1.2.4 User Roles & Permissions

Concourse comes with five roles:

  1. Concourse Admin

  2. Team Owner

  3. Team Member

  4. Pipeline Operator

  5. Team Viewer

These roles are strictly ordered, so that each role always has all the permissions of any other role lower on the list. This means that a Pipeline Operator can always do anything a Team Viewer can, and so on.

In this document we say an action is assigned to a role if that role is capable of performing the action, but any less-privileged role is not. For example, the SaveConfig action is assigned to the member role, so owners and members can set a pipeline config, but pipeline operators and viewers cannot.

Concourse Admin

Admin is a special user attribute granted only to owners of the main team.

Admins have the ability to administrate teams using fly set-team, fly destroy-team, fly rename-team, etc.

Admins always have permission to perform any action on any team. You cannot assign actions to the admin role using the --config-rbac flag.

The following actions are also assigned to admins, and cannot be reconfigured:

- GetLogLevel
- ListActiveUsersSince
- SetLogLevel
- GetInfoCreds
- SetWall
- ClearWall

owner role

Team owners have read, write and auth management capabilities within the scope of their team, but they cannot rename or destroy the team.

Actions assigned to the owner role by default:

owner:
- SetTeam
- RenameTeam
- DestroyTeam

member role

Team members can operate within their team in a read & write fashion, but they cannot change the configuration of their team.

Actions assigned to the member role by default:

member:
- SaveConfig
- CreateBuild
- DeletePipeline
- OrderPipelines
- ExposePipeline
- HidePipeline
- RenamePipeline
- CreatePipelineBuild
- RegisterWorker
- LandWorker
- RetireWorker
- PruneWorker
- HeartbeatWorker
- DeleteWorker
- HijackContainer
- ReportWorkerContainers
- ReportWorkerVolumes
- CreateArtifact
- GetArtifact

pipeline-operator role

Team pipeline operators can perform pipeline operations such as triggering builds and pinning resources, but they cannot update pipeline configurations.

Actions assigned to the pipeline-operator role by default:

pipeline-operator:
- AbortBuild
- RerunJobBuild
- CreateJobBuild
- PauseJob
- UnpauseJob
- ClearTaskCache
- UnpinResource
- SetPinCommentOnResource
- CheckResource
- CheckResourceWebHook
- CheckResourceType
- EnableResourceVersion
- DisableResourceVersion
- PinResourceVersion
- PausePipeline
- UnpausePipeline

viewer role

Team viewers have "read-only" access to a team and its pipelines. This locks everything down, preventing users from doing a fly set-pipeline or fly intercept.

Actions assigned to the viewer role by default:

viewer:
- GetConfig
- GetCC
- GetBuild
- GetCheck
- GetBuildPlan
- ListBuilds
- BuildEvents
- BuildResources
- GetBuildPreparation
- GetJob
- ListAllJobs
- ListJobs
- ListJobBuilds
- ListJobInputs
- GetJobBuild
- GetVersionsDB
- JobBadge
- MainJobBadge
- ListAllResources
- ListResources
- ListResourceTypes
- GetResource
- ListResourceVersions
- GetResourceVersion
- ListBuildsWithVersionAsInput
- ListBuildsWithVersionAsOutput
- GetResourceCausality
- ListAllPipelines
- ListPipelines
- GetPipeline
- ListPipelineBuilds
- PipelineBadge
- ListWorkers
- DownloadCLI
- GetInfo
- ListContainers
- GetContainer
- ListDestroyingContainers
- ListVolumes
- ListDestroyingVolumes
- ListTeams
- GetTeam
- ListTeamBuilds
- ListBuildArtifacts

Action Matrix

In this table, an action is marked as customizable if it is possible to change its permissions by providing the --config-rbac flag, documented below. Assigning an action that is not customizable to a role will have no effect on its permissions.

Action | fly commands affected | UI actions affected

The original table also carries two per-action indicator columns, "can be performed unauthenticated?" and "customizable"; those marks are not reproduced in this text listing.

GetBuild | n/a | view one-off build page
BuildResources | n/a | view build page
GetBuildPreparation | n/a | view build page
BuildEvents | fly watch, fly execute | view build page
GetBuildPlan | n/a | view build page
ListBuildArtifacts | n/a | n/a
AbortBuild | fly abort-build | abort button on build page
PruneWorker | fly prune-worker | n/a
LandWorker | fly land-worker | n/a
RetireWorker | n/a | n/a
ListDestroyingVolumes | n/a | n/a
ListDestroyingContainers | n/a | n/a
ReportWorkerContainers | n/a | n/a
ReportWorkerVolumes | n/a | n/a
GetPipeline | n/a | view pipeline page
GetJobBuild | n/a | view build page
PipelineBadge | n/a | n/a
JobBadge | n/a | n/a
ListJobs | fly jobs | view pipeline page
GetJob | n/a | view job page
ListJobBuilds | fly builds | view job page
ListPipelineBuilds | fly builds | n/a
GetResource | n/a | view resource page
ListBuildsWithVersionAsInput | n/a | expand version on resource page
ListBuildsWithVersionAsOutput | n/a | expand version on resource page
GetResourceCausality | n/a | n/a
GetResourceVersion | n/a | n/a
ListResources | fly resources | view pipeline page
ListResourceTypes | n/a | n/a
ListResourceVersions | fly resource-versions, fly pin-resource | view resource page
CreateBuild | fly execute | n/a
GetContainer | n/a | n/a
HijackContainer | fly intercept | n/a
ListContainers | fly containers | n/a
ListWorkers | fly workers | n/a
RegisterWorker | n/a | n/a
HeartbeatWorker | n/a | n/a
DeleteWorker | n/a | n/a
GetTeam | fly get-team | n/a
SetTeam | fly set-team | n/a
ListTeamBuilds | fly builds | n/a
RenameTeam | fly rename-team | n/a
DestroyTeam | fly destroy-team | n/a
ListVolumes | fly volumes | n/a
DownloadCLI | fly sync | icons on dashboard and pipeline pages
CheckResourceWebHook | n/a | n/a
GetInfo | n/a | n/a
GetCheck | fly check-resource, fly check-resource-type | check button on resource page
ListTeams | fly teams | view dashboard page
ListAllPipelines | n/a | view dashboard page
ListPipelines | fly pipelines | n/a
ListAllJobs | fly teams | view dashboard page
ListAllResources | n/a | view dashboard page
ListBuilds | fly builds | n/a
MainJobBadge | n/a | n/a
GetLogLevel | n/a | n/a
SetLogLevel | n/a | n/a
GetWall | n/a | n/a
SetWall | n/a | n/a
ClearWall | n/a | n/a
ListActiveUsersSince | fly active-users | n/a
GetInfoCreds | n/a | n/a
CheckResource | fly check-resource | check button on resource page
CheckResourceType | fly check-resource-type | n/a
CreateJobBuild | fly trigger-job | trigger button on job and build pages
RerunJobBuild | fly rerun-build | rerun button on build page
CreatePipelineBuild | fly execute | n/a
DeletePipeline | fly destroy-pipeline | n/a
DisableResourceVersion | fly disable-resource-version | version disable widget on resource page
EnableResourceVersion | fly enable-resource-version | version enable widget on resource page
PinResourceVersion | fly pin-resource | pin buttons on resource page
UnpinResource | fly unpin-resource | pin buttons on resource page
SetPinCommentOnResource | fly pin-resource | comment overlay on resource page
GetConfig | fly get-pipeline | n/a
GetCC | n/a | n/a
GetVersionsDB | n/a | n/a
ListJobInputs | n/a | n/a
OrderPipelines | fly order-pipelines | drag and drop on dashboard
PauseJob | fly pause-job | pause button on job page
PausePipeline | fly pause-pipeline | pause button on pipeline or dashboard
RenamePipeline | fly rename-pipeline | n/a
UnpauseJob | fly unpause-job | play button on job page
UnpausePipeline | fly unpause-pipeline | play button on pipeline or dashboard
ExposePipeline | fly expose-pipeline | eyeball button on dashboard
HidePipeline | fly hide-pipeline | slashed eyeball button on dashboard
SaveConfig | fly set-pipeline | n/a
ClearTaskCache | fly clear-task-cache | n/a
CreateArtifact | fly execute | n/a
GetArtifact | fly execute | n/a

Configuring RBAC

Configuring RBAC is experimental, and this may change in the future.

It is possible to promote or demote the roles to which actions are assigned by passing the --config-rbac flag to the concourse web command with a path to a .yml file, like the following:

concourse web --config-rbac=/path/to/rbac/config.yml

This file should be a YAML map where the keys are role names (owner, member, pipeline-operator, and viewer are valid). For each role, the value should be a list of actions. On startup, Concourse will assign each role to its associated list of actions.

For example, in the default configuration only pipeline-operators and above can abort builds. To restrict aborting builds to only members and above, you could pass this as a --config-rbac file:

member:
- AbortBuild

On the other hand, only members and above can order pipelines by default. To extend this privilege down to pipeline-operators, you can use a --config-rbac file like the following:

pipeline-operator:
- OrderPipelines

You do not need to specify a role for every possible action; if an action does not appear in the file, then the default role (as described in the sections above) will be assigned to that action. Also, please avoid specifying the same action under multiple roles in this file - it can have unpredictable results.
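Because a --config-rbac file can silently widen who may run fly intercept or fly set-pipeline, it is worth auditing before it reaches a web node. The following Python script is an added example, not Concourse's own code: it applies the semantics described in this section (strictly ordered roles, an action available to its assigned role and every higher one, defaults kept for actions not in the file, admin-only actions not reconfigurable) to a config file and reports every action whose effective role moved and in which direction. It assumes a small hand-written parser for the `role:` / `- Action` YAML shape shown above instead of a full YAML library, embeds only a subset of the default assignments listed earlier, and, since the docs call duplicate entries unpredictable, treats an action listed under two roles as a finding and applies only the first entry (an assumption, not documented behaviour). The sample config is constructed for illustration.

```python
"""Audit a Concourse --config-rbac file against the documented role defaults."""
from __future__ import annotations

# Roles from least to most privileged; "admin" sits above every team role.
ROLE_ORDER = ["viewer", "pipeline-operator", "member", "owner", "admin"]
CONFIGURABLE_ROLES = ROLE_ORDER[:-1]  # admin cannot be assigned actions via --config-rbac

# Subset of the default assignments documented above (not the full table).
DEFAULT_ASSIGNMENTS: dict[str, list[str]] = {
    "viewer": ["GetBuild", "GetConfig", "ListPipelines", "ListWorkers"],
    "pipeline-operator": ["AbortBuild", "CreateJobBuild", "PausePipeline", "PinResourceVersion"],
    "member": ["SaveConfig", "DeletePipeline", "OrderPipelines", "HijackContainer"],
    "owner": ["SetTeam", "RenameTeam", "DestroyTeam"],
    "admin": ["GetLogLevel", "SetLogLevel", "ListActiveUsersSince", "GetInfoCreds", "SetWall", "ClearWall"],
}

# Constructed sample config: mixes a restriction, an extension, a no-op and a duplicate.
SAMPLE_CONFIG = """\
member:
- AbortBuild          # restrict aborting builds to members and above
- SetLogLevel         # admin-only action: has no effect and should be flagged
pipeline-operator:
- OrderPipelines      # extend pipeline ordering down to pipeline-operators
- HijackContainer     # widens fly intercept to pipeline-operators
viewer:
- HijackContainer     # same action under a second role: flagged as unpredictable
"""


def default_role(action: str) -> str | None:
    """Role an action is assigned to in the default configuration, or None if unknown."""
    for role, actions in DEFAULT_ASSIGNMENTS.items():
        if action in actions:
            return role
    return None


def parse_rbac_file(text: str) -> dict[str, list[str]]:
    """Minimal parser for the 'role:' / '- Action' YAML subset the flag accepts (no PyYAML needed)."""
    roles: dict[str, list[str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("- "):
            if current is None:
                raise ValueError(f"list item before any role name: {raw!r}")
            roles[current].append(line[2:].strip())
        elif line.endswith(":"):
            current = line[:-1].strip()
            roles.setdefault(current, [])
        else:
            raise ValueError(f"unsupported line (only 'role:' and '- Action' are accepted): {raw!r}")
    return roles


def effective_assignments(overrides: dict[str, list[str]]) -> tuple[dict[str, str], list[str]]:
    """Start from the defaults, apply the file, and collect findings for entries that do nothing."""
    assigned = {action: role for role, actions in DEFAULT_ASSIGNMENTS.items() for action in actions}
    warnings: list[str] = []
    seen: dict[str, str] = {}
    for role, actions in overrides.items():
        if role not in CONFIGURABLE_ROLES:
            warnings.append(f"role {role!r} is not configurable; its entries are ignored")
            continue
        for action in actions:
            if action in seen:  # assumption: first entry wins; the docs only say this is unpredictable
                warnings.append(f"{action} is listed under both {seen[action]} and {role}; only the first entry is applied")
                continue
            seen[action] = role
            if action in DEFAULT_ASSIGNMENTS["admin"]:
                warnings.append(f"{action} is admin-only and not customizable; entry has no effect")
                continue
            if action not in assigned:
                warnings.append(f"{action} is not a known action in this table; entry ignored")
                continue
            assigned[action] = role
    return assigned, warnings


def can_perform(role: str, action: str, assigned: dict[str, str]) -> bool:
    """A role may perform an action when it is at or above the role the action is assigned to."""
    target = assigned.get(action)
    return target is not None and ROLE_ORDER.index(role) >= ROLE_ORDER.index(target)


def privilege_changes(assigned: dict[str, str]) -> list[tuple[str, str, str, str]]:
    """Actions whose role moved; 'widened' means lower roles gained it, 'narrowed' means they lost it."""
    changes = []
    for action, new_role in assigned.items():
        old_role = default_role(action)
        if new_role != old_role:
            widened = ROLE_ORDER.index(new_role) < ROLE_ORDER.index(old_role)
            changes.append((action, old_role, new_role, "widened" if widened else "narrowed"))
    return sorted(changes)


def audit(text: str) -> tuple[dict[str, str], list[str], list[tuple[str, str, str, str]]]:
    """Parse a config file and return (effective assignments, findings, privilege changes)."""
    assigned, warnings = effective_assignments(parse_rbac_file(text))
    return assigned, warnings, privilege_changes(assigned)


if __name__ == "__main__":
    assigned, warnings, changes = audit(SAMPLE_CONFIG)
    for w in warnings:
        print("FINDING:", w)
    for action, old, new, direction in changes:
        print(f"{action}: {old} -> {new} ({direction})")
    print("pipeline-operator can abort builds?", can_perform("pipeline-operator", "AbortBuild", assigned))
```

Run against a real file with `audit(open(path).read())`; the "widened" entries are the ones to review with the team, since each one hands an action to a less-privileged role, and the findings list catches the entries that look like hardening but do nothing.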