User, team, and pipeline permissions

Customers on the Buildkite Pro and Enterprise plans can manage registry permissions using the teams feature. This feature allows you to apply access permissions and functionality controls for one or more groups of users (that is, teams) on each pipeline throughout your organization.

Enterprise customers can configure pipeline permissions for all users across their Buildkite organization through the Security page. Learn more about this feature in Manage organization security for pipelines.

Manage teams and permissions

To manage teams across the Buildkite Pipelines application, a Buildkite organization administrator first needs to enable this feature across their organization. Learn more about how to do this in the Manage teams and permissions in the Platform documentation.

Once the teams feature is enabled, you can see the teams that you're a member of from the Users page, which:

As a Buildkite organization administrator, you can access by selecting Settings in the global navigation > Users.
As any other user, you can access by selecting Teams in the global navigation > Users.

Organization-level permissions

Learn more about what a Buildkite organization administrator can do in the Organization-level permissions in the Platform documentation.

As an organization administrator, you can access the Organization Settings page by selecting Settings in the global navigation, where you can do the following:

Add new teams or edit existing ones in the Team section.
After selecting a team, you can view and administer the member-, pipeline-, test suite-, registry- and team-level settings for that team.

Note: Registry-level settings are only available once Buildkite Package Registries has been enabled.

Team-level permissions

Learn more about what team members are and what team maintainers can do in the Team-level permissions in the Platform documentation.

Pipeline-level permissions

When the teams feature is enabled, any user can create a new pipeline, as long as this user is a member of at least one team within the Buildkite organization, and this team has the Create pipelines team member permission.

When you create a new pipeline in Buildkite:

You are automatically granted the Full Access (MANAGE_BUILD_AND_READ) permission to this pipeline.
Any members of teams to which you provide access to this pipeline are also granted the Full Access permission.

Full Access on a pipeline allows you to:

View and create builds or rebuilds.
Edit pipeline settings, which includes the ability to change the pipeline's visibility.
Archive the pipeline or delete the pipeline.
Provide access to other users, by adding the pipeline to other teams that you are a team maintainer on.

Any user with the Full Access permission on a pipeline can change its permission to either:

Build & Read (BUILD_AND_READ), which allows you to view and create builds or rebuilds, but not:
- Edit the pipeline settings.
- Archive or delete the pipeline.
- Provide access to other users.
Read Only (READ_ONLY), which allows you to view builds only, but not:
- Create builds or issue rebuilds.
- Edit the pipeline settings.
- Archive or delete the pipeline.
- Provide access to other users.

A user who is a member of at least one team with Full Access permission to a pipeline can change the permission on this pipeline. However, once this user loses Full Access through their last team with this permission on this pipeline, the user then loses the ability to change the pipeline's permissions in any team they are a member of.

Another user with Full Access to this pipeline or a Buildkite organization administrator is required to change the pipeline's permission back to Full Access again.

Manage organization security for pipelines

Enterprise customers can configure pipeline action permissions and related security features for all users across their Buildkite organization. These features can be used either with or without the teams feature enabled.

These user-level permissions and security features are managed by Buildkite organization administrators. To access this feature:

Select Settings in the global navigation to access the Organization Settings page.
Select Security > Pipelines tab to access your organization's security for pipelines page.

From this page, you can configure the following permissions for all users across your Buildkite organization:

Create Pipelines—if the teams feature is enabled, then this permission is controlled at a team-level and therefore, this option will be unavailable on this page.
Delete pipelines
Change Pipeline Visibility—Make private pipelines publicly available.
Change Notification Services—Allows notification services to be created, edited, and deleted.
Manage Agent Registration Tokens—Allows agent tokens to be created, edited, and deleted.
Stop Agents—Allows users to disconnect agents from Buildkite.