From 093975aa0f8b38326863f5e588d0fd36d40b99f2 Mon Sep 17 00:00:00 2001 From: Nicolas Favre-Felix Date: Fri, 26 Jul 2024 15:54:19 -0700 Subject: [PATCH] fix(permissions): Pipeline permissions do not affect manual triggers The documentation page for Pipeline Permissions explains that when roles are added to a pipeline definition, only users with all of these roles can then edit or execute the pipeline. This is true about edits, since adding a privileged role there would let a user trigger an execution with privileges they don't have, but this feature does not affect manual executions. These still run with the roles and privileges of the user who triggered the pipeline manually, regardless of Pipeline Permissions. --- .../security/authorization/pipeline-permissions/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/setup/other_config/security/authorization/pipeline-permissions/index.md b/content/en/docs/setup/other_config/security/authorization/pipeline-permissions/index.md index 6ab08c62..c87678f5 100644 --- a/content/en/docs/setup/other_config/security/authorization/pipeline-permissions/index.md +++ b/content/en/docs/setup/other_config/security/authorization/pipeline-permissions/index.md @@ -36,7 +36,7 @@ window.spinnakerSettings.feature.managedServiceAccounts = true; The permissions selector will show up automatically when an automated trigger is added in the pipeline configuration page in the UI. You can add any of the roles that you currently have. Once you add a role to the pipeline, only users -who have _all of the specified roles_ can edit or execute the pipeline. +who have _all of the specified roles_ can edit the pipeline. This is similar to the behavior of [Fiat service accounts](/docs/setup/other_config/security/authorization/service-accounts#service-account-roles). 
@@ -75,4 +75,4 @@ new service user will get the same permissions as the manual service user that i replaces. If a pipeline has multiple triggers with different `runAsUser` fields set, the new managed service user will get all of the roles of the different manual service users (as you can only have one managed service -user per pipeline). This can potentially remove some users ability to edit or execute affected pipelines." \ No newline at end of file +user per pipeline). This can potentially remove some users ability to edit affected pipelines.
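Review bot: In the first hunk (index.md, @@ -36,7 +36,7), the rewritten sentence "can edit the pipeline" leaves the page silent on execution, so a reader cannot tell from the docs what the commit message states: manual executions still run with the roles and privileges of the user who triggered them, regardless of Pipeline Permissions. Consider adding a sentence after the changed line that says this explicitly, so the permissions selector is not mistaken for an execution control. It is also worth confirming that the following unchanged line, "This is similar to the behavior of Fiat service accounts", still holds now that the statement covers edits only.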
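Review bot: In the second hunk (index.md, @@ -75,4 +75,4), the added line keeps "some users ability", which is missing the possessive apostrophe; since the line is being rewritten anyway, change it to "some users' ability to edit affected pipelines." The hunk also drops the stray trailing double quote and adds the missing newline at end of file, neither of which the commit message mentions; a short note there would help anyone reading the history.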