stage | group | info | type |
---|---|---|---|
Release |
Release Management |
To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#designated-technical-writers |
concepts, howto |
Introduced in GitLab Premium 11.3.
Environments can be used for different reasons:
- Some of them are just for testing.
- Others are for production.
Since deploy jobs can be raised by different users with different roles, it is important that specific environments are "protected" to prevent unauthorized people from affecting them.
By default, a protected environment does one thing: it ensures that only people with the right privileges can deploy to it, thus keeping it safe.
NOTE: Note: A GitLab admin is always allowed to use environments, even if they are protected.
To protect, update, or unprotect an environment, you need to have at least Maintainer permissions.
To protect an environment:
- Navigate to your project's Settings > CI/CD.
- Expand the Protected Environments section.
- From the Environment dropdown menu, select the environment you want to protect.
- In the Allowed to Deploy dropdown menu, select the role, users, or groups you
want to give deploy access to. Keep in mind that:
- There are two roles to choose from:
- Maintainers: will allow access to all maintainers in the project.
- Developers: will allow access to all maintainers and all developers in the project.
- You can only select groups that are already associated with the project.
- Only users that have at least Developer permission level will appear in the Allowed to Deploy dropdown menu.
- There are two roles to choose from:
- Click the Protect button.
The protected environment will now appear in the list of protected environments.
A user may be granted access to protected environments as part of group membership. Users with Reporter permissions, can only be granted access to protected environments with this method.
Users with Developer permissions can be granted access to a protected environment through any of these methods:
- As an individual contributor, through a role.
- Through a group membership.
If the user also has push or merge access to the branch deployed on production, they have the following privileges:
Users granted access to a protected environment, but not push or merge access to the branch deployed to it, are only granted access to deploy the environment.
NOTE: Note: Deployment-only access is the only possible access level for users with Reporter permissions.
Maintainers can:
- Update existing protected environments at any time by changing the access in the Allowed to Deploy dropdown menu.
- Unprotect a protected environment by clicking the Unprotect button for that environment.
NOTE: Note: After an environment is unprotected, all access entries are deleted and must be re-entered if the environment is re-protected.
For more information, see Deployment safety.