How can I prevent users from aborting a Pipeline Input Step using RBAC?

Issue

  • When I use a Pipeline Input Step, I can define the users that can submit the “Proceed” message, but any user can abort the pipeline by clicking on “Abort” Button.
  • Is there an option or a way to prevent selected users from cancelling these jobs?

Environment

Resolution

There is a simple way to prevent that from happening, and that is by removing the Cancel permission for a user or a group of users from a given Job.

Nevertheless, we will detail some steps that you can use to have more control on the way that this “removal” takes place.

In an Input Step once that the buttons appears and can be clicked, the only way to prevent that any user can cancel the job is by removing the permission for those users on that job or within that folder.

In order to have that done, there is a basic approach which consists on creating two roles for the users.

  1. An Executor role, which holds the main permissions related to a job.
    01-executor.png

  2. Another role that we have called users that will only had permissions on Job Read, Overall Read, Job Discovery and Job/Workspace.
    02-users.png

  3. Once that you have done that, you can set a group of users or a user to belong to both roles. This way the user will have all the required permissions over jobs.
    03-group.png

The key point here is that, in order to prevent a user to be able to abort the input step, we can filter for that job the Executor role. This will leave users without the required permission to be able to abort the job, the Job/Cancel permission.
04-filtering.png

This way even if the user is able to access to the input link, if the user tries to abort the build:
05-input.png

Will get the error below:
06-error.png

You can filter the role even at job level, if you need to restrict the permissions with the maximum granularity.

References

Have more questions? Submit a request

1 Comments

  • 0
    Avatar
    Ghtimothy Ghtimothy

    I did not find this helpful because there are are other valid ways of aborting the job such as hitting the little red X. Typically the users should be able to abort the job and the method described here prevents the users from terminating the job outside of the user input section.

    I consider the abort button on the user input is "click bait". I've seen multiple occasions (typically on a long, complex pipeline) where users have mis-clicked the abort button instead of the submit button. 

    When I've searched for this solution and it's typically in the context of "How do I remove the abort button from user input"

Please sign in to leave a comment.