1.3.4 User Roles & Permissions
Concourse comes with five roles:
Concourse Admin
Team Owner
Team Member
Pipeline Operator
Team Viewer
These roles are strictly ordered, so that each role always has all the permissions of any other role lower on the list. This means that a Pipeline Operator can always do anything a Team Viewer can, and so on.
In this document we say an action is assigned to a role if that role is capable of performing the action, but any less-privileged role is not. For example, the SaveConfig action is assigned to the member role, so owners and members can set a pipeline config, but pipeline operators and viewers cannot.
Concourse Admin
Admin is a special user attribute granted only to owners of the main team.
Admins have the ability to administrate teams using fly set-team, fly destroy-team, fly rename-team, etc.
Admins always have permission to perform any action on any team. You cannot assign actions to the admin role using the --config-rbac flag.
The following actions are also assigned to admins, and cannot be reconfigured:
- GetLogLevel
- ListActiveUsersSince
- SetLogLevel
- GetInfoCreds
- SetWall
- ClearWall
owner role
Team owners have read, write and auth management capabilities within the scope of their team, and can rename or destroy the team.
Actions assigned to the owner role by default:
owner:
- SetTeam
- RenameTeam
- DestroyTeam
member role
Team members can operate within their team in a read & write fashion, but they cannot change the configuration of their team.
Actions assigned to the member role by default:
member:
- SaveConfig
- CreateBuild
- DeletePipeline
- OrderPipelines
- OrderPipelinesWithinGroup
- ExposePipeline
- HidePipeline
- RenamePipeline
- ArchivePipeline
- CreatePipelineBuild
- RegisterWorker
- LandWorker
- RetireWorker
- PruneWorker
- HeartbeatWorker
- DeleteWorker
- HijackContainer
- ReportWorkerContainers
- ReportWorkerVolumes
- CreateArtifact
- GetArtifact
pipeline-operator role
Team pipeline operators can perform pipeline operations such as triggering builds and pinning resources; however, they cannot update pipeline configurations.
Actions assigned to the pipeline-operator role by default:
pipeline-operator:
- AbortBuild
- RerunJobBuild
- CreateJobBuild
- PauseJob
- UnpauseJob
- ClearTaskCache
- UnpinResource
- SetPinCommentOnResource
- CheckResource
- CheckResourceWebHook
- CheckResourceType
- EnableResourceVersion
- DisableResourceVersion
- PinResourceVersion
- PausePipeline
- UnpausePipeline
- ClearResourceCache
viewer role
Team viewers have "read-only" access to a team and its pipelines. This locks everything down, preventing users from doing a fly set-pipeline or fly intercept.
Actions assigned to the viewer role by default:
viewer:
- GetConfig
- GetCC
- GetBuild
- GetCheck
- GetBuildPlan
- ListBuilds
- BuildEvents
- BuildResources
- GetBuildPreparation
- GetJob
- ListAllJobs
- ListJobs
- ListJobBuilds
- ListJobInputs
- GetJobBuild
- GetVersionsDB
- JobBadge
- MainJobBadge
- ListAllResources
- ListResources
- ListResourceTypes
- GetResource
- ListResourceVersions
- GetResourceVersion
- ListBuildsWithVersionAsInput
- ListBuildsWithVersionAsOutput
- GetResourceCausality
- ListAllPipelines
- ListPipelines
- GetPipeline
- ListPipelineBuilds
- PipelineBadge
- ListWorkers
- DownloadCLI
- GetInfo
- ListContainers
- GetContainer
- ListDestroyingContainers
- ListVolumes
- ListDestroyingVolumes
- ListTeams
- GetTeam
- ListTeamBuilds
- ListBuildArtifacts
Action Matrix
In this table, an action is marked as customizable if it is possible to change its permissions by providing the --config-rbac flag, documented below. Assigning an action to a role that is not customizable will have no effect on its permissions.
| Action | fly commands affected | UI actions affected | can be performed unauthenticated? | customizable |
|---|---|---|---|---|
| GetBuild | n/a | view one-off build page | ✓ | ✓ |
| BuildResources | n/a | view build page | ✓ | ✓ |
| GetBuildPreparation | n/a | view build page | ✓ | ✓ |
| BuildEvents | fly watch, fly execute | view build page | ✓ | ✓ |
| GetBuildPlan | n/a | view build page | ✓ | ✓ |
| ListBuildArtifacts | n/a | n/a | ✓ | ✓ |
| AbortBuild | fly abort-build | abort button on build page | ✘ | ✓ |
| PruneWorker | fly prune-worker | n/a | ✘ | ✓ |
| LandWorker | fly land-worker | n/a | ✘ | ✓ |
| RetireWorker | n/a | n/a | ✘ | ✘ |
| ListDestroyingVolumes | n/a | n/a | ✘ | ✘ |
| ListDestroyingContainers | n/a | n/a | ✘ | ✘ |
| ReportWorkerContainers | n/a | n/a | ✘ | ✘ |
| ReportWorkerVolumes | n/a | n/a | ✘ | ✘ |
| GetPipeline | n/a | view pipeline page | ✓ | ✓ |
| GetJobBuild | n/a | view build page | ✓ | ✓ |
| PipelineBadge | n/a | n/a | ✓ | ✓ |
| JobBadge | n/a | n/a | ✓ | ✓ |
| ListJobs | fly jobs | view pipeline page | ✓ | ✓ |
| GetJob | n/a | view job page | ✓ | ✓ |
| ListJobBuilds | fly builds | view job page | ✓ | ✓ |
| ListPipelineBuilds | fly builds | n/a | ✓ | ✓ |
| GetResource | n/a | view resource page | ✓ | ✓ |
| ListBuildsWithVersionAsInput | n/a | expand version on resource page | ✓ | ✓ |
| ListBuildsWithVersionAsOutput | n/a | expand version on resource page | ✓ | ✓ |
| GetResourceCausality | n/a | n/a | ✓ | ✓ |
| GetResourceVersion | n/a | n/a | ✓ | ✓ |
| ListResources | fly resources | view pipeline page | ✓ | ✓ |
| ListResourceTypes | n/a | n/a | ✓ | ✓ |
| ListResourceVersions | fly resource-versions, fly pin-resource | view resource page | ✓ | ✓ |
| CreateBuild | fly execute | n/a | ✘ | ✓ |
| GetContainer | n/a | n/a | ✘ | ✓ |
| HijackContainer | fly intercept | n/a | ✘ | ✓ |
| ListContainers | fly containers | n/a | ✘ | ✓ |
| ListWorkers | fly workers | n/a | ✘ | ✓ |
| RegisterWorker | n/a | n/a | ✘ | ✘ |
| HeartbeatWorker | n/a | n/a | ✘ | ✘ |
| DeleteWorker | n/a | n/a | ✘ | ✘ |
| GetTeam | fly get-team | n/a | ✘ | ✓ |
| SetTeam | fly set-team | n/a | ✘ | ✓ |
| ListTeamBuilds | fly builds | n/a | ✘ | ✓ |
| RenameTeam | fly rename-team | n/a | ✘ | ✓ |
| DestroyTeam | fly destroy-team | n/a | ✘ | ✓ |
| ListVolumes | fly volumes | n/a | ✘ | ✓ |
| DownloadCLI | fly sync | icons on dashboard and pipeline pages | ✓ | ✘ |
| CheckResourceWebHook | n/a | n/a | ✓ | ✘ |
| GetInfo | n/a | n/a | ✓ | ✘ |
| GetCheck | fly check-resource, fly check-resource-type | check button on resource page | ✘ | ✓ |
| ListTeams | fly teams | view dashboard page | ✓ | ✘ |
| ListAllPipelines | n/a | view dashboard page | ✓ | ✘ |
| ListPipelines | fly pipelines | n/a | ✓ | ✓ |
| ListAllJobs | fly teams | view dashboard page | ✓ | ✘ |
| ListAllResources | n/a | view dashboard page | ✓ | ✘ |
| ListBuilds | fly builds | n/a | ✓ | ✘ |
| MainJobBadge | n/a | n/a | ✓ | ✘ |
| GetLogLevel | n/a | n/a | ✘ | ✘ |
| SetLogLevel | n/a | n/a | ✘ | ✘ |
| GetWall | n/a | n/a | ✓ | ✘ |
| SetWall | n/a | n/a | ✘ | ✘ |
| ClearWall | n/a | n/a | ✘ | ✘ |
| ListActiveUsersSince | fly active-users | n/a | ✘ | ✘ |
| GetInfoCreds | n/a | n/a | ✘ | ✘ |
| CheckResource | fly check-resource | check button on resource page | ✘ | ✓ |
| CheckResourceType | fly check-resource-type | n/a | ✘ | ✓ |
| CreateJobBuild | fly trigger-job | trigger button on job and build pages | ✘ | ✓ |
| RerunJobBuild | fly rerun-build | rerun button on build page | ✘ | ✓ |
| CreatePipelineBuild | fly execute | n/a | ✘ | ✓ |
| DeletePipeline | fly destroy-pipeline | n/a | ✘ | ✓ |
| DisableResourceVersion | fly disable-resource-version | version disable widget on resource page | ✘ | ✓ |
| EnableResourceVersion | fly enable-resource-version | version enable widget on resource page | ✘ | ✓ |
| PinResourceVersion | fly pin-resource | pin buttons on resource page | ✘ | ✓ |
| UnpinResource | fly unpin-resource | pin buttons on resource page | ✘ | ✓ |
| SetPinCommentOnResource | fly pin-resource | comment overlay on resource page | ✘ | ✓ |
| GetConfig | fly get-pipeline | n/a | ✘ | ✓ |
| GetCC | n/a | n/a | ✘ | ✓ |
| GetVersionsDB | n/a | n/a | ✘ | ✓ |
| ListJobInputs | n/a | n/a | ✘ | ✓ |
| OrderPipelines | fly order-pipelines | drag and drop on dashboard | ✘ | ✓ |
| OrderPipelinesWithinGroup | fly order-instanced-pipelines | drag and drop within instance group on dashboard | ✘ | ✓ |
| PauseJob | fly pause-job | pause button on job page | ✘ | ✓ |
| PausePipeline | fly pause-pipeline | pause button on pipeline or dashboard | ✘ | ✓ |
| RenamePipeline | fly rename-pipeline | n/a | ✘ | ✓ |
| UnpauseJob | fly unpause-job | play button on job page | ✘ | ✓ |
| UnpausePipeline | fly unpause-pipeline | play button on pipeline or dashboard | ✘ | ✓ |
| ExposePipeline | fly expose-pipeline | eyeball button on dashboard | ✘ | ✓ |
| HidePipeline | fly hide-pipeline | slashed eyeball button on dashboard | ✘ | ✓ |
| SaveConfig | fly set-pipeline | n/a | ✘ | ✓ |
| ClearTaskCache | fly clear-task-cache | n/a | ✘ | ✓ |
| CreateArtifact | fly execute | n/a | ✘ | ✓ |
| GetArtifact | fly execute | n/a | ✘ | ✓ |
| ClearResourceCache | fly clear-resource-cache | n/a | ✘ | ✓ |
Configuring RBAC
It is possible to promote or demote the roles to which actions are assigned by passing the --config-rbac flag to the concourse web command with a path to a .yml file, like the following:
concourse web --config-rbac=/path/to/rbac/config.yml
This file should be a YAML map where the keys are role names (owner, member, pipeline-operator, and viewer are valid). For each role, the value should be a list of actions. On startup, Concourse will assign each role to its associated list of actions.
For example, in the default configuration only pipeline-operators and above can abort builds. To restrict aborting builds to only members and above, you could pass this as a --config-rbac file:
member:
- AbortBuild
On the other hand, only members and above can order pipelines by default. To extend this privilege down to pipeline-operators, you can use a --config-rbac file like the following:
pipeline-operator:
- OrderPipelines
You do not need to specify a role for every possible action; if an action does not appear in the file, the default role (as described in the sections above) is assigned to that action. Also, avoid listing the same action under more than one role in this file; doing so has unpredictable results.
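Before deploying a --config-rbac file it is worth checking what it actually changes: which actions move to which role, whether an entry targets an action the Action Matrix marks as not customizable (and is therefore silently ignored), and whether an action appears under two roles. The following added example (not Concourse's own code) does that offline for the strict role ordering described at the top of this page; DEFAULTS is a small subset of the page's default role lists, NOT_CUSTOMIZABLE a few entries from the matrix's ✘ column, and OVERLAY a constructed sample file.

```python
# Added example, not Concourse's own code. DEFAULTS is a subset of this page's role lists.
ROLE_ORDER = ["viewer", "pipeline-operator", "member", "owner"]  # least to most privileged
DEFAULTS = {
    "owner": {"SetTeam", "RenameTeam", "DestroyTeam"},
    "member": {"SaveConfig", "CreateBuild", "OrderPipelines", "RegisterWorker"},
    "pipeline-operator": {"AbortBuild", "CreateJobBuild", "PausePipeline"},
    "viewer": {"GetConfig", "GetBuild", "ListPipelines"},
}
NOT_CUSTOMIZABLE = {"RegisterWorker", "DeleteWorker", "GetInfoCreds"}  # ✘ in "customizable" column

def parse_rbac(text):
    """Parse the 'role:' / '- Action' YAML form that --config-rbac files use."""
    config, role = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":"):
            role = line[:-1]
            if role not in ROLE_ORDER:
                raise ValueError(f"unknown role {role!r}")
            config.setdefault(role, [])
        elif line.startswith("- ") and role is not None:
            config[role].append(line[2:].strip())
        else:
            raise ValueError(f"unexpected line {raw!r}")
    return config

def effective_assignments(overlay):
    """Return (action -> role) after applying the overlay, plus operator warnings."""
    assigned = {a: r for r, acts in DEFAULTS.items() for a in acts}
    warnings, seen = [], {}
    for role, actions in overlay.items():
        for action in actions:
            if action in NOT_CUSTOMIZABLE:
                warnings.append(f"{action} is not customizable; entry ignored")
                continue
            if action in seen:  # same action under two roles: results are undefined
                warnings.append(f"{action} listed under both {seen[action]} and {role}")
            seen[action] = role
            assigned[action] = role
    return assigned, warnings

def can(role, action, assigned):  # strict ordering; admins may perform any action
    target = assigned.get(action)
    return role == "admin" or (target is not None and
                               ROLE_ORDER.index(role) >= ROLE_ORDER.index(target))

OVERLAY = "member:\n- AbortBuild\npipeline-operator:\n- OrderPipelines\n- RegisterWorker\n"  # constructed sample
ASSIGNED, WARNINGS = effective_assignments(parse_rbac(OVERLAY))
```

With this overlay, AbortBuild moves up to member (pipeline-operators lose it), OrderPipelines moves down to pipeline-operator, and the RegisterWorker entry produces a warning and leaves the default untouched.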