Prevent unauthorized access to systems

Cyberattacks and other forms of unauthorized access pose a constant threat to IT systems. Fortunately, many tools are available to counter these threats and shield your infrastructure.

Authenticate users and devices

Continuous Delivery uses password-based authentication to control user access to the application and a combination of certificate, password, and token-based authentication to authorize application services to communicate. For details, see Manage access. You can also configure authentication that relies on the Security Assertion Markup Language (SAML) or Lightweight Directory Access Protocol (LDAP), as described in the following sections.

Authenticate public APIs

The Continuous Delivery application programming interface (API) supports authentication via personal access tokens associated with Continuous Delivery accounts. Each token is tied to the permissions granted to its owner through role-based access control (RBAC), so a token grants API access in accordance with that user's role. For enhanced security, scope each token to only the permissions and tasks it actually needs. See Manage personal access tokens and Authenticate public APIs.
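The following is an added illustration of the token model described above, not code from Continuous Delivery or its API: a token is minted only with a subset of the permissions its owner's role already grants, is stored server-side as a hash of the secret, expires, and can be revoked. The role names, permission strings, user names and the `TokenStore` class are assumptions chosen for the demonstration.

```python
"""Scoped personal access tokens under an RBAC model (illustrative, not product code).

Assumptions (constructed for this example): the role/permission table, the
user-to-role table, and the permission naming scheme. Any resemblance to
real Continuous Delivery roles is coincidental.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Set
import hashlib
import secrets

# Constructed RBAC model (assumption): role -> permissions, user -> role.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer":   {"jobs:read", "pipelines:read"},
    "operator": {"jobs:read", "jobs:run", "pipelines:read"},
    "admin":    {"jobs:read", "jobs:run", "pipelines:read",
                 "pipelines:write", "users:manage"},
}
USER_ROLES: Dict[str, str] = {"alice": "operator", "bob": "admin"}


@dataclass(frozen=True)
class Token:
    token_hash: str            # SHA-256 of the secret; the secret itself is never stored
    owner: str
    scopes: FrozenSet[str]     # never more than the owner's role permissions
    expires_at: datetime


class TokenStore:
    """In-memory registry of issued tokens, keyed by the hash of the secret."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, Token] = {}

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, owner: str, scopes: Set[str], ttl: timedelta,
              now: Optional[datetime] = None) -> str:
        """Mint a token for `owner` limited to `scopes` and valid for `ttl`.

        Refuses any scope the owner's role does not already grant, so a token
        can never exceed the RBAC permissions of the user who created it.
        Returns the secret, which is shown to the user exactly once.
        """
        role = USER_ROLES[owner]
        excess = set(scopes) - ROLE_PERMISSIONS[role]
        if excess:
            raise PermissionError(f"{owner} ({role}) cannot delegate {sorted(excess)}")
        if not scopes:
            raise ValueError("a token must carry at least one scope")
        now = now or datetime.now(timezone.utc)
        secret = secrets.token_urlsafe(32)
        digest = self._hash(secret)
        self._by_hash[digest] = Token(
            token_hash=digest,
            owner=owner,
            scopes=frozenset(scopes),
            expires_at=now + ttl,
        )
        return secret

    def authorize(self, secret: str, permission: str,
                  now: Optional[datetime] = None) -> bool:
        """True only if the token is known, unexpired and scoped for `permission`."""
        token = self._by_hash.get(self._hash(secret))
        if token is None:
            return False
        now = now or datetime.now(timezone.utc)
        if now >= token.expires_at:
            return False
        return permission in token.scopes

    def revoke(self, secret: str) -> None:
        """Invalidate a token immediately, regardless of its expiry."""
        self._by_hash.pop(self._hash(secret), None)


if __name__ == "__main__":
    store = TokenStore()
    # alice is an operator, so she may run jobs, but this token only reads them.
    read_only = store.issue("alice", {"jobs:read"}, timedelta(hours=1))
    print("jobs:read ->", store.authorize(read_only, "jobs:read"))   # True
    print("jobs:run  ->", store.authorize(read_only, "jobs:run"))    # False: out of scope
```

The check that matters for least privilege is the one in `issue`: the requested scopes are validated against the owner's role at minting time, so even an operator-level user cannot create a token that outlives or outreaches their own RBAC grant.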

Configure SAML

Continuous Delivery supports authentication from a SAML identity provider. After you configure your SAML identity provider to integrate with Continuous Delivery, you can use your chosen single sign-on tool to authenticate users to Continuous Delivery. See Configure SAML.

Configure LDAP

Continuous Delivery supports use of LDAP for managing user authentication. After configuring LDAP, use group mapping to associate your LDAP groups with role-based access control (RBAC) groups in Continuous Delivery. For details, see Configure LDAP.

Grant access and permissions

The process of granting access rights and permissions is designed to ensure that only authorized users, user groups, devices, and other entities can access a system, application, or network. Commonly used authorization mechanisms include role-based access control (RBAC), attribute-based access control (ABAC), and access control lists (ACLs).

Continuous Delivery has two primary forms of role-based access: workspace access and group permissions.

Manage workspaces

Use workspaces to share access to key Continuous Delivery resources, such as control repos, modules, and jobs, with the other members of your team. After setting up a workspace, add your team members to the workspace and grant them the permissions required for their work. For details, see Manage workspaces.

Manage user and group permissions

Use the management tools in Continuous Delivery to ensure that all users, from read-only to super users, have the access and permissions appropriate to their role on the team. For details, see Manage access.

Implement firewalls

Firewalls serve as a barrier between a trusted internal network and untrusted external networks, such as the internet. For Continuous Delivery, you must open specific firewall ports to support operations. See Continuous Delivery architecture.

Implement logging

Implement logging to gather operational and security data for a system, identify performance and security issues, and reduce the risk of data breaches.

In Continuous Delivery, logging is centralized to help prevent tampering. Log information consists primarily of operational services data exchanged between endpoints. You can log at the info level or the debug level; because debug-level logs are more detailed, debug-level log files require extra protection. For many organizations, the most sensitive data in these logs is internal hostname and IP address information. If you must provide log files to Perforce Support for troubleshooting, you can request a redaction tool to mask sensitive data before you share the files.
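As an added example of the kind of masking described above, the script below replaces IP addresses and internal hostnames in log lines with consistent pseudonyms before the files leave the organization. It is not the redaction tool the page refers to (request that from Perforce Support) and is not Continuous Delivery code. The sample log lines, the internal domain suffixes and the export key are constructed for the example.

```python
"""Mask IP addresses and internal hostnames in log lines (illustrative, not product code).

Pseudonyms are derived with HMAC under a per-export key, so the same address
maps to the same label throughout one export (correlation for the support
engineer is preserved) while the original value cannot be recovered from the
label. Assumptions: the INTERNAL_SUFFIXES list and the sample log are constructed.
"""
import hashlib
import hmac
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed (assumption): domain suffixes that identify internal hosts.
INTERNAL_SUFFIXES = (".corp.example", ".internal")

# Dotted-quad IPv4 only; IPv6 is deliberately not handled here because a naive
# pattern collides with timestamps such as 10:00:01.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A dotted name of two or more DNS labels (hyphens allowed inside a label).
HOST_RE = re.compile(
    r"\b[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+\b"
)


class Redactor:
    def __init__(self, export_key: bytes, internal_suffixes=INTERNAL_SUFFIXES) -> None:
        self._key = export_key
        self._suffixes = tuple(s.lower() for s in internal_suffixes)
        # original value -> label; keep this on the sending side only.
        self.mapping: Dict[str, str] = {}

    def _label(self, kind: str, value: str) -> str:
        tag = hmac.new(self._key, value.lower().encode(), hashlib.sha256).hexdigest()[:8]
        label = f"<{kind}-{tag}>"
        self.mapping[value] = label
        return label

    def _is_ip(self, text: str) -> bool:
        try:
            ipaddress.ip_address(text)
            return True
        except ValueError:
            return False   # e.g. 999.1.1.1 matched the regex but is not an address

    def redact_line(self, line: str) -> str:
        # Addresses first: once replaced, the <ip-...> labels contain no dots and
        # therefore cannot be mistaken for hostnames by the second pass.
        line = IPV4_RE.sub(
            lambda m: self._label("ip", m.group(0)) if self._is_ip(m.group(0)) else m.group(0),
            line,
        )
        return HOST_RE.sub(
            lambda m: self._label("host", m.group(0))
            if m.group(0).lower().endswith(self._suffixes) else m.group(0),
            line,
        )

    def redact(self, lines: Iterable[str]) -> List[str]:
        return [self.redact_line(line) for line in lines]


# Constructed sample log (not real Continuous Delivery output).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z INFO  pipelinesinfra: connected to puppet-primary.corp.example (10.20.30.40:8140)",
    "2024-05-01T10:00:02Z DEBUG query-service: peer db01.internal resolved to 10.20.30.41",
    "2024-05-01T10:00:03Z INFO  webhook: received event from github.com 140.82.112.3",
    "2024-05-01T10:00:04Z DEBUG query-service: retry to 10.20.30.40 after timeout",
]


def redact_sample(export_key: bytes = b"constructed-export-key") -> Redactor:
    """Run the redactor over SAMPLE_LOG and return it (output in .redact, map in .mapping)."""
    redactor = Redactor(export_key)
    for line in redactor.redact(SAMPLE_LOG):
        print(line)
    return redactor


if __name__ == "__main__":
    r = redact_sample()
    print("\nsender-side mapping (do not ship with the logs):")
    for original, label in r.mapping.items():
        print(f"  {original:32} -> {label}")
```

Public names such as github.com are left in place because only names under the configured internal suffixes are masked; every IPv4 address is masked, since external addresses still reveal which peers the installation talks to. The mapping stays with the sender, so the redacted files can be shared while the sender can still translate a label back if support asks about it.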

Across Continuous Delivery services, only the system administrator can view log files, using the console or the command-line interface. For instructions, see Logs.