Add "Manage Runners" as a customizable permission
Release notes
Group owners and project maintainers have the ability to manage runners. This often leaves users overprivileged: to manage runners they are also granted destructive group or project permissions they may not need. With the release of this permission, you can create a custom role and set the permission to enable least-privileged access.
Background
Group owners and project maintainers have the ability to manage runners. This leads organizations to elevate a subset of users who need to manage runners, and as a consequence those users can edit other Group/Project settings. This permission will allow a custom role such as Developer + this permission, letting organizations reduce the number of Owners and Maintainers in their environment.
Proposal and User Experience
- When creating a role, any base role can be selected. A new permission labeled "Manage Runners" is available for selection.
- If the user role is targeted at the group level, they will be able to perform the Group Actions indicated below on the group and its subgroups. This continues to follow the waterfall permission model.
- If the user role is targeted at the project level, they can only perform Project Actions indicated below for the project.
- The permission actions for `admin_runners` allow create / write (create/update) / delete on Runners and settings including:

| Group Actions | Project Actions |
|---|---|
| Runner Object, Runner List, Runner Settings | Runner Settings, Pipelines View |

- API for reference
Views+Workflows include:
- Base + permission: Can see Group -> Build -> Runners
- Base + permission: Can see Group -> Build -> Create Runner
- Base + permission: Can see Group -> Build -> View Runner Details
- Base + permission: Can see Group -> Settings -> CI/CD -> Runners
- Base + permission: Can see Projects -> Settings -> CI/CD -> Runners
- Base + permission: Can see Projects -> Pipelines -> Clear Runner Cache
Documentation
- Permission Title: Manage Runners
- Permission Description: Create, view, edit, and delete group or project Runners. Includes configuring Runner settings.
- Update prerequisites for Manage Runner Documentation, Configure Runners, Tutorials with:
  - Update group prerequisites: You must have the Owner role for the group or a custom role with the permission "admin_runners"
  - Update project prerequisites: You must have the Maintainer role for the project or a custom role with the permission "admin_runners"