Minimal permissions config for build functional user role
I inherited a Team Concert project area configuration where a build functional user has all permissions. This is obviously a bad idea because it opens potential security vulnerabilities and even severe accidents.
I want to reduce this functional user's permissions to the minimal necessary set required to run automated builds, but I'm struggling to find documentation on what operations are required by functional users. First of all, if such doc exists, can someone respond with a link? Assuming it doesn't exist, here are the minimal permissions I think the build functional user needs. Can someone please confirm or tweak the list? Build Permissions -------------------- Complete Build Retrieve the Next Build Request Start Build Request Build Request Personal Build Create Build Result Modify Build Result Source Control Permissions ------------------------------- Deliver Baselines Save Baseline (server) -> Modify Name and Description (Is this required to give the baseline the name of the build ID?) Save Snapshot (server) -> Modify Name and Description (Is this required to give the snapshot the name of the build ID?) ----- A few notes: - I didn't provide any permissions around build definitions or deletion of build results because I assume a human will perform these operations or automated clean-up tasks. - I didn't provide any permissions on streams because I assume the functional user only performs write operations on a repository workspace - I didn't provide any permissions for work items because currently we don't have any automation between builds and work items (e.g. automatically creating a defect when a build fails) |
5 answers
The user given on the JBE command line (-userId) must have permission for the following operations/actions as a minimum:
Build Permissions -------------------- Control the Build Lifecycle (all) Save Build Engine / Modify Build Engine (for updating the last contact time) Save Build Result (all) If using Jazz SCM, no extra permissions are needed for the accept/fetch, since workspaces are owned by individuals, not projects/teams, but the build workspace owner must be the same as the JBE user. Permissions may be needed for Save Baseline, since a snapshot is created against the build workspace (so no permissions needed for that) but baselines may be created too (if the component is not already at a baseline) and baseline creation is governed by the owner of the component (which may be an individual or project/team area). Other permissions will be needed for certain Ant tasks. For example, if requesting builds via the requestTeamBuild Ant task, the user given in the task invocation (usually the same as the JBE user) must have permission for Request Build. Your assumptions under "A few notes" are all correct. If you want to lock down permissions, start with the basic set above, and add others as needed if the build fails due to missing permissions. Note that 'Save Build Engine', 'Delete Build Engine' and 'Control the Build Lifecycle / Retrieve the Next Build Request' are governed by project/team area associated with the build engine. All the other Build operations/actions are governed by the area associated with the build definition. One potential gotcha is that the build can get into a weird 'permanently pending' state if the JBE user has permission (in the engine's area) to get the next request, but does not have permission (in the definition's area) to save the build result. It can get the next request and claim it, but will fail trying to start the build (bump the build result's state to In Progress). |
|
Thanks very much Nick, this is tremendously helpful.
I would suggest that this would make a helpful short article: "Best practices for configuring build users' permissions" or something. Dan Berg pointed out in an email that a build user also needs a reduced license as well, the "Build System" license. |
Geoffrey Clemm (30.1k●3●30●35)
| answered May 17 '12, 2:01 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
Note that a build user account does not have to be assigned a Build Sstem license, but it can be, in order to not use up an end-user license that you have purchased (but only if the build user account is only used to do builds).
Cheers, Geoff Thanks very much Nick, this is tremendously helpful. |
|
That's correct. The Build System license and Developer license are equivalent in the operations that they allow. They just differ in the terms of use.
|
|
I'm not sure this warrants a full article or tech tip. I've added the info to the Build FAQ:
https://jazz.net/wiki/bin/view/Main/BuildFAQ#ProcessPermissions and also: https://jazz.net/wiki/bin/view/Main/BuildFAQ#RepositoryPermissions |
Your answer
Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.