User Role Management

Available from Travis CI Enterprise 3.1.0

Travis CI introduces the new User Role Management feature to increase security and functionality. This feature offers more granular access control management, adding more strict access rights management while continuing to protect vital information that may be present in the CI/CD build job logs.

This feature allows Travis CI administrators to execute permission limits on user privileges to the minimum functionality necessary to work (on an as-needed basis) to protect particular build job logs.

Enable User Role Management #

From the Travis CI Enterprise admin console, open the Config menu, expand the Advanced Settings menu on the left and click on the Users Roles Management.

To enable the setting, select the Enabled option and save the settings.

Travis CI Roles #

New Travis CI Users are created via the “sign-in with…” functionality, linking a third-party application (GitHub, Assembla, BitBucket, or GitLab) to Travis CI. See the Onboarding guide for more information.

In Travis CI, user access to Travis CI repositories and accounts functionalities and the following are the different types of user roles:

• Admin:
  • Repository: manages repository settings, triggers builds, and can utilize various functions around builds.
  • Account: able to activate repositories in Travis CI and billing.
• Push (Write) User:
  • Repository: triggers builds and can utilize various functions around builds.
  • Account: able to request repository activation in Travis CI.
• Pull (Read) User:
  • Repository: cannot trigger builds and has limited functionality around builds
  • Account: able to request repository activation in Travis CI
• Owner: an owner is an admin user for the owned Repository and accounts. An owner can be a user or an organization.

This feature authorizes admin users to handle regular users to their liking. Regular users must still log in using a version control system (VCS). Therefore, the User Management functionality allows admin users to identify regular user roles for those with access to Travis CI.

Member Management Tab #

The Member Management tab presents a list of users with their respective roles.

Travis CI admin users are presented with a list of users and have access to change or assign the roles of regular users. Admin users can use the “Sync org” or “Sync users” to update the list of users.

The following are the available fields where each user can be associated with several roles.

• Name: displays the user’s name.
• Login: displays the login email for the user.
• Old Role: displays the previous authorization permissions for the selected user.
• New Role: Shows the role or number of roles assigned to the selected user. Allows admin users to choose or change the role or roles for the selected user.
  • All: Enables all four options.
• Admin: Has all account and repository permissions.
• Account Settings Editor: Access to create and edit account settings.
• Account Settings Admin: Unlimited access to manage the account and can manage account plans, billings, and contacts.
• Account Plan Viewer: Can invoice, use, and view the account plans.
• Can Build: Check the checkbox to authorize the selected user to build.

User Management Tab #

The User Management tab lists the users who have access to the repository, and Travis CI admin users can assign repository connection roles.

The following are the available fields where each user can be associated with several roles.

• Name: displays the user’s name.
• Login: displays the login email for the user.
• New Role: Shows the role or number of roles assigned to the selected user. Allows admin users to choose or change the role or roles for the selected user.

The available roles and their current permissions are shown in the table below:

Travis Admin and extended VCS synchronization logic #

All Travis CI Admin users can access the additional Repository and Account (personal or organizational) settings screen, where they can configure the new roles and permissions assigned to a single user, either at the Account or the Repository level.

The new permission system implemented in Travis CI updates the modified roles and permissions after every synchronization with the version control system (VCS). The goal of the new permission system is to upgrade any modifications made by Admin users with access to these settings to single users’ roles and permissions.

The process for the new permission system is as follows:

1. Synchronization with a version control system. Occurs daily or on-demand.
2. The new systems’ mapping assigns a correct Travis CI role according to the existing role from the VSC provider.
3. The new roles and permission system records new roles and permission updates in the database and checks for any modification to user settings.
4. The new roles and permission system assigns each existing system user the default set of settings (roles and permissions) obtained from the VSC access rights during the VCS synchronization.
5. The new roles and permissions service creates or updates the new roles and permissions.

Note: If errors occur, unprocessed requests are queued to retry sync with VCS, and error logs are registered.

Note: Suspending or unsuspending a user’s repository access removes the user’s build-triggering access and assigns the respective Repository Reader role.

Note: Suspending or unsuspending a user’s account access removes the user from all Admin and editing roles and allows the user to be only a Plan Viewer and Billing Viewer.

When existing Travis CI users log in, the user’s current membership and permissions are checked against the new permissions service to check for any role or permission modifications.

The following table displays the action executed for each specific modification of settings for user accounts and repositories.

Roles and Permissions #

The following tables display the new roles and permissions for repositories and accounts.

Roles #

Accounts #

The following tables show the Travis CI roles and permissions corresponding to those taken from each version control system.

GitHub #

The following table displays GitHub repository roles.

The following table displays GitHub organization roles.

Assembla #

GitLab #

Bitbucket #

Contact Enterprise Support #

To get in touch with us, please write a message to enterprise@travis-ci.com. If possible, please include as much of the following as you can:

• Description of the problem - what are you observing?
• Which steps did you try already?
• A support bundle (see table below on how to obtain it)
• Log files from all workers (They can be found at /var/log/upstart/travis-worker.log - please include as many as you can retrieve).
• If a build failed or errored, a text file of the build log

Since the announcement in Q3 2020, the most up to date version of Travis CI Enterprise is 3.x line. There are not any new releases for version 2.2 and the support patches has been limited since March 2021 as well. For existing users of Travis CI 2.x we strongly recommend upgrading to the latest Travis CI Enterprise 3.x.

Have you made any customizations to your setup? While we may be able to see some information (such as hostname, IaaS provider, and license expiration), there are many other things we cannot see which could lead to something not working. Therefore, we would like to ask you to also answer the questions below in your support request (if applicable):

• How many machines are you using / what is your Kubernetes cluster setup?
• Do you use configuration management tools (Chef, Puppet)?
• Which other services do interface with Travis CI Enterprise?
• Which Version Control system (VCS) do you use together with Travis CI Enterprise (e.g. github.com, GitHub Enterprise, or BitBucket Cloud)?
• If you are using GitHub Enterprise, which version of it?

We are looking forward to helping!