Permissions Management
CodeArts fine-grained permissions management combines the capabilities of Identity and Access Management (IAM) and CodeArts to help you flexibly set different permissions for IAM users under your tenant account.
The capabilities include IAM fine-grained permissions management and CodeArts authentication.
- IAM fine-grained permissions management: IAM users are authorized by user group using system-defined permissions.
- CodeArts authentication: The three-layer permission model enables you to manage operation permissions of IAM users using roles.
IAM Fine-Grained Permissions
New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
Table 1 lists all the system-defined permissions for CodeArts.
|
Service |
Role/Policy Name |
Description |
Type |
Details |
|---|---|---|---|---|
|
CodeArts Console |
DevCloud Console FullAccess |
Full permissions for the CodeArts console. |
System-defined policy |
For details, see CodeArts Console Permission Description. |
|
DevCloud Console ReadOnlyAccess |
Read-only permissions for the CodeArts console. |
System-defined policy |
||
|
CodeArts Req |
ProjectMan ConfigOperations |
Full permissions for CodeArts Req. |
System-defined policy |
For details, see Cloud-Service-Level Permissions. |
|
CodeArts Pipeline |
CloudPipeline Tenant Extensions FullAccess |
Full permissions for extensions of CodeArts Pipeline. |
System-defined policy |
For details, see Tenant-level Permissions. |
|
CloudPipeline Tenant Pipeline Templates FullAccess |
Full permissions for templates of CodeArts Pipeline. |
System-defined policy |
||
|
CloudPipeline Tenant Rule Templates FullAccess |
Full permissions for policy settings of CodeArts Pipeline. |
System-defined policy |
||
|
CloudPipeline Tenant Rules FullAccess |
Full permissions for rule settings of CodeArts Pipeline. |
System-defined policy |
||
|
CodeArts PerfTest |
CodeArts PerfTest Administrator |
CodeArts PerfTest administrator, who has full permissions for this service. |
System-defined role |
See Permissions. |
|
CodeArts PerfTest Developer |
CodeArts PerfTest developer, who has full permissions for their own resources, but has no permission for those of other users under the tenant. |
System-defined role |
||
|
CodeArts PerfTest Operator |
CodeArts PerfTest operator, who has read-only permissions for this service. |
System-defined role |
||
|
CodeArts PerfTest Resource Administrator |
CodeArts PerfTest resource administrator, who has full permissions on test resources in this service. |
System-defined role |
||
|
CodeArts PerfTest Resource Developer |
CodeArts PerfTest resource developer, who can view and use test resources in this service, but cannot create, update, or delete infrastructure resources. |
System-defined role |
CodeArts Authentication
CodeArts provides a permission model that contains the tenant, project, and instance levels.
The application scope of this model is as follows: tenant-level permissions > project-level permissions > instance-level permissions.
If the permission configuration in this model conflicts, this permission priority is used: instance-level > project-level > tenant-level.
- Tenant-level Permissions
These permissions take effect for all CodeArts projects in your account, including creating, deleting, and modifying projects.
By default, users with the Tenant Administrator role have tenant-level permissions. They can also grant other users the permissions required to create projects. For details, see Project Creators.
- Project-level Permissions
These permissions take effect for the current project, including editing and archiving projects, configuring roles and permissions, and configuring members. You can also configure operation permissions for each service, including the permissions to create, submit, and copy raw requirements in CodeArts Req, and the permissions to commit and merge code in CodeArts Repo. These permissions take effect for all instances of the service.
CodeArts provides role-based access control (RBAC). By default, new users do not have permissions assigned. You need to add a user to a project, and assign roles to the user. The user then has the permissions specified in the roles and can perform specified operations on cloud services based on the permissions.
CodeArts provides multiple system roles and also supports custom roles. You can create desired roles with specified operation permissions for CodeArts Req, CodeArts Modeling, CodeArts Repo, CodeArts Check, CodeArts Build, CodeArts Artifact, CodeArts Deploy, CodeArts TestPlan, and CodeArts Pipeline.
Table 2 Built-in project roles in CodeArts Role Name
Description
Project administrator
The general owner of a project who manages all settings and members of the project, including creating, deleting, and modifying projects, assigning and canceling permissions of other roles.
Project manager
A primary owner of a project who manages requirements, plans, progress, and risks of the project, and coordinates work in the project team.
Product manager
Responsible for product design and planning, including defining product requirements, prototypes, and user stories, communicating and collaborating with developers and testers.
Test manager
Responsible for testing, including managing test plans, test cases, test execution, and bug tracking, guiding and supervising test personnel.
System engineer
Responsible for the system architecture and infrastructure of a project, including designing, setting up, and maintaining project resources such as servers, networks, and databases.
Committer
Reviews and merges code committed by developers.
Developer
Writes, commits, merges, and branches code, creates and runs services such as CodeArts Pipeline and CodeArts Build.
Tester
Executes test cases, reports bugs, and verifies fixes.
Participant
Participates in a project and creates work items.
Viewer
Views a project and cannot perform any operations in any services.
- Instance-level Permissions
These permissions take effect for a specific code repository or pipeline of a project, for example, permissions required to view, execute, update, and delete a pipeline.
Instance-level permissions are configured by the creator of the corresponding instance. CodeArts allows you to configure instance-level permissions for services listed in the following table.
Table 3 CodeArts instance-level permissions Service
Instance
Configuration Method
CodeArts Repo
Code repository
CodeArts Pipeline
Pipeline
CodeArts Build
Build task
CodeArts Deploy
Application
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
