Policies and Roles Issues


Funkycybermonk

Mar 21, 2023, 11:29:01 AM
to go-cd
Hello! 

I'm sure I'm missing something simple, but I'm trying to lock down access to certain tasks. We'll have some temporary users accessing our system and I want to control what they can and can't do. I get the whole allow/deny and I'm hoping that the View/Administer will be flexible enough to let me limit what users can do to pipelines, but my initial test goal is to have a working permissions set that does anything with pipelines. 

When I set a system administrator, everyone gets their permissions dropped as expected. But once I start adding them to a role containing a policy that says, for example, Allow - Administer - Environments - *, I get the ability as that user to see all environments but I can't see pipelines in those environments.

Setting Allow - Administer - All - * also doesn't let me see pipelines. 

How can I use roles/policies to give users permissions to basic items in the system such as: I want a user to be able to run pipelines containing a certain wildcarded name filter or I want them to be able to view all but only execute certain environments, say only pipelines assigned in the environment labeled TEST. 

The documentation doesn't give specific cases that are helpful in this case. For example, it says that Administer on UI gives list, create, update, delete, agent status and elastic profiles usage, but the closest I can see in the policy is the allow administer * *, which doesn't let my user see any pipelines.

I'm running 22.3 with LDAP as my authentication provider if that helps/affects anything.

Any tips on how to get permissions set up to filter what can and can't be accessed by non-systemadmins?

Thanks!

Funkycybermonk

Mar 21, 2023, 4:35:43 PM
to go-cd
Making progress! I found a link in the console that explained attaching roles to pipelines, which works, but I'd like to be able to say that I want a user to have permissions on a pipeline group through a role, but I only want them to run pipelines with TEST in the name and not any PROD pipelines. In the role I've tried adding deny to administer * * but the role permission on the pipeline group doesn't get modified.

Is this just a fringe case we've put ourselves into and it's not possible to manage things in this way? We've been using pipeline groups to contain all pipelines using a particular template type, so PROD and TEST both are in the same pipeline group. If this isn't possible we can probably just split our groups out into 2x with a prod and dev/test group separately.

I'm just confused on what I can and can't do with roles since it's not a centrally managed feature but the roles can be reused for membership.

Thanks!
