x
login Signup

What Flow permissions are needed to run this procedure/pipeline?

We are creating new procedures and pipelines and have strict ACLs to prevent unauthorized use of them. In order to determine what permissions a user group needs, we log in with the user of a specific group and attempt to run the procedure/pipeline. Then, when we receive an error we must switch to another account to grant the necessary access to that group. This must be done repeatedly until all errors are resolved.

Is there any way to identify the permissions needed to run a given procedure/pipeline?

avatar image By mwalton.ihg 51 asked Jun 25 at 04:46 PM
more ▼
(comments are locked)
10|750 characters needed characters left

3 answers: sort voted first

the easiest in this case is to give permission to the procedures (or containing project) from the pipeline project using the following options to aclEntry():

  principalType: 'user', principalName: 'project: PROJNAME'

the syntax for the principal name is important, 'project' followed by ':' followed by a space followed by the name of the project. The principalype is 'user'

avatar image By lrochette 6k answered Jun 28 at 04:06 PM
more ▼
(comments are locked)
10|750 characters needed characters left

http://docs.electric-cloud.com/eflow_doc/9_1/User/HTML/FlowUserGuide_9_1.htm#eflow_user/accesscontrol.htm

There is an Access Control icon on the procedure page that will show you the Access Control hierarchy for the procedure: Server > Projects > Project > Procedure .

avatar image By gregm 2k answered Jun 25 at 06:29 PM
more ▼
(comments are locked)
avatar image lrochette Jun 25 at 07:02 PM

instead of login/logout, I usually use 2 different browsers: one for the user I test, one with elevated privileges to make it easier.

In addition, I will recommend using DSL to set up your ACLs so it's reproducible and documented.

10|750 characters needed characters left

Thank you for the answers, but I realize now I was not clear in my question.

Say you have a pipeline and you want to give a group permission to run that pipeline only. If you set the ACL to add the group to that individual pipeline (with "allow" permissions for Read and Execute), you will run into ACCESS_DENIED errors because the user does not have permissions to run the procedures within the pipeline.

Likewise, if you give a group permission to run one procedure, but that procedure calls sub-procedures from different projects, the same access denied errors will appear.

So how can we identify all the projects/procedures/property sheets/etc that the user/group needs to have access to in order to execute a given pipeline or procedure?

avatar image By mwalton.ihg 51 answered Jun 28 at 01:41 PM
more ▼
(comments are locked)
10|750 characters needed characters left
Your answer
toggle preview:

Up to 8 attachments (including images) can be used with a maximum of 524.3 kB each and 1.0 MB total.