Enabling and Authorizing CodeArts Pipeline
Prerequisites
You have signed up for a HUAWEI ID and enabled Huawei Cloud services.
Enabling CodeArts Pipeline
You need to subscribe to a CodeArts package before using CodeArts Pipeline.
- Access the CodeArts Pipeline console.
- Click Buy to purchase a CodeArts package.
- Purchase a package as needed. For details, see Purchasing CodeArts.
Authorizing CodeArts Pipeline
You can configure CodeArts Pipeline permissions at three levels to control user behaviors.
|
Level |
Module |
Description |
|---|---|---|
|
Extension, tenant-level policy, tenant-level rule, and pipeline template |
Permissions to manage module resources in a tenant. You can configure permissions in IAM. The configurations take effect for all projects of a tenant. |
|
|
Pipeline, policy (project-level), microservice, and change |
Permissions to manage module resources of a specific project. You can configure permissions in project settings. The configurations take effect for all resources of a project. |
|
|
Pipeline |
Permissions to perform operations for a specific pipeline. You can configure permissions in a pipeline. The configuration takes effect for a specified pipeline. |
- Tenant-level permissions
IAM allows you to configure permissions for specified users regarding tenant-level rules, tenant-level policies, extensions, and pipeline templates.
- Log in to CodeArts using a tenant account or an authorized account.
- Click the username in the upper right corner and select IAM.
- In the navigation pane on the left, choose User Groups. On the displayed page, create a user group or select an existing user group, and click Authorize.
Select the CodeArts Pipeline service to check related policies, as shown in the following table.
Table 2 Pipeline policies Policy Name
Description
CloudPipeline Tenant Rules FullAccess
Full permissions on tenant-level rules within CodeArts Pipeline.
- Permissions on rules correspond to cloudpipeline:rule:update in IAM. An administrator can use the system-defined policy CloudPipeline Tenant Rules FullAccess or custom policies to authorize users.
- Common users can check all tenant-level rules. Authorized users can check and manage all tenant-level rules.
CloudPipeline Tenant Rule Templates FullAccess
Full permissions on tenant-level policies within CodeArts Pipeline.
- Permissions on pipeline policies correspond to cloudpipeline:ruletemplate:update in IAM. An administrator can use the system-defined policy CloudPipeline Tenant Rule Templates FullAccess or custom policies to authorize users.
- Common users can check all tenant-level policies. Authorized users can check and manage all tenant-level policies.
CloudPipeline Tenant Extensions FullAccess
Full permissions on extensions within CodeArts Pipeline.
- Permissions on extensions correspond to cloudpipeline:extensions:update in IAM. An administrator can use the system-defined policy CloudPipeline Tenant Extensions FullAccess or custom policies to authorize users.
- Common users can view all extensions. Authorized users can view and manage all extensions.
CloudPipeline Tenant Pipeline Templates FullAccess
Full permissions on pipeline templates within CodeArts Pipeline.
- Permissions on pipeline templates correspond to cloudpipeline:pipelinetemplate:update in IAM. An administrator can use the system-defined policy CloudPipeline Tenant Pipeline Templates FullAccess or custom policies to authorize users.
- Common users can create templates and view all templates. However, they can manage only the templates created by themselves. Authorized users can view and manage all templates.
- Select the required policies, click Next, and set the minimum authorization scope for the user group.
- Add the specified users to the user group to complete user authorization.
In addition to system-defined policies, tenants can also create custom policies to grant permissions.
- Project-level permissions
CodeArts allows you to configure permissions on pipeline resources for each role in a project.
- Log in to the Huawei Cloud console.
- Click
in the upper left corner of the page and choose from the service list. - Click Access Service to access the CodeArts Pipeline homepage.
- On the top navigation bar, click Homepage to access the CodeArts homepage.
- Click a project name to access the project.
- In the left navigation pane on the left, choose Settings > Permissions.
Pipeline-related resources are in CodeArts Pipeline. They are change, pipeline, policy (project-level), microservice, pre-production environment, production environment, test environment, parameter group, and job template.
By default, a user with permissions to edit or execute pipelines can also view pipelines.
Pipeline permissions
The following table lists the pipeline permissions for each role in a project in the initial state.
Table 3 Project-level permissions Role
View
Create
Execute
Edit
Delete
Group
Tag
Disable
Project admin
√
√
√
√
√
√
√
√
Project manager
√
√
√
√
√
√
√
√
Developer
√
√
√
×
×
×
×
×
Test manager
√
×
×
×
×
×
×
×
Tester
√
×
×
×
×
×
×
×
Participant
√
×
×
×
×
×
×
×
Viewer
√
×
×
×
×
×
×
×
Product manager
√
×
×
×
×
×
×
×
System engineer
√
√
√
√
√
√
√
√
Committer
√
√
√
×
×
×
×
×
- To clone a pipeline, you must have the permission to create a pipeline and edit the source pipeline.
- By default, role permissions in a pipeline inherit and are associated with the role permissions in the project until role or user permissions are modified in the pipeline.
- By default, a pipeline creator has all permissions on the pipeline.
Policy permissions
The following table lists the project-level policy permissions for each role in a project in the initial state.Table 4 Project-level policy permissions Role
View
Create
Edit
Delete
Project admin
√
√
√
√
Project manager
√
√
√
√
Developer
√
√
√
√
Test manager
√
×
×
×
Tester
√
×
×
×
Participant
√
×
×
×
Viewer
√
×
×
×
Product manager
√
×
×
×
System engineer
√
√
√
√
Committer
√
√
√
√
To clone a policy, you must have the permission to create a policy and edit the source policy.
Microservice permissions
The following table lists the microservice permissions for each role in a project in the initial state.Table 5 Project-level microservice permissions Role
View
Create
Edit
Delete
Project admin
√
√
√
√
Project manager
√
√
√
√
Developer
√
×
×
×
Test manager
√
×
×
×
Tester
√
×
×
×
Participant
√
×
×
×
Viewer
√
×
×
×
Product manager
√
×
×
×
System engineer
√
√
√
√
Committer
√
×
×
×
Change permissions
The following table lists the change permissions for each role in a project in the initial state.Table 6 Project-level change permissions Role
View
Create
Edit
Execute
Project admin
√
√
√
√
Project manager
√
√
√
√
Developer
√
√
√
√
Test manager
√
×
×
×
Tester
√
×
×
×
Participant
√
×
×
×
Viewer
√
×
×
×
Product manager
√
×
×
×
System engineer
√
√
√
√
Committer
√
√
√
√
Environment permissions
The following table lists the release environment permissions for each role in a project in the initial state.
Table 7 Project-level development environment permissions Role
View
Create
Edit
Delete
Execute
Roll Back
Project admin
√
√
√
√
√
√
Project manager
√
√
√
√
√
√
Developer
√
√
√
√
√
√
Test manager
√
×
×
×
×
×
Tester
√
×
×
×
×
×
Participant
√
×
×
×
×
×
Viewer
√
×
×
×
×
×
Product manager
√
√
√
√
√
√
System engineer
√
√
√
√
√
√
Committer
√
√
√
√
√
√
Table 8 Project-level test environment permissions Role
View
Create
Edit
Delete
Execute
Roll Back
Project admin
√
√
√
√
√
√
Project manager
√
√
√
√
√
√
Developer
√
×
×
×
×
×
Test manager
√
√
√
√
√
√
Tester
√
√
√
√
√
×
Participant
√
×
×
×
×
×
Viewer
√
×
×
×
×
×
Product manager
√
×
×
×
×
×
System engineer
√
×
×
×
×
×
Committer
√
√
√
√
√
√
Table 9 Project-level pre-production environment permissions Role
View
Create
Edit
Delete
Execute
Roll Back
Project admin
√
√
√
√
√
√
Project manager
√
√
√
√
√
√
Developer
√
×
×
×
×
×
Test manager
√
×
×
×
×
×
Tester
√
×
×
×
×
×
Participant
×
×
×
×
×
×
Viewer
×
×
×
×
×
×
Product manager
√
×
×
×
×
×
System engineer
√
×
×
×
×
×
Committer
√
√
√
√
√
√
Table 10 Project-level production permissions Role
View
Create
Edit
Delete
Execute
Roll Back
Project admin
√
√
√
√
√
√
Project manager
√
√
√
√
√
√
Developer
×
×
×
×
×
×
Test manager
×
×
×
×
×
×
Tester
×
×
×
×
×
×
Participant
×
×
×
×
×
×
Viewer
×
×
×
×
×
×
Product manager
×
×
×
×
×
×
System engineer
√
×
×
×
×
×
Committer
√
√
√
√
√
√
Parameter group permissions
The following table lists the parameter group permissions for each role in a project in the initial state.Table 11 Project-level parameter group permissions Role
Create
Delete
Edit
Associate
Project admin
√
√
√
√
Project manager
√
√
√
√
Developer
√
√
√
√
Test manager
×
×
×
×
Tester
×
×
×
×
Participant
×
×
×
×
Viewer
×
×
×
×
Product manager
×
×
×
×
System engineer
√
√
√
√
Committer
√
√
√
√
- Resource-level permissions
You can configure permissions for a single pipeline by role or user. For details, see Configuring Pipeline Permissions.
Role permissions
- The project admin, pipeline creator, and project manager can change pipeline role permissions.
- By default, role permissions for a pipeline are the same as the role permissions at the project level. If role permissions at the project level are changed, role permissions in a pipeline will be changed accordingly.
- If you change the role permissions for a pipeline, the changed permissions will take effect, because the resource-level permissions take precedence over the project-level permissions.
User permissions
- The project admin, pipeline creator, and project manager can change pipeline user permissions.
- By default, user and role permissions are consistent. If pipeline role permissions are changed, pipeline user permissions will be changed accordingly.
- If you change the pipeline user permissions, the changed permissions will take effect, because user permissions take precedence over role permissions.
Use project-level permissions
- If this function is enabled, the role permissions of a pipeline are the same as those in the project settings.
- If this function is disabled, you can customize the role permissions of a specific pipeline.
- User permissions take precedence over role permissions.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
