Skip to main content
Version: Release 22.3

Manage Release Permissions in YAML

You can specify and maintain global permissions, roles, and users for Release in YAML, enabling you to manage this aspect of your Release configuration "as code".

Before you begin

In Release, you can assign internal and external users to roles that determine the global permissions that they have. Global permissions apply across the entire Release system.

You should familiarize yourself with how global permissions and roles work in Release:

In addition to global security, you can enforce security on the folder, template, and release level. for more information on how to do this using DevOps as Code, see Manage Release folder permissions

Work with users

This section describes how to define internal users in YAML, view the results in the UI, and then generate YAML that reflects your configuration.

note

Managing external users in YAML is not supported, as these users are managed using an LDAP provider.

Define users in the UI and generate YAML

You can generate a YAML file that specifies your users by using the xl generate command with the -u flag.

xl generate xl-release -uf users.yaml

Example of output results:

---
apiVersion: xl-release/v1
kind: Users
spec:
- username: admin
name: Release Administrator
enabled: true
- username: chris_smith
name: chris smith
email: csmith@company.com
enabled: true
- username: jay_albert
name: jay albert
email: jalbert@company.com
enabled: true
- username: sue_perez
name: sue perez
email: sperez@company.com
enabled: false

Apply user specification YAML to Release

Release users have passwords. Therefore, to add a new user, or update an existing user using a YAML specification, you need to add the password field to the user information. Note the following:

  • If you are creating a new user, you will specify an initial password in YAML that you should instruct the user to change at first login.
  • If you are updating an existing user (and assuming you have admin privileges), you do not need to know the user's existing password. You can effectively reset the password to the value you specify in the YAML.

For example, to add a new user named tim_ellis, create a YAML file called add-user.yaml with this specification:

---
apiVersion: xl-release/v1
kind: Users
spec:
- username: tim_ellis
name: tim ellis
email: tellis@company.com
password: changeme
enabled: true

Apply the YAML file to Release:

xl apply -f add-user.yaml

Return to the UI and see that the user tim_ellis is now listed.

Work with global roles

This section describes how to define global roles in YAML, view the results in the UI, and then generate YAML that reflects your configuration.

Define global roles in YAML

To support running the examples shown in this topic:

  • Create a YAML file called create-roles.yaml
  • Define two roles (Leaders and Developers)
  • Assign users (referred to as principals) to the Leaders and Developers roles

For example:

apiVersion: xl-release/v1
kind: Roles
spec:
- name: Leaders
principals:
- jay_albert
- name: Developers
principals:
- chris_smith
- sue_perez

Save the file and apply it to Release:

xl apply -f create-roles.yaml

Go to UI and confirm the results.

MyFolder

Generate YAML for global roles

To generate YAML for your existing global role configuration to a file called roles.yaml, add the -r flag:

xl generate xl-release -rf roles.yaml

Result:

---
apiVersion: xl-release/v1
kind: Roles
spec:
- name: Leaders
principals:
- jay_albert
- name: Developers
principals:
- chris_smith
- sue_perez

Work with global permissions

This section describes how to define global permissions and view the results in the UI.

Define global permissions in YAML

You can define global permissions in YAML and apply to Release.

Create a YAML file called global-perms.yaml and assign specific permissions to each role (Leaders and Developers).

For example:

---
apiVersion: xl-release/v1
kind: Permissions
spec:
- global:
- role: Leaders
permissions:
- template#create
- reports#view
- admin
- security#edit
- role: Developers
permissions:
- release#create
- global_variables#edit
- dashboard#create
- folder#create_top_level

Save the file (e.g., global-perms.yaml) and apply it to Release:

xl apply -f global-perms.yaml

Review the results in the UI:

MyFolder

Give more permissions to the Developers role

Using the Release UI, give the Developers role additional permissions for the highlighted actions and click Save.

MyFolder

Generate YAML for global permissions

To generate YAML for your global permissions configuration to a file called permissions.yaml, add the -m flag:

xl generate xl-release -mf permissions.yaml

The additional permissions you configured for the Developers role are now included:

---
apiVersion: xl-release/v1
kind: Permissions
spec:
- global:
- role: Leaders
permissions:
- template#create
- reports#view
- admin
- security#edit
- role: Developers
permissions:
- global_calendar#edit_blackout
- release#create
- reservation#edit
- global_variables#edit
- application#edit
- environment#edit
- dashboard#create
- folder#create_top_level
- risk_profile#edit