Permissions required for DevOps tools
Permissions required in your third-party tool to connect to DevOps Change Velocity.
Azure DevOps permissions
- When onboarding a Project, the Project Administrators privilege requires the owner of the PAT to be a member of the project's Project Administrators group.
- When onboarding an Organization, the Project Administrators privilege requires the owner of the PAT to be a member of the organization's Project Collection Administrators group.
| Object | Permissions required | Impact |
|---|---|---|
| Work Items | Read | Required to discover the boards and receive the work items either through import, polling, or real time with a configured webhook. |
| Code | Read | Required to discover repositories and receive branches, commits, and tags either through import, polling, or real time with a configured webhook. |
| Build | Read and execute | Read: Required to discover the build pipelines and receive pipeline execution details like stages, artifacts, test results, code security results, and so on, either through import, polling, or real time with a configured webhook. Execute: Required to pause or resume the pipelines based on the change control step. |
| Release | Read, write, and execute | Read: Required to discover the release pipelines and receive pipeline execution details like stages, artifacts, test results, code security results, and so on, either through import, polling, or real time with a configured webhook. Write and execute: Required to pause or resume the pipelines based on the change control step. |
| Test Management | Read | Required to receive test results for pipeline execution. |
| Service Connections | Read, query, and manage | Required to create service connections automatically; these are used to configure ServiceNow tasks like change acceleration, artifact and package registration, and so on. |
| Packaging | Read | Required to discover the artifact repositories and receive the feeds and packages either through import, polling, or real time with a configured webhook. |
| Permissions | Project Administrators | Required to create webhooks automatically to receive data in real time, and to create service connections automatically; these are used to configure ServiceNow tasks like change acceleration, artifact and package registration, and so on. |
Limitation of Azure DevOps
- If you create an Azure DevOps tool with a custom-defined access level and later reconfigure that tool because your integration user credentials changed, the existing service hooks for the release created and release deployment events are not updated. Instead, two new service hooks are created with the new configuration details, leaving the old ones in place. To avoid duplicating these service hooks, create the tool with the full access level.
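A check for the duplication described above, added here as an example and not part of ServiceNow's or Azure DevOps' own tooling: it groups a service hook subscription listing by event type, project and target URL and reports every group that contains more than one subscription, so the stale copies can be identified and removed. The subscription fields it reads (`id`, `eventType`, `publisherInputs.projectId`, `consumerInputs.url`) and the `api-version` value are assumed to match the Service Hooks subscriptions REST API; the sample listing, its ids, URLs, project id and event type strings, and the `fetch_subscriptions` helper are constructed for the example and should be confirmed against your own organization's listing.

```python
"""Detect duplicate Azure DevOps service hook subscriptions.

After a custom-access tool is reconfigured, the old release hooks stay in
place and two new ones are added for the same target URL. Listing the
organization's subscriptions and grouping them by event type, project and
target URL makes the stale copies visible so they can be removed.
"""
import base64
import json
import urllib.request
from collections import defaultdict


def subscription_key(sub):
    """Identity of a hook for duplicate detection: same event, same project,
    same consumer URL. Field names are assumed to match the subscriptions API."""
    return (
        sub.get("eventType"),
        sub.get("publisherInputs", {}).get("projectId"),
        sub.get("consumerInputs", {}).get("url"),
    )


def duplicate_subscriptions(listing):
    """Return {key: [subscription ids]} for every key with more than one subscription."""
    groups = defaultdict(list)
    for sub in listing.get("value", []):
        groups[subscription_key(sub)].append(sub.get("id"))
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def fetch_subscriptions(organization, pat, api_version="7.1"):
    """Network call (not exercised offline): list the organization's hook subscriptions.
    Azure DevOps accepts a PAT as the password of HTTP Basic auth with an empty user."""
    url = f"https://dev.azure.com/{organization}/_apis/hooks/subscriptions?api-version={api_version}"
    token = base64.b64encode(f":{pat}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample listing: ids, project id, URLs and event type names are
# illustrative, not captured from a real organization.
RELEASE_URL = "https://instance.example/devops-webhook/release"
SAMPLE_LISTING = {
    "count": 5,
    "value": [
        {"id": "hook-old-1", "eventType": "ms.vss-release.release-created-event",
         "publisherInputs": {"projectId": "proj-a"}, "consumerInputs": {"url": RELEASE_URL}},
        {"id": "hook-old-2", "eventType": "ms.vss-release.deployment-completed-event",
         "publisherInputs": {"projectId": "proj-a"}, "consumerInputs": {"url": RELEASE_URL}},
        {"id": "hook-new-1", "eventType": "ms.vss-release.release-created-event",
         "publisherInputs": {"projectId": "proj-a"}, "consumerInputs": {"url": RELEASE_URL}},
        {"id": "hook-new-2", "eventType": "ms.vss-release.deployment-completed-event",
         "publisherInputs": {"projectId": "proj-a"}, "consumerInputs": {"url": RELEASE_URL}},
        {"id": "hook-build", "eventType": "build.complete",
         "publisherInputs": {"projectId": "proj-a"},
         "consumerInputs": {"url": "https://instance.example/devops-webhook/build"}},
    ],
}

if __name__ == "__main__":
    for (event, project, url), ids in duplicate_subscriptions(SAMPLE_LISTING).items():
        print(f"{event} in {project} -> {url}: {len(ids)} subscriptions {ids}")
```

Run it against the output of `fetch_subscriptions` for a live organization; each reported group should contain exactly one subscription after cleanup, and the build hook (a single entry) is correctly left out of the report.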
Bitbucket permissions
| Object | Permissions required | Impact |
|---|---|---|
| Account | Read | Required to discover repos and fetch branches, commit, pull requests, and tags either through import, polling, or configured webhook. |
| Projects | Read | Required to discover repos and fetch branches, commit, pull requests, and tags either through import, polling, or configured webhook. |
| Webhooks | Read and write | Required to create and manage webhooks automatically so that repo data is received in real time. |
| Pull requests | Read | Required to fetch pull request details either through import, polling, or configured webhook. |
GitHub permissions
The following table lists the GitHub token scopes required for basic authentication. Object is the scope group as shown when you create the token; Permissions required is the specific scope.
| Object | Permissions required | Impact |
|---|---|---|
| repo | repo | Required to discover repositories and their respective workflows and receive branches, commits, pull requests, and tags either through import, polling, or real-time with a configured webhook. |
| admin:repo_hook | write:repo_hook | Required to create webhooks automatically to receive repo data in real time. |
| admin:repo_hook | read:repo_hook | Required to lookup already existing webhooks before any new webhook is automatically created to receive repo data in real time. |
| user | user:email | Required to discover pull requests actors like approvers, raised by, merged by, reviewers, and assignees either through import, polling, or real time with a configured webhook. |
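One way to verify that a token actually carries these scopes before onboarding the tool, written for this page as an added example rather than code from ServiceNow or GitHub: GitHub reports a classic token's granted scopes in the `X-OAuth-Scopes` header of any authenticated API response, and broader scopes imply narrower ones (`admin:repo_hook` covers `write:repo_hook` and `read:repo_hook`; `user` covers `user:email`), so a plain string comparison would wrongly reject a sufficient token. The checker below expands implied scopes before comparing, and also reports scopes the integration token carries that none of the required scopes need, for a least-privilege review. The function names, the sample header values and the `scope-check` user agent are assumptions made for the example.

```python
"""Check a GitHub classic token's scopes against the set this page lists.

GitHub returns the granted scopes of a classic token in the X-OAuth-Scopes
header. Because broader scopes imply narrower ones, the check expands
implied scopes before comparing with the required set.
"""
import urllib.request

# Scopes DevOps Change Velocity needs for GitHub basic (token) authentication,
# taken from the table above.
REQUIRED_SCOPES = {"repo", "write:repo_hook", "read:repo_hook", "user:email"}

# Parent scope -> scopes it implies (GitHub documents these hierarchies).
IMPLIED_SCOPES = {
    "repo": {"repo:status", "repo_deployment", "public_repo", "repo:invite", "security_events"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "user": {"read:user", "user:email", "user:follow"},
}


def parse_scopes(header_value):
    """Turn the comma-separated X-OAuth-Scopes header value into a set of scopes."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def expand_scopes(scopes):
    """Add every scope implied, transitively, by a broader scope that is present."""
    expanded = set(scopes)
    pending = list(scopes)
    while pending:
        scope = pending.pop()
        for child in IMPLIED_SCOPES.get(scope, ()):
            if child not in expanded:
                expanded.add(child)
                pending.append(child)
    return expanded


def missing_scopes(header_value, required=REQUIRED_SCOPES):
    """Required scopes the token lacks, after expanding implied scopes (sorted list)."""
    granted = expand_scopes(parse_scopes(header_value))
    return sorted(required - granted)


def excess_scopes(header_value, required=REQUIRED_SCOPES):
    """Granted scopes that neither are required nor imply a required scope.
    Anything listed here is more privilege than the integration needs."""
    granted = parse_scopes(header_value)
    acceptable = set(required) | {
        parent for parent, children in IMPLIED_SCOPES.items() if children & required
    }
    return sorted(granted - acceptable)


def fetch_granted_scopes(token, api="https://api.github.com"):
    """Network call (not exercised offline): read X-OAuth-Scopes for a live token.
    GitHub requires a User-Agent header; 'scope-check' is an arbitrary value."""
    req = urllib.request.Request(
        f"{api}/user",
        headers={"Authorization": f"token {token}", "User-Agent": "scope-check"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.headers.get("X-OAuth-Scopes", "")


# Constructed sample header values, not captured from a real account.
SAMPLE_OK = "repo, admin:repo_hook, user:email"
SAMPLE_SHORT = "public_repo, read:repo_hook, user:email"
SAMPLE_BROAD = "repo, admin:org, admin:repo_hook, user"

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_SHORT, SAMPLE_BROAD):
        print(f"{sample!r}: missing={missing_scopes(sample)} excess={excess_scopes(sample)}")
```

A token that passes with an empty `missing` list and an empty `excess` list is exactly what the table asks for; `admin:repo_hook` counts as acceptable because it is the only way the token page grants both hook scopes together.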
The following table lists the GitHub permissions required for OAuth 2.0 authentication.
| Object | Permissions required | Impact |
|---|---|---|
| Actions | Read-only | Required to receive workflows associated with the respective repos in real time with a configured webhook. |
| Contents | Read-only | Required to discover repositories and their respective workflows and receive branches, commits, and tags either through import, polling, or real time with a configured webhook. |
| Deployments | Read and write | Required to resume a workflow whose environment holds the ServiceNow change as an environment secret. |
| Environments | Read-only | Required to look up existing environment secrets for change creation. |
| Metadata | Read-only | Required to discover repositories and their respective workflows. |
| Secrets | Read-only | Required to read environment secrets (to create the change). |
| Webhooks | Read and write | Required to create webhooks automatically to receive repo data in real time. Note: Both read and write are required to configure webhooks from ServiceNow. |
| Pull requests | Read-only | Required to discover pull requests and receive related details like pull request ID, commits, raised by, approvers, comments, reviewers, and so on, either through import, polling, or real time with a configured webhook. |
| Checks | Read-only | Required to process workflow events associated with private repositories. |
GitLab permissions
| Object | Permissions required | Impact |
|---|---|---|
| api | Read and write | Required to discover plans, repos, and pipelines and to receive branches, commits, tags, work items, and pipeline execution details (like stages, artifacts, test results, and code security results) either through import, polling, or real time with a configured webhook. Also required to pause or resume the pipelines based on the change control step. |
Jenkins permissions
| Object | Permissions required | Impact |
|---|---|---|
| Overall | Read | Required to discover the pipelines and receive pipeline execution details like jobs or stages, artifacts, test results, code security results, and so on, either through import, polling, or real time with the ServiceNow DevOps Jenkins plugin. |
| Job | Read | Required to discover the pipelines and receive pipeline execution details like jobs or stages, artifacts, test results, code security results, and so on, either through import, polling, or real time with the ServiceNow DevOps Jenkins plugin. |
JFrog permissions
| Object | Permissions required | Impact |
|---|---|---|
| Roles | Administer Platform | Required to access artifact details like artifact name, artifact repo, and artifact version. |
Jira permissions
| Object | Permissions required | Impact |
|---|---|---|
| Groups | jira-software-users | Required to discover plans and fetch features, stories, and so on, either through import, polling, or configured webhook. |
| Permissions | Jira Administrators | Required to create webhooks automatically for fetching features and stories in real time. |