Execution Environment Permissions

Note

Execution environment permissions controls are currently in preview, and are off by default. To manage execution environment permissions, you must set EarlyAccess.ExecutionEnvironmentsAccessControl in the Connect configuration file to true. This feature will be enabled by default in a future release of Connect.

[EarlyAccess]
ExecutionEnvironmentsAccessControl = true

Administrators can configure execution environment permissions to control which Publishers can access specific execution environments in Connect. By default, an execution environment has no configured permissions, and is accessible by all Publishers.

Overview

When an execution environment has no configured permissions, all Publishers can use it to build or deploy their content.

Connect enforces access to execution environments with configured permissions as follows:

• Administrators:
  • Always have full access to all execution environments.
  • Do not need to be included on any environment’s permissions list.
  • Can view, use, and manage all environments regardless of permissions.
• Publishers:
  • Must be granted access directly or through a group.
  • Can only view and use environments they have access to.
• Viewers:
  • Viewers are restricted by content permissions and cannot view or select execution environments for any content.

Configuration

Administrators can use the Connect API or the Connect UI to grant or revoke access to execution environments for users and groups.

To configure execution environment permissions in the Connect UI, visit the System>Environments tab. The current permissions for an environment are displayed in the Access Control section of the environment details.

Environment permissions details

To modify permissions for an environment, click the Edit button in the Access Control section. This opens a modal where you can view the current permissions in the Access Control section. Search for users or groups to add them to the Access Control list.

Modifying environment permissions

Permission enforcement

Connect enforces execution environment permissions at a few different points in content lifecycle.

Note that Connect does not enforce changes to execution environment permissions for running content. To ensure that permissions changes take effect, you must stop and restart any running content configured to use the execution environment. Administrators can use a script in the cookbook to automate stopping all running content for a specific execution environment.

When creating or updating content

Content owners and collaborators must have access to an execution environment to configure content to use it. This includes actions such as:

• Using the following API endpoints to set the default_environment_guid for content:
  • POST /v1/content
  • PATCH /v1/content/{guid}
• Selecting an execution environment in the runtime settings for content.

When building or deploying content

• The content owner must have access to the execution environment.
• If the content owner doesn’t have access to the execution environment, the content will fail to build or deploy, even if a collaborator with access initiates it.
• Collaborators do not need access to the execution environment.