
Access Control

Overview

In Continuum there are two mechanisms for access control: Teams and Roles.

  • Teams are used as an access control tool by large and medium enterprises that want to enforce a team-based access control within a single Continuum instance.

  • Roles are used for enabling features and functions and allowing configuration changes.

 

Tags are no longer used as an access control tool. They are used as a user grouping tool.

Set up one or more Tags, tag users with one or more Tags and then you can add one or more Tags to any Manual Activity or Manual Interaction so that the Manual Activity or Manual Interaction is assigned to the members of the Tags. 

Teams

While Tags and Roles were the access control tools available with Continuum 18.1 and earlier, Continuum 18.2 brings you the Teams feature that can further simplify the task of setting up access control in Continuum.

The Teams feature in Continuum is an access control tool for large and medium enterprises that want to enforce a team-based access control within a single Continuum instance. In other words, a single Continuum instance can now cater to the needs of multiple organizational units while ensuring that individual teams (and users) can access only objects that are assigned to them.

When you upgrade from Continuum 18.1 (or earlier) to Continuum 18.2 (or later), all your objects and users are, by default, assigned to a system generated team, Default. You can later set up one or more teams and assign users and objects to these teams as required.

Once you set up one or more teams and assign users and objects to teams, you can use the Teams filter (Team selector drop-down list) in Continuum to filter and see users, objects, and artifacts that belong to the selected Teams.

As always, the ability to perform certain functions (such as create, edit or delete) is governed by the Roles assigned to the users.

  • While a user in Continuum can be a part of multiple Teams, an object such as a Project, Package or Pipeline can be associated with just one Team.
  • Only users with Administrator privileges can create Teams in Continuum.
  • A user must belong to at least one Team. In other words, you cannot set up a user account without selecting one or more Teams that the user belongs to.
  • An object must belong to a Team. In other words, you cannot create an object such as a Task, Package or a Pipeline without selecting a Team.

Create a Team

You must be an Administrator to set up Teams in Continuum. You can create Teams via the UI, API or command line tools.

From the UI

  1. Click the Administration icon at the top right and select System Configuration > Teams from the menu.
  2. Click Add Team.

     [Figure: Add a Team from the UI]

  3. Type a name and description for the Team.
  4. Click Save.

From the Command Line

Use the ctm-create-team command to create Teams from a command line tool.

For example:

$ ctm-create-team -n team1 -T 5af37e4ff4db5e484aa13fae  --url http://cu217.cloud.maa.collab.net:8080

For more information, use the ctm-create-team command’s --help parameter.

 

Add Objects to Teams

In addition to users, the following objects can be associated with Teams: Projects, Tasks, Packages and Pipelines.

Add a User to One or More Teams

Use the Teams tab on the User Management page to add users to one or more Teams either at the time of setting up new user accounts or at a later point in time.

  1. If you are setting up a new user account, select the Teams tab on the Create a New User page, select one or more Teams that the user would be a part of and click Save.
  2. To add an existing user to one or more Teams, select the Teams tab on the Modify User page, select one or more Teams that the user would be a part of and click Save.

Associate a Task to a Team

You can associate a Task to a Team when you create it or at a later point in time.

  1. Click the Administration icon at the top right and select Automate > Tasks from the menu.
  2. Click Add New Tasks.

     [Figure: Select a Team while creating a task]

  3. Select a team from the Team drop-down list and type a name, code and description for the task.
  4. Click Save.

Associate Projects, Packages and Pipelines to a Team

You can no longer create a Project, Package or a Pipeline without selecting a Team that they belong to. Selecting a Team is one of the requirements when you create these objects.

Select a Team while creating a Project

Select a Team while creating a Package

Select a Team while creating a Pipeline

Roles - The New Continuum Role Based Access Control (RBAC)

With the addition of Teams in Continuum 18.2, Continuum RBAC was also improved.

This new RBAC pattern is being rolled out beginning in Continuum 18.2. A new concept, Global User Roles, is introduced, and the three existing global roles (Administrator, Developer, and User) are being deprecated. In addition, three new Team-level roles (Team Administrator, Developer, and User) are being added, as discussed in the following sections.

Global User Roles

Global User Roles are used to uniquely identify a user at a global level. There are two Global Roles, System Administrator and Shared Asset Manager.

For separation of duties, it is recommended to assign these two global roles to users that do not have any Team level permissions. 

The System Administrator flag identifies a user as a System Administrator.  Selecting this flag allows the user to:

  • Manage Security
  • Manage Teams (add/change/delete/add users/remove users)
  • Manage System Settings
  • Various other ‘system administration’ level features such as creating user accounts and Tags

Unlike in the past, a System Administrator is not a Super User.  System Administrators cannot manage Team-level configuration (projects, pipelines, packages, etc).  Every user in the system, regardless of global User Flags, must belong to a Team in order to gain access to that Team's internal assets. At least one Team is mandatory, and every user in the system must belong to at least one Team.

The Shared Asset Manager flag identifies a user as someone who can manage Continuum assets that are not scoped to just one team (in other words that are shared by more than one team).

For example, a user with the Shared Asset Manager global role can create and manage Continuum objects such as Progressions, Plugins, Assets, Webhooks, Shared Credentials and Virtual Infrastructure Assets (Clouds and Cloud Accounts). 

Team-based Roles

Within a Team, a user can have only one of the following Roles:

  • Team Administrator – A user with the Team Administrator role can manage (can add/change/delete users and assets) Team membership, Tags and Team assets (Projects, Packages, Pipelines and Tasks).
  • Developer – A user with the Developer role can manage (add/change/delete assets) Team assets (Projects, Packages, Pipelines and Tasks) but cannot manage Team membership. 
  • User –  With the User role, a user can see the output and reporting of the functions of the assets in a Team. However, users with the User role cannot manage a Team's membership or its assets.  

The output of a Team's assets (Pipeline runs, Package status, Cards on the Progression Board, Dashboards, and so on) is only visible to members of that Team. To see this information for a specific Team, you must be at least a User on that Team.
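
The following Python example is added here for illustration and is not Continuum code. It audits a user list against the rules above: every user needs at least one Team, each Team role must be one of the three listed, and a holder of a global role should not also hold a managing role in a Team. The data layout and names are constructed, and reading "no Team level permissions" as "no Team Administrator or Developer role" is an assumption.

```python
# Added example: audits a user export against the rules on this page.
# The export layout is constructed for illustration; it is not a Continuum API format.
GLOBAL_ROLES = {"System Administrator", "Shared Asset Manager"}
TEAM_ROLES = {"Team Administrator", "Developer", "User"}
MANAGING_ROLES = {"Team Administrator", "Developer"}  # roles that can change Team assets

# Constructed sample data: user -> global flags and exactly one role per Team.
USERS = {
    "alice": {"global": {"System Administrator"}, "teams": {"Default": "User"}},
    "bob":   {"global": {"Shared Asset Manager"}, "teams": {"Payments": "Developer"}},
    "carol": {"global": set(), "teams": {"Payments": "Team Administrator", "Default": "User"}},
    "dave":  {"global": set(), "teams": {}},
    "erin":  {"global": set(), "teams": {"Payments": "Owner"}},
}

def audit(users):
    """Return a sorted list of (user, finding) tuples."""
    findings = []
    for name, rec in users.items():
        unknown_flags = rec["global"] - GLOBAL_ROLES
        if unknown_flags:
            findings.append((name, "unknown global role: " + ", ".join(sorted(unknown_flags))))
        if not rec["teams"]:
            findings.append((name, "belongs to no Team"))
        for team, role in rec["teams"].items():
            if role not in TEAM_ROLES:
                findings.append((name, f"unknown role {role!r} in Team {team}"))
            elif rec["global"] and role in MANAGING_ROLES:
                # Assumption: "no Team level permissions" is read as "no managing role",
                # because every user must still belong to at least one Team.
                findings.append((name, f"global role combined with {role} in Team {team}"))
    return sorted(findings)

def can_view_team_output(users, name, team):
    """Team output is visible to Team members only; global flags grant nothing here."""
    rec = users.get(name)
    return bool(rec) and rec["teams"].get(team) in TEAM_ROLES

if __name__ == "__main__":
    for user, finding in audit(USERS):
        print(f"{user}: {finding}")
```

Here alice, a System Administrator with only the User role on Default, passes the audit but still cannot see output from the Payments Team, which matches the statement that a System Administrator is not a Super User.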

Role-matrix

The following table illustrates the role-based access permissions required to access various Continuum pages at the site administration level.


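Roles and Access

| Pages | System Administrator | Shared Asset Manager | Team Administrator | Developer | User |
|---|---|---|---|---|---|
| System Configuration | | | | | |
| Settings | Yes | No | No | No | No |
| System | Yes | No | No | No | No |
| Users | Yes | No | No | No | No |
| Users tab (in Team Manager) | No | No | Yes | No | No |
| Teams | Yes | No | Yes | No | No |
| Tags | Yes | No | No | No | No |
| Security Log | Yes | No | No | No | No |
| Change Log | Yes | No | No | No | No |
| Flow | | | | | |
| Projects | No | No | Yes | No | No |
| Progressions | No | Yes | No | No | No |
| Pipelines | No | No | Yes | Yes | No |
| Packages | No | No | Yes | Yes | No |
| Plugins | No | No | Yes | Yes | No |
| Global Registry | No | No | Yes | | No |
| Automate | | | | | |
| Tasks | No | No | Yes | Yes | Yes |
| Assets | No | Yes | Yes | Yes | Yes |
| Shared Credentials | No | Yes | Yes | Yes | Yes |
| Clouds | No | Yes | Yes | Yes | Yes |
| Cloud Accounts | No | Yes | Yes | Yes | Yes |
| Webhooks | No | Yes | Yes | Yes | Yes |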

 

The following table illustrates the role-based access permissions required to access various Continuum pages at the project level.


 

Roles and Access

| Pages | System Administrator | Shared Asset Manager | Team Administrator | Developer | User |
|---|---|---|---|---|---|
| Projects | No | No | Yes | Yes | Yes |
| Progressions | No | No | Yes | Yes | Yes |
| Pipelines (Groups, Instances, and Pending) | No | No | Yes | Yes | Yes |
| Tasks | No | No | Yes | Yes | Yes |
| Perspectives (Packages, Work Items, Changes, Artifacts, Buckets & Environments) | No | No | Yes | Yes | Yes |
| Perspective Contributors | Yes | No | No | No | No |

Tags

Tags are no longer used as an access control tool. They are used as a user grouping tool.
 

How Tagging Works

Set up one or more Tags, tag users with one or more Tags and then you can add one or more Tags to any Manual Activity or Manual Interaction. 

Once you add one or more tags to a Manual Activity or Manual Interaction, users that share the Tags are assigned to the Manual Activity or Manual Interaction.


Consider the following scenario:

  • John and Mark are two users with the tag 'PeoplesoftAdmin'

  • Manual Activity Approve is tagged with the tag 'PeoplesoftAdmin'

As both John and Mark are tagged with 'PeoplesoftAdmin' and as the Manual Activity Approve is also tagged with 'PeoplesoftAdmin', both John and Mark are assigned to the Manual Activity Approve.

Tag Naming Conventions

Regarding Tag naming, it's best to select names based on the Users and Groups metaphor. For example, MySqlAdmins (plural) suggests the purpose of the Tag is to contain MySql administrators.

When designing a user grouping model for your purposes, selecting smart and intuitive Tag names is essential. Names such as JohnsStuff are restrictive and not reusable.

Tag names are limited to 32 alphanumeric characters, and cannot contain spaces or special characters.

Tags have a description property which is very helpful in determining what the Tag actually means. Here are a couple of good examples:

  • MySqlAdmin - MySQL DBAs and Servers.

  • BillingOperations - People and things associated with the nightly billing operations.

Creating a Tag

Tags can be created by an Administrator.

From the UI:

  1. Click the Administration icon at the top right, select System Configuration > Tags from the menu and click Add New.

 

Associating Objects with Tags

Tags can be associated with Users, Manual Activities and Manual Pipeline Interactions.

User

  1. To associate a User with one or more Tags, click the Administration icon at the top right, select System Configuration > Users from the menu.
  2. Select a User from the list. Click the Groups (Tags) tab to see this User's Tags.
  3. Click the + button of the tags you want to assign to the user. The selected tags are moved to the Assigned column.

Click the x on any existing Tag to remove it from the User.

Manual Activity

  1. To add tags to Manual Activities, click the Administration icon at the top right, select Flow > Packages from the menu.
  2. Select a Package from the drop-down list.
  3. Select the Progressions tab.
  4. Click Add Activity.
  5. While typing the Activity details, select Manual Activity from the Type drop-down list.
  6. Select the Tags text box and type one or more comma-separated tag names you want to add. Use the auto-suggest feature to select the tags.
  7. Click Save.

Manual Pipeline Interaction

  1. To add tags to a Manual Pipeline Interaction, click the Administration icon at the top right, select Flow > Pipelines from the menu.
  2. Select a Pipeline from the drop-down list.
  3. Select the Phases tab.
  4. Click Add Phase and click the '+' icon to add a Stage.
  5. Select the Flow plugin, select Interact - Action or Interact - Confirmation, drag and drop it on the Stage. 
  6. Select the Tags text box and type one or more comma-separated Tags.
  7. Click Save.