Protect Your Pipeline: Restrict Who Can Start It Manually or Edit Its Configuration

If you want to prevent unauthorized users from manually starting your pipeline or editing (and changing) its configuration, you can impose those restrictions from the Pipeline Protection tab on the Project Administration Builds page. You can also use glob patterns to impose restrictions on any pipeline whose name matches a rule that specifies a pattern. Follow these steps to protect your pipeline:

Note:

Before you apply any protections to a pipeline, you should consider the following:
  • A protection rule defined with a glob pattern will not overrule a pipeline protection defined by using a name (no glob pattern or rule).
  • A protection that is applied to a single pipeline will override a protection applied by using a rule (defined by a glob pattern).
  • When two rules are combined, the protection is determined by the most restrictive rule. You need to look at the events in the Activities feed and examine the notifications, which provide the information explaining the restrictions when one rule overrides another.
  • A pipeline will not be created if the user that is creating the pipeline wouldn't be able to access their own pipeline. The same principle is true for renaming pipelines.
  1. In the left navigator, click Project Administration.
  2. Select the Builds tile.
  3. Select the Pipeline Protection tab.

    The Pipeline Protection page is displayed.


    [Illustration: pipeline-prot-page-initial.png]

  4. In the Find rules by panel, located above the pipelines/rules list, select one of these radio buttons:
    • Select Pipeline name to choose a pipeline from the list.

      If your project has many pipelines, you may have difficulty finding the specific pipeline you want to protect. Use the Filter pipeline search bar to quickly locate the pipeline to which you want to add the restricted settings.

      If a pipeline in the list of pipelines to the left has a lock icon next to it, it has already been protected. A protected pipeline's restrictions can still be modified or removed, and the list of authorized users and groups can still be changed.

      The Protection Settings dialog box is displayed.


      [Illustration: pipeline-protection-default-setting.png]

      When a pipeline is not directly protected but is protected by a rule instead, an informational message like the following one shows the rules that protect the specific pipeline:
      This pipeline is restricted by the following glob pattern rules matching this pipeline name: <rule-name>
    • Select Glob pattern to specify a string that is matched against the pipeline name.

      This is what you'd see if no rules have been defined yet.


      [Illustration: pipeline-protection-filter-glob-selected-no-rules.png]

      The glob syntax can be used to specify pattern-matching behavior. These wildcard characters can be used in glob patterns: *, **, ?, [], {}, and \.

      Either select an existing protection rule from the list or click + Rule to display the New Protection Rule dialog and create a new one.

      The Protection Rule dialog box is displayed.


      [Illustration: protection-rule-dialog-populated.png]

      Here we've entered a name (Test Rule) and a glob pattern (test*) and we're about to press Create to create a new pipeline protection rule.

  5. Select the RESTRICTED option.

    This is what you see after selecting the Restricted option for a pipeline.


    [Illustration: pipeline-protection-edit-restricted-setting.png]

    With this setting, only authorized users and groups will be allowed to edit the pipeline configuration.

    This is what you see after selecting the Restricted option for a protection rule.


    [Illustration: protection-rule-dialog-restricted-selected.png]

  6. Click in the Authorized Users/Groups field to display a dialog that lists the project's Users and Groups you can select from.

    Under Users, you can see a flattened list of all users that are members of the group(s) as well as ones that were added individually. For example, the dev-group members (Clara Coder, Don Developer, and Tina Testsuite) appear in the Users list, along with Alex Admin, who was added individually. From the list, select one or more groups and/or users. Don't forget to add yourself.


    [Illustration: authorized-groups-and-users.png]

    Note:

    Users in Oracle Cloud Application environments that have multiple VB Studio instances in different identity stripes have username strings that include the environment name, where that user has been defined. Since a unique user may have been defined for multiple environments, this format ensures that one identity can be distinguished from that user's other unique identities. This should help you select the correct user to add.

    This is what you would see for the myExt-Package_and_Deploy pipeline after Alex Admin was selected as an authorized user.


    [Illustration: pipeline-protection-authorized-users.png]

    This is what you'd see for the Test Rule protection rule after Alex Admin was selected as an authorized user.


    [Illustration: protection-rule-dialog-authorized-user.png]

  7. Select the Allow any member of the project to manually start this pipeline checkbox to leave the restriction for editing the pipeline by authorized users and groups in place but lift the restriction on who can manually start the pipeline.

    This is what you'd see after selecting the Allow any member of the project to manually start this pipeline check box for the myExt-Package_and_Deploy pipeline.


    [Illustration: pipeline-protection-checkbox-checked.png]

    This is what you'd see after selecting the Allow any member of the project to manually start this pipeline check box for the Test Rule protection rule.


    [Illustration: protection-rule-dialog-allow-check-box-checked.png]

    If you select this check box, any project member with sufficient privileges can start the pipeline manually, even if they haven't been specified as an authorized user and aren't a member of a group that has been authorized. This effectively cancels any previous restriction for starting or running the pipeline manually.

  8. Click Save.
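
To preview which pipelines a glob rule from step 4 would cover before you save it, the following added example (not VB Studio code) translates the listed wildcards into a regular expression and reports, per pipeline name, whether it is protected directly or by matching rules. The wildcard semantics (Java-style glob), the Deploy Rule, and every pipeline name other than myExt-Package_and_Deploy are assumptions made for illustration.

```python
import re

def glob_to_regex(pattern):
    """Compile a glob (*, **, ?, [], {}, \\) to a regex. Assumed: * and ? stop at '/', ** does not."""
    out, i, depth = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        i += 1
        if c == "\\" and i < len(pattern):       # backslash makes the next char literal
            out.append(re.escape(pattern[i]))
            i += 1
        elif c == "*" and pattern[i:i + 1] == "*":
            out.append(".*")
            i += 1
        elif c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":                            # character class, copied through
            end = pattern.find("]", i + 1)
            if end == -1:
                raise ValueError("unclosed [ in " + repr(pattern))
            out.append("[" + pattern[i:end].replace("\\", "\\\\") + "]")
            i = end + 1
        elif c == "{":                            # {a,b} becomes an alternation
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
    if depth:
        raise ValueError("unclosed { in " + repr(pattern))
    return re.compile("".join(out))

def protection_sources(pipelines, directly_protected, rules):
    """Per pipeline: ['direct'] if protected by name, else matching rule names ([] = none)."""
    compiled = [(name, glob_to_regex(glob)) for name, glob in rules.items()]
    return {p: ["direct"] if p in directly_protected
            else [n for n, rx in compiled if rx.fullmatch(p)]
            for p in pipelines}

# Constructed sample data; only "Test Rule"/test* and myExt-Package_and_Deploy are from the page.
RULES = {"Test Rule": "test*", "Deploy Rule": "{prod,stage}-deploy-?"}
PIPELINES = ["test-unit", "test", "nightly-test", "prod-deploy-1", "stage-deploy-10", "myExt-Package_and_Deploy"]
REPORT = protection_sources(PIPELINES, {"myExt-Package_and_Deploy"}, RULES)
```

Pipelines that map to an empty list, such as nightly-test and stage-deploy-10 in the sample, fall outside every rule and stay editable by any project member until a rule or a direct protection covers them.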

When a pipeline is protected, the Pipeline Details page doesn't show the Configure and Delete buttons to unauthorized users, and the Configure Pipeline option in the Actions menu on the Pipelines page isn't available. However, an unauthorized user could still inadvertently access a protected pipeline, perhaps by using a bookmarked URL that was saved before the user lost access, and this is what they'll see:
[Illustration: pipeline-protection-error.png]

The lock icon in the Private column in the list of pipelines on the Pipelines page identifies protected pipelines.

The project's activity feed shows all edit-restricting activities, thereby providing a historical record showing how the pipeline was protected. The pipeline log also records these protective activities and provides a historical accounting that can be referred to later, if needed.

Tip:

Protecting the pipeline prevents unauthorized users from editing the configuration but it does not prevent anyone from running the pipeline. The only way to limit that is to protect the initial job (the one that follows the Start node) by changing its Job Protection Settings to Private. That way, if the job is triggered in a pipeline by an unauthorized user or group, it won't be initiated. By default, the Job Protection settings don't allow commits and triggers to start a private job. You may, however, click the Allow commits and triggers to start this private job button to allow the job to be initiated if it is triggered by an SCM commit or by a timer.

See Configure Job Protection Settings for more information.