role can see all the information that is available to the administrator. They cannot take any action unless an administrator makes them a project administrator or a project member. If the user is affiliated with a project, they have the permissions related to the role. The project viewer would not extend their permissions the way that the administrator or member role does. This role is read-only across all projects.
If you have read permissions in a project, you can still see restricted resources.
  • To see restricted endpoints, which display a lock icon on the endpoint card, click
    Configure
    Endpoints
    .
  • To see restricted and secret variables, which display RESTRICTED or SECRET in the
    Type
    column, click
    Configure
    Variables
    .
Automation Pipelines
service role capabilities
UI Context
Capabilities
Automation Pipelines
Administrator role
Automation Pipelines
Developer role
Automation Pipelines
Executor role
Automation Pipelines
Viewer role
Automation Pipelines
User role
Pipelines
View pipelines
Yes
Yes
Yes
Yes
Create pipelines
Yes
Yes
Run pipelines
Yes
Yes
Yes
Run pipelines that include restricted endpoints or variables
Yes
Update pipelines
Yes
Yes
Delete pipelines
Yes
Yes
Pipeline Executions
View pipeline executions
Yes
Yes
Yes
Yes
Resume, pause, and cancel pipeline executions
Yes
Yes
Yes
Resume pipelines that stop for approval on restricted resources
Yes
Custom Integrations
Create custom integrations
Yes
Yes
Read custom integrations
Yes
Yes
Yes
Yes
Update custom integrations
Yes
Yes
Endpoints
View executions
Yes
Yes
Yes
Yes
Create executions
Yes
Yes
Update executions
Yes
Yes
Delete executions
Yes
Yes
Mark resources as restricted
Mark an endpoint or variable as restricted
Yes
Dashboards
View dashboards
Yes
Yes
Yes
Yes
Create dashboards
Yes
Yes
Update dashboards
Yes
Yes
Delete dashboards
Yes
Yes

Custom roles and permissions in
Automation Pipelines

You can create custom roles in
Automation Assembler
that extend privileges to users who work with pipelines. When you create a custom role for
Automation Pipelines
pipelines, you select one or more
Pipeline
permissions.
Select the minimal number of
Pipeline
permissions required for users who will be assigned this custom role.
When a user is assigned to a project and given a role in that project, and that user is assigned a custom role that includes one or more
Pipeline
permissions, they can perform all the actions that the permissions allow. For example, they can create restricted variables, manage restricted pipelines, create and manage custom integrations, and more.
Pipeline permissions that you can assign to custom roles
Pipeline Permission
Automation Pipelines
Administrator
Automation Pipelines
Developer
Automation Pipelines
Executor
Automation Pipelines
Viewer
Automation Pipelines
User
Project Administrator
Project Member
Project Viewer
Manage Pipelines
Yes
Yes
Yes
Yes
Manage Restricted Pipelines
Yes
Yes
Manage Custom Integrations
Yes
Yes
Execute Pipelines
Yes
Yes
Yes
Yes
Yes
Execute Restricted Pipelines
Yes
Yes
Manage Executions
Yes
Yes
Read. This permission is not visible.
Yes
Yes
Yes
Yes
Yes
Yes
Yes
How you can use Pipeline permissions with custom roles
Permission
What you can do
Manage Pipelines
  • Create, update, delete, clone pipelines.
  • Release and unrelease pipelines to
    Automation Service Broker
    .
  • Create, update, and delete endpoints.
  • Create, update, and delete regular and secret variables.
  • Create, clone, update, and delete a Gerrit listener.
  • Connect and disconnect a Gerrit listener.
  • Create, clone, update, delete a Gerrit trigger.
  • Create, update, and delete a Git webhook.
  • Create, update, and delete a Docker webhook.
  • Use smart pipeline templates to create pipelines.
  • Import pipelines from YAML, and export them to YAML.
  • Create, update, and delete custom dashboards.
  • Read all custom integrations.
  • Read all restricted endpoints and variables, but cannot view their values.
Manage Restricted Pipelines
  • Create, update, and delete endpoints.
  • Mark endpoints as restricted, update restricted endpoints, and delete them.
  • Create, update, and delete regular and secret variables.
  • Create, update, and delete restricted variables.
  • All permissions that you can do with Manage Pipelines.
Manage Custom Integrations
  • Create and update custom integrations.
  • Version and release custom integrations.
  • Delete and deprecate custom integration versions.
  • Delete custom integrations.
Execute Pipelines
  • Run pipelines.
  • Pause, resume, and cancel pipeline executions.
  • Rerun pipeline executions.
  • Resume, rerun, and manually trigger a Gerrit trigger event.
  • Approve a user operation, and can do batch approvals of user operations.
Execute Restricted Pipelines
  • Run pipelines.
  • Pause, resume, cancel, and delete pipeline executions.
  • Rerun pipeline executions.
  • Sync a running pipeline execution.
  • Force delete a running pipeline execution.
  • Resume, rerun, delete, and manually trigger a Gerrit trigger event.
  • Resolve restricted items and continue the pipeline execution.
  • Switch user context and continue the pipeline execution after a User Operation task approval.
  • All permissions that you can do with Execute Pipelines.
Manage Executions
  • Run pipelines.
  • Pause, resume, cancel, and delete pipeline executions.
  • Rerun pipeline executions.
  • Resume, rerun, delete, and manually trigger a Gerrit trigger event.
  • All permissions that you can do with Execute Pipelines.
Custom roles can include combinations of permissions. These permissions are organized into groups of capabilities that enable users to manage or run pipelines, with and without restricted resources. These permissions represent all the capabilities that each role can perform in
Automation Pipelines
.
For example, if you create a custom role and include the permission called
Manage Restricted Pipelines
, users who have the
Automation Pipelines
Developer role can:
  • Create, update, and delete endpoints.
  • Mark endpoints as restricted, update restricted endpoints, and delete them.
  • Create, update, and delete regular and secret variables.
  • Create, update, and delete restricted variables.
Example combinations of Pipeline permissions in custom roles
Number of Permissions Assigned to Custom Role
Examples of Combined Permissions
How to use this combination
Single permission
Execute Pipelines
Two permissions
Manage Pipelines
and
Execute Pipelines
Three permissions
Manage Pipelines
and
Execute Pipelines
and
Execute Restricted Pipelines
Manage Pipelines
and
Manage Custom Integrations
and
Execute Restricted Pipelines
This combination might apply to a
Automation Pipelines
Developer role but be limited to the projects where the user is a member.
Manage Pipelines
and
Manage Custom Integrations
and
Manage Executions
This combination might apply to a
Automation Pipelines
Administrator but limited to the projects where user is a member.
Manage Pipelines
,
Manage Restricted Pipelines
, and
Manage Custom Integrations
With this combination, a user has full permissions and can create and delete anything in
Automation Pipelines
.

If you have the Administrator role

As an administrator, you can create custom integrations, endpoints, variables, triggers, pipelines, and dashboards.
Projects enable pipelines to access infrastructure resources. Administrators create projects so that users can group pipelines, endpoints, and dashboards together. Users then select the project in their pipelines. Each project includes an administrator and users with assigned roles.
With the Administrator role, you can mark endpoints and variables as restricted resources, and you can run pipelines that use restricted resources. If a non-administrative user runs the pipeline that includes a restricted endpoint or variable, the pipeline will stop at the task where the restricted variable is used, and an administrator must resume the pipeline.
As an administrator, you can also request that pipelines be published in
Automation Service Broker
.

If you have the Developer role

You can work with pipelines like an administrator can, except that you cannot work with restricted endpoints or variables.
If you run a pipeline that uses restricted endpoints or variables, the pipeline only runs up to the task that uses the restricted resource. Then, it stops, and a
Automation Pipelines
administrator or project administrator must resume the pipeline.

If you have the User role

You can access
Automation Pipelines
, but do not have any privileges as the other roles provide.

If you have the Viewer role

You can see the same resources that an administrator sees, such as pipelines, endpoints, pipeline executions, dashboards, custom integrations, and triggers, but you cannot create, update, or delete them. To perform actions, the Viewer role must also be given the project administrator or project member role.
Users who have the Viewer role can see projects. They can also see restricted endpoints and restricted variables, but cannot see the detailed information about them.

If you have the Executor role

You can run pipelines and take action on user operation tasks. You can also resume, pause, and cancel pipeline executions. But, you cannot modify pipelines.

How do I assign and update roles

To assign and update roles for other users, you must be an administrator and an organization owner.
For more information about roles, see What are the VMware Aria Automation user roles.
  1. To see the active users and their roles, in
    VMware Aria Automation
    , click the nine dots at the upper right.
  2. Click
    Identity & Access Management
    .
    The VMware Cloud services pane opens the Identity and Access Management page and displays users and their roles.
  3. A list of
    Active Users
    appears. To add roles for a user, or change their roles, click the check box next to the user name, and click
    Edit Roles
    .
  4. When you add or change user roles, you can also add access to services.
  5. To save your changes, click
    Save
    .