With the release of our Roles and Permissions feature, we gave our customers the ability to add granular controls over who can do what on our platform. One of the limitations however, was that certain items in the system were global, such as webhooks and secrets. This restriction meant that in high security environments, only administrators could manage these resources lest any secrets be exposed to the masses. We want to enable teams do contract testing at scale, and to achieve this we envision a level of autonomy where teams are able to self-administer rather than rely on a few global admins that may be a bottleneck to productivity.
Today we'd like to announce the release of a change in this direction - team scoped Webhooks and Secrets.
How it works: the
Previously, these resources were implicitly created with a global scope - meaning any webhook could use any secret. This ability is maintained for administrators, where non-team resources can be created but with one minor caveat - they may only reference other non-team resources. That is, non-team webhooks may not reference a team scoped secret.
Users without these permissions must create or use a resource scoped to a team they are a member of. Extending our existing model, we have added the
* scopes to the
webhook:manage permissions to narrow how they may be used.
When creating or updating a secret, users with the
secret:manage:team permission (by default, assigned to the
Test Maintainer role) must assign a secret to a team. Team secrets may only be used in webhooks that are assigned to the same team. Users with the
secret:manage:* permission (by default, assigned to the
Administrator role) may choose not to assign a secret to any team. Secrets without a team assigned may only be used in webhooks that also have no team assigned.
Creating a secret is the same as before, however there is now an option to select a team for the webhook (or none, for a non-team scoped secret). The team list is populated by your current team membership. Administrators are also given the option not to select a team, meaning the secret is a non-team secret.
When creating or editing a webhook, users with the
webhook:manage:team permission (by default, assigned to the
Test Maintainer role) must assign a webhook to a team. Users with the
webhook:manage:* permission (by default, assigned to the
Administrator role) may choose not to assign a webhook to any team. Team selection affects which secrets are available for use in the webhook.
Creating a webhook is similar. The dynamic substitution variables are also updated based on the team that you select.
Lastly, we've added the
system_account:manage:team permission, to allow users to manage System Accounts that belong to their team. Users with this permission are able to create, read, update and delete a System Account associated with their own team.
Users with the
system_account:manage:* may create and manage System Accounts associated with a team, or no team, as per webhooks and secrets.
To avoid confusion and prevent introducing changes that might upset your security teams, the default roles within existing accounts have not had any permissions updated. You may simply update the permissions for existing roles (such as the
Test Maintainer), swapping any
* permission for the
team one. The effect will be to prevent a
Test Maintainer from being able to manage non-team secrets and webhooks.
The built-in roles for new accounts will automatically have the new permissions enabled by default.
We believe this change will both improve our security posture and simplify the way teams setup their CI/CD pipelines with Pactflow, making it easier to administer Pactflow as you scale to dozens or hundreds of teams.
Team scoped permissions are available now on all plans.