User, team, and registry permissions

Customers on the Buildkite Pro and Enterprise plans can manage registry permissions using the teams feature. This feature allows you to apply access permissions and functionality controls for one or more groups of users (that is, teams) on each registry throughout your organization.

Enterprise customers can configure registry permissions for all users across their Buildkite organization through the Security page. Learn more about this feature in Manage organization security for registries.

Manage teams and permissions

To manage teams across the Buildkite Packages application, a Buildkite organization administrator first needs to enable this feature across their organization. Learn more about how to do this in the Manage teams and permissions section of Pipelines documentation.

Once the teams feature is enabled, you can see the teams that you're a member of from the Users page, which:

As a Buildkite organization administrator, you can access by selecting Settings in the global navigation > Users.
As any other user, you can access by selecting Teams in the global navigation > Users.

Organization-level permissions

Learn more about what a Buildkite organization administrator can do in the Organization-level permissions section of the Pipelines documentation.

As an organization administrator, you can access the Organization Settings page by selecting Settings in the global navigation, where you can do the following:

Add new teams or edit existing ones in the Team section.
- After selecting a team, you can view and administer the member-, pipeline-, test suite-, registry- and team-level settings for that team.
Enable Buildkite Packages for your Buildkite organization.
Configure private storage for your Buildkite Packages registries.

Enabling Buildkite Packages

To do this:

As a Buildkite organization administrator, access the Organization Settings page by selecting Settings in the global navigation.
In the Packages section, select Enable to open the Enable Packages page.
Select the Enable Buildkite Packages (Beta) button, then Enable Buildkite Packages in the Ready to enable Buildkite Packages confirmation dialog.

Once Buildkite Packages is enabled, the Enable link on the Organization Settings page changes to Enabled and Buildkite Packages can only be disabled by contacting support.

Team-level permissions

Learn more about what team members are and what team maintainers can do in the Team-level permissions section of the Pipelines documentation.

Registry-level permissions

When the teams feature is enabled, any user can create a new registry, as long as this user is a member of at least one team within the Buildkite organization, and this team has the Create registries team member permission.

When you create a new registry in Buildkite:

You are automatically granted the Read & Write permission to this registry.
Any members of teams to which you provide access to registry are also granted the Read & Write permission.

The Full Access permission on a registry allows you to:

View and download packages, images, or modules from the registry.
Publish packages, images, or modules to the registry.
Edit the registry's settings.
Delete the registry.
Provide access to other users, by adding the registry to other teams that you are a team maintainer on.

Any user with Full Access permissions to a registry can change its permission to either:

Read & Write, which allows you to publish packages, images, or modules to the registry, as well as view and download these items from the registry, but not:
- Edit the registry's settings.
- Delete the registry.
- Provide access to other users.
Read Only, which allows you to view and download packages, images, or modules from the registry only, but not:
- Publish such items to the registry.
- Edit the registry's settings.
- Delete the registry.
- Provide access to other users.

A user who is a member of at least one team with Full Access permissions to a registry can change the permissions on this registry. However, once this user loses this Full Access through their last team with access to this registry, the user then loses the ability to change the registry's permissions.

Another user with Full Access to this registry or a Buildkite organization administrator is required to change the registry's permissions back to Full Access again.

Manage organization security for registries

Enterprise customers can configure registry action permissions for all users across their Buildkite organization. These features can be used either with or without the teams feature enabled.

These user-level permissions and security features are managed by Buildkite organization administrators. To access this feature:

Select Settings in the global navigation to access the Organization Settings page.
Select Security > Packages tab to access your organization's security for Packages page.

From this page, you can configure the following permissions for all users across your Buildkite organization:

Create registries—if the teams feature is enabled, then this permission is controlled at a team-level and therefore, this option will be unavailable on this page.
Delete registries
Delete packages

Manage an agent's access to registries

To configure the rules by which a Buildkite Agent can access a registry, you'll need to configure the OpenID Connect (OIDC) policy within the registry to allow the Buildkite Agent to request an OIDC token (using the buildkite-agent oidc request-token command).