Skip to main content

Setting user permissions on team-shared pipelines & CI jobs

Control who can do what with team-shared pipelines & continuous integration jobs

Valerio Chang avatar
Written by Valerio Chang
Updated over 2 weeks ago

Controlling which members can run and edit team-shared CI jobs or pipelines is an important part of any secure large team. In Gearset, there are two ways to assign pipeline or CI job permissions to members of your team.

Note: Team owners will always have Admin permission on all team-shared resources, which bestows the same level of access as the Edit permission, with the addition of being able to delete team-owned resources.

Admin cannot be assigned to members.

CI job permission levels

Levels of access for CI jobs are:

  • Edit - This allows users to edit the CI job, letting users to edit the metadata filters etc, as well as run the job.

  • Run - This allows users to run the CI job. If the CI job is in a pipeline, this setting would allow users to promote the PR within the pipeline.

  • None - This setting means that users cannot run the CI job or edit the job settings.

  • Admin - a team member becomes an owner of the CI job, effectively gaining "Edit" access rights for the job, and the ability to assign permissions for the job to other Gearset team members.

    • Note: Team members with an Admin permission don't get right to delete a team-shared CI job. Deletion can only be done by Team Owners.

Note: By assigning Run access to a CI job for a team member, you're essentially giving that member a permission to run the job and deploy - provided that the necessary Org-level access permissions have been configured in the Delegate org access section.
​
​FYI: You can read more about the org access permission in this article: Sharing org credentials with team members

Pipeline permission levels

Levels of access for a pipeline are:

  • Edit - this allows users to edit details of the pipeline, including adding, removing or rearranging static environments and dev sandboxes.

  • View - this allows users to view the pipeline, but user cannot change any pipeline settings.

  • None - this setting means users cannot see the pipeline or edit any of its details.

  • Admin - a team member becomes an owner of the Pipeline, and they gain the ability to assign Pipelines permissions to other team members.

    • This permission doesn't automatically give an Admin deployment rights for all the CI jobs within the Pipeline. It's because permissions for team-shared CI jobs used within the Pipeline are set up individually for each CI job.

    • Note: A team member with an Admin access is also authorized to delete a Pipeline, should there ever be a need for this.

Note: Even if a user has the None permission assigned for pipeline, that does not stop the user from running the CI jobs within the pipeline. That is controlled by individual CI job permissions.

This article also explains how to set CI job permissions later on.

Assigning multiple permissions to a member

In the My account menu, select Team management -> People -> Users (or directly through this link; similarly you can open this link to access the My Profile tab). This will present a list of all the users in your team:

Selecting a team member on this screen will display the team-shared resources they have access to:

Selecting Edit access to pipelines & CI jobs will bring you to the pipelines & CI job permission screen. Here you can set a user's permission level to Edit, Run or None for each CI job, as well as Edit, View or None for each pipeline.

In the Current pipelines & CI jobs tab you can change permissions to pipelines and CI jobs that the user already has access to. These are grouped into jobs that are part of a pipeline and those that are standalone:

In the Delegate access to other pipelines & CI jobs tab you can grant permissions to pipelines or CI jobs that the user currently has no access to. To grant a permission across many pipelines or CI jobs at once, there is a bulk assign feature as well:

Assigning permissions to multiple members

To set many user permissions on a specific pipeline or CI job, in the My account menu, select Team management -> Permissions -> Pipelines & continuous integration (CI) (or directly through this link).

This page lists team-shared pipelines, and also any CI jobs that are not connected to a pipeline in a section below.

Selecting any pipeline in the list will bring you to the permission screen of the pipeline.

This page shows user pipeline permissions and the CI jobs connected to this pipeline, and allows you to set which members can edit or view the pipeline, as well as who can run or edit the CI jobs within the pipeline.

Selecting Edit users & access for this pipeline will allow you to add members from your team using the search box, and assign them permissions to the pipeline - or alternatively you can remove any permission assigned to them.

You can expand any CI job in the list to see users' permissions on the job. Add or remove users and change their permissions for the org by selecting Edit users & access for this CI job:


​

Related Articles
Pipeline setup - minimum permissions needed to set up Gearset pipelines
Managing and viewing your CI jobs
Team-shared CI jobs
Setting user permissions on team-shared orgs
Configuring Gearset permissions
Did this answer your question?