
User Role Management

Available from Travis CI Enterprise 3.1.0

Travis CI introduces the new User Role Management feature to increase security and functionality. This feature offers more granular access control with stricter access rights management, while continuing to protect vital information that may be present in the CI/CD build job logs.

This feature allows Travis CI administrators to limit user privileges to the minimum functionality necessary to work (on an as-needed basis) and to protect particular build job logs.

Enable User Role Management

From the Travis CI Enterprise admin console, open the Config menu, expand the Advanced Settings menu on the left, and click the Users Roles Management option.

Member Management menu

To enable the setting, select the Enabled option and save the settings.

Member Management option

Travis CI Roles

New Travis CI Users are created via the “sign-in with…” functionality, linking a third-party application (GitHub, Assembla, BitBucket, or GitLab) to Travis CI. See the Onboarding guide for more information.

In Travis CI, user roles determine access to repository and account functionality. The following are the different types of user roles:

  • Admin:
    • Repository: manages repository settings, triggers builds, and can utilize various functions around builds.
    • Account: able to activate repositories in Travis CI and billing.
  • Push (Write) User:
    • Repository: triggers builds and can utilize various functions around builds.
    • Account: able to request repository activation in Travis CI.
  • Pull (Read) User:
    • Repository: cannot trigger builds and has limited functionality around builds
    • Account: able to request repository activation in Travis CI
  • Owner: an owner is an admin user for the owned Repository and accounts. An owner can be a user or an organization.

This feature lets admin users manage regular users as they see fit. Regular users must still log in using a version control system (VCS). The User Management functionality therefore allows admin users to specify the roles of regular users who have access to Travis CI.

Member Management Tab

The Member Management tab presents a list of users with their respective roles.

Travis CI admin users are presented with a list of users and can change or assign the roles of regular users. Admin users can use the “Sync org” or “Sync users” option to update the list of users.

The following are the available fields where each user can be associated with several roles.

  • Name: displays the user’s name.
  • Login: displays the login email for the user.
  • Old Role: displays the previous authorization permissions for the selected user.
  • New Role: Shows the role or number of roles assigned to the selected user. Allows admin users to choose or change the role or roles for the selected user.
    • All: Enables all four options.
    • Admin: Has all account and repository permissions.
    • Account Settings Editor: Access to create and edit account settings.
    • Account Settings Admin: Unlimited access to manage the account and can manage account plans, billings, and contacts.
    • Account Plan Viewer: Can invoice, use, and view the account plans.
  • Can Build: Check the checkbox to authorize the selected user to build.

Member Management Tab

User Management Tab

The User Management tab lists the users who have access to the repository, and Travis CI admin users can assign repository connection roles.

The following are the available fields where each user can be associated with several roles.

  • Name: displays the user’s name.
  • Login: displays the login email for the user.
  • New Role: Shows the role or number of roles assigned to the selected user. Allows admin users to choose or change the role or roles for the selected user.

User Management Tab

The available roles and their current permissions are shown in the table below:

| Role | Permissions (Technical) | Permission Description |
| --- | --- | --- |
| Repository.Settings.Editor | repository.settings.create, repository.settings.update, repository.settings.delete | Can fully manage the repository settings |
| Repository.Settings.Viewer | repository.settings.read | Can read the repository settings |
| Repository.Builds.Restarter | repository.build.restart | Can restart the repository builds |
| Repository.Builds.Triggerer | repository.build.create, repository.build.cancel | Can create and cancel the repository builds |
| Repository.Builds.Cancel | repository.build.cancel | Can cancel the repository builds |
| Repository.Logs.Viewer | repository.log.view | Can view the repository logs |
| Repository.Logs.Admin | repository.log.delete, repository.log.view | Can delete and view the repository logs |
| Repository.Builds.Debugger | repository.build.debug | Can debug the repository builds |
| Repository.Cache.Editor | repository.cache.delete, repository.cache.view | Can delete and view the repository caches |
| Repository.Cache.Viewer | repository.cache.view | Can view the repository caches |
| Repository.Collaborator | repository.build.create, repository.build.cancel, repository.build.restart, repository.log.delete, repository.log.view, repository.build.debug, repository.cache.view | Can fully manage builds and logs. Can view the repository caches |
| Repository.Admin | repository.settings.create, repository.settings.update, repository.settings.delete, repository.build.create, repository.build.cancel, repository.build.restart, repository.log.delete, repository.log.view, repository.build.debug, repository.cache.delete, repository.cache.view, repository.cache.view | Has unlimited access to manage the repository. Can fully manage repositories and builds, logs, and caches. |
| Repository.Reader | repository.log.view, repository.cache.view | Can view the repository logs and caches |
| Account.Settings.Editor | accounts.settings.edit, account.settings.create | Can create and edit accounts settings |
| Account.Settings.Admin | account.settings.delete, accounts.settings.edit, account.settings.create, account.plan.create, account.plan.invoices, account.plan.usage, account.billing.view, account.contact.view, account.billing.update, account.contact.update | Has unlimited access to manage the account. Can fully manage account plans, billings, and contacts |
| Account.Plan.Viewer | account.plan.invoices, account.plan.usage, account.plan.view | Can create invoices, usage, and view the account plans |
| Account.Plan.Editor | account.plan.create, account.plan.invoices, account.plan.usage | Can fully manage the account plans |
| Account.Billing.Editor | account.billing.view, account.contact.view, account.billing.update, account.contact.update | Can view and update the account billings and contacts |
| Account.Billing.Viewer | account.billing.view, account.contact.view | Can view the account billings and contacts |
| Account.Admin | all perms (including Repository object permissions) | Has all the account and the repository permissions |

Travis Admin and extended VCS synchronization logic

All Travis CI Admin users can access the additional Repository and Account (personal or organizational) settings screen, where they can configure the new roles and permissions assigned to a single user, either at the Account or the Repository level.

The new permission system implemented in Travis CI updates the modified roles and permissions after every synchronization with the version control system (VCS). The goal of the new permission system is to keep single users’ roles and permissions up to date with any modifications made by Admin users who have access to these settings.

The process for the new permission system is as follows:

  1. Synchronization with a version control system. Occurs daily or on-demand.
  2. The new system’s mapping assigns a correct Travis CI role according to the existing role from the VCS provider.
  3. The new roles and permission system records new roles and permission updates in the database and checks for any modification to user settings.
  4. The new roles and permission system assigns each existing system user the default set of settings (roles and permissions) obtained from the VCS access rights during the VCS synchronization.
  5. The new roles and permissions service creates or updates the new roles and permissions.

Note: If errors occur, unprocessed requests are queued to retry sync with VCS, and error logs are recorded.

Note: Suspending or unsuspending a user’s repository access removes the user’s build-triggering access and assigns the respective Repository Reader role.

Note: Suspending or unsuspending a user’s account access removes the user from all Admin and editing roles and allows the user to be only a Plan Viewer and Billing Viewer.

When existing Travis CI users log in, the user’s current membership and permissions are checked against the new permissions service to detect any role or permission modifications.

The following table displays the action executed for each specific modification of settings for user accounts and repositories.

| Permission Modifications | Action executed |
| --- | --- |
| User permissions creation | The new permission service creates the user and adds the new permissions. |
| User permissions were not modified | The new permission service does not modify permissions. |
| User permissions are extended | The new permission service updates the permissions to match permissions received from version control system synchronization. |
| User permissions are restricted | The new permissions service |
| User access is removed from Repository | All TCI roles and permissions for user repository access are removed. If the removed user has a personal account and invites collaborators to their personal repositories, Travis CI directly maps the collaborators’ access rights to the owners’ Travis CI Repository. |
| User access is removed from Account | All TCI Roles and permissions, in the context of the users’ Travis CI account, are removed. |

Roles and Permissions

The following tables display the new roles and permissions for repositories and accounts.

Roles

| Previous Repository Roles | New Roles | Permissions |
| --- | --- | --- |
| admin user | Repository.Settings.Editor | repository.settings.create, repository.settings.update, repository.settings.delete, repository.settings.read |
| admin user | Repository.Settings.Viewer | repository.settings.read |
| admin user, push user | Repository.Builds.Restarter | repository.build.restart |
| admin user, push user | Repository.Builds.Triggerer | repository.build.create, repository.build.cancel |
| admin user, push user | Repository.Builds.Cancel | repository.build.cancel |
| admin user, push user, pull user, anonymous (for public repos) | Repository.Logs.Viewer | repository.log.view |
| admin user | Repository.Logs.Admin | repository.log.delete, repository.log.view |
| admin user, push user | Repository.Builds.Debugger | repository.build.debug |
| admin user | Repository.Cache.Editor | repository.cache.delete, repository.cache.view |
| admin user, push user, pull user | Repository.Cache.Viewer | repository.cache.view |
| push user | Repository.Collaborator | repository.build.create, repository.build.cancel, repository.build.restart, repository.log.delete, repository.log.view, repository.build.debug, repository.cache.view |
| admin user | Repository.Admin | repository.settings.create, repository.settings.update, repository.settings.delete, repository.build.create, repository.build.cancel, repository.build.restart, repository.log.delete, repository.log.view, repository.build.debug, repository.cache.delete, repository.cache.view, repository.cache.view, repository.scan.view |
| pull user | Repository.Reader | repository.log.view, repository.cache.view, repository.build.restart |
| pull user | Repository.State.Editor | repository.state.update |

Accounts

| Previous Account Roles | New Roles | Permissions |
| --- | --- | --- |
| admin | Account.Settings.Editor | account.settings.edit, account.settings.create |
| admin | Account.Settings.Admin | account.settings.delete, accounts.settings.edit, account.settings.create, account.plan.create, account.plan.invoices, account.plan.usage, account.billing.view, account.billing.update, account.contact.view, account.contact.update |
| admin, push user | Account.Plan.Viewer | account.plan.invoices, account.plan.usage, account.plan.view |
| admin | Account.Plan.Editor | account.plan.create, account.plan.invoices, account.plan.usage |
| admin | Account.Billing.Editor | account.billing.view, account.contact.view, account.billing.update, account.contact.update |
| admin, push user | Account.Billing.Viewer | account.billing.view, account.contact.view |
| admin | Account.Admin | all permissions (including both Account and Repository object permissions) |

The following tables show the Travis CI roles and permissions corresponding to those taken from each version control system.

GitHub

The following table displays GitHub repository roles.

| GitHub Role | Travis CI Role |
| --- | --- |
| Admin | admin user |
| Read | pull user |
| Triage | pull user |
| Write | push user |
| Maintain | push user |
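
The sync mapping and the permission-modification table above can be combined into a small audit, given here as an added example that is not Travis CI's own code: it derives the default permissions for non-admin GitHub repository roles from this page's tables and reports which users gain log or debug access at the next sync. Reading "extended" and "restricted" as a strict superset or subset of the stored permissions, the SENSITIVE set, and all function names are assumptions.

```python
# Added example, not Travis CI code. Rows are copied from this page's tables with
# the "Repository."/"repository." prefixes dropped; admin-only rows are omitted,
# so only non-admin GitHub repository roles are modelled. Names are hypothetical.
PULL, PUSH = "pull user", "push user"
GITHUB_TO_PREVIOUS = {"Read": PULL, "Triage": PULL, "Write": PUSH, "Maintain": PUSH}
NEW_ROLES = {  # new role -> (previous roles mapped to it, permissions granted)
    "Builds.Restarter": ({PUSH}, {"build.restart"}),
    "Builds.Triggerer": ({PUSH}, {"build.create", "build.cancel"}),
    "Builds.Cancel": ({PUSH}, {"build.cancel"}),
    "Logs.Viewer": ({PUSH, PULL}, {"log.view"}),
    "Builds.Debugger": ({PUSH}, {"build.debug"}),
    "Cache.Viewer": ({PUSH, PULL}, {"cache.view"}),
    "Collaborator": ({PUSH}, {"build.create", "build.cancel", "build.restart",
                              "log.delete", "log.view", "build.debug", "cache.view"}),
    "Reader": ({PULL}, {"log.view", "cache.view", "build.restart"}),
    "State.Editor": ({PULL}, {"state.update"}),
}
SENSITIVE = {"log.view", "log.delete", "build.debug"}  # assumed audit policy

def default_permissions(github_role):
    """Union of the permissions a VCS sync would assign for this GitHub role."""
    previous = GITHUB_TO_PREVIOUS[github_role]
    return set().union(*(perms for holders, perms in NEW_ROLES.values()
                         if previous in holders))

def classify(stored, synced):
    """Name the matching 'Permission Modifications' row; None = no record/access."""
    if synced is None:
        return "access removed"
    if stored is None:
        return "creation"
    if stored == synced:
        return "not modified"
    if stored < synced:
        return "extended"
    if synced < stored:
        return "restricted"
    return "mixed"  # gains and losses at once: not a row on this page

def audit(users):
    """users: login -> (GitHub role or None, stored permissions or None)."""
    report = []
    for login, (role, stored) in sorted(users.items()):
        synced = default_permissions(role) if role else None
        gained = ((synced or set()) - (stored or set())) & SENSITIVE
        report.append((login, classify(stored, synced), sorted(gained)))
    return report

print(audit({"alice": ("Write", {"log.view"})}))  # constructed sample user
```

Per these tables, a push user receives repository.log.delete through Repository.Collaborator, and a pull user receives repository.build.restart through Repository.Reader, so both are worth reviewing when the goal is to restrict build log access.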

The following table displays GitHub organization roles.

| GitHub Role | Travis CI Role |
| --- | --- |
| Owner | admin user |
| Member | push user |
| Moderator | push user |
| Billing Manager |  |
| Security Manager | push user |

Assembla

| Assembla Role | Travis CI Role |
| --- | --- |
| Owner | admin user |
| Member | push user |
| Watcher | read user |

GitLab

| GitLab Role | Travis CI Role |
| --- | --- |
| Owner | admin user |
| Maintainer | admin user |
| Developer | push user |
| Reporter | pull user |
| Guest | pull user |

Bitbucket

| Bitbucket Role | Travis CI Role |
| --- | --- |
| Admin | admin user |
| Read | pull user |
| Write | push user |

Contact Enterprise Support

To get in touch with us, please write a message to enterprise@travis-ci.com. If possible, please include as much of the following as you can:

  • Description of the problem - what are you observing?
  • Which steps did you try already?
  • A support bundle (see table below on how to obtain it)
  • Log files from all workers (They can be found at /var/log/upstart/travis-worker.log - please include as many as you can retrieve).
  • If a build failed or errored, a text file of the build log

| TCI Enterprise version | Support bundle |
| --- | --- |
| 3.x | Run kubectl kots admin-console -n [namespace] to access the admin console on http://localhost:8800. Support bundle generation instructions are available in the ‘troubleshoot’ menu or directly at http://localhost:8800/app/tci-enterprise-kots/troubleshoot. A command for generating a support bundle will appear after selecting: “If you'd prefer, click here to get a command to manually generate a support bundle.” |
| 2.x+ | You can get it from https://<your-travis-ci-enterprise-domain>:8800/support |

Since the announcement in Q3 2020, the most up-to-date version of Travis CI Enterprise is the 3.x line. There are no new releases for version 2.2, and support patches have been limited since March 2021 as well. For existing users of Travis CI 2.x, we strongly recommend upgrading to the latest Travis CI Enterprise 3.x.

Have you made any customizations to your setup? While we may be able to see some information (such as hostname, IaaS provider, and license expiration), there are many other things we cannot see which could lead to something not working. Therefore, we would like to ask you to also answer the questions below in your support request (if applicable):

  • How many machines are you using / what is your Kubernetes cluster setup?
  • Do you use configuration management tools (Chef, Puppet)?
  • Which other services interface with Travis CI Enterprise?
  • Which Version Control system (VCS) do you use together with Travis CI Enterprise (e.g. github.com, GitHub Enterprise, or BitBucket Cloud)?
  • If you are using GitHub Enterprise, which version of it?

We are looking forward to helping!