Sorry, your pipeline modelling isn't very clear so it's very difficult to help. Please describe which configuration of roles you have in which locations and the expected vs actual behaviour, so I'm not guessing.
For my last guess, as the message you screenshot indicates, the "stage level" permissions can restrict further the permissions from the wider pipeline group, but you cannot entirely remove the pipeline group permissions; i.e dev and qa (and maybe some other roles) would need to have operate permissions for the entire group which means all pipeline stages that DO NOT have overridden stage permissions. In other words, if you have a two-stage pipeline and want to have a user/role be able to trigger manual-approval stage 1 but NOT stage 2, you'd need to define manual approval permissions for every stage with different overridden roles (which exclude dev/qa) OR remodel the stages into multiple pipelines in different pipeline groups. On Tue, 9 Sept 2025, 19:01 SHWETHA H R, <shwetharamesh...@gmail.com> wrote: > Attaching the screenshot of the template permission added using the yaml > file. > > On Tue, Sep 9, 2025 at 4:25 PM SHWETHA H R <shwetharamesh...@gmail.com> > wrote: > >> I see the permissions are added in the template stages in the console >> with the syntax we have. >> >> But it is not working as expected. It is forcing us to add the operate >> permission on the pipeline group. >> >> >> >> On Tue, Sep 9, 2025 at 3:02 PM Chad Wilson <chad.lee.wil...@gmail.com> >> wrote: >> >>> So does it work correctly with the different syntax I mentioned? Is the >>> YAML you mentioned being directly processed by a GoCD YAML config repo? If >>> so, your syntax is definitely wrong and will likely be ignoring the entire >>> `authorization` block. >>> >>> It's not possible for anyone else to debug your proprietary/manual >>> conversion logic unless you provide exact steps to replicate, with specific >>> APIs or UIs used. >>> >>> The *configuration repo* plugin formats (YAML, JSON etc) are similar, >>> but *not* the same as the JSON-based APIs so if you are trying to go: >>> >>> GoCD UI-defined pipeline/template --> pipeline/template config API JSON >>> --> manual YAML conversion --> yaml config repo -> GoCD >>> >>> ...you're going to have problems. It will need manual >>> intervention/translation and review against docs. There are specific >>> APIs/UIs to export UI-defined pipelines in a given 'config repo' format >>> that do the necessary translations, but not possible to directly convert >>> GoCD UI-defined templates, since they are not supported in config repo >>> plugins. >>> >>> -Chad >>> >>> On Tue, 9 Sept 2025 at 16:54, SHWETHA H R <shwetharamesh...@gmail.com> >>> wrote: >>> >>>> Hi Chad, >>>> >>>> We are creating these template yaml files inside our BitBucket and we >>>> have a job within GoCD to convert the template yaml to json format and then >>>> pass it to the API call to create a template. >>>> >>>> Initially we created a template from the console and we fetched the >>>> json template using the API and then we converted that to yaml and started >>>> using the same yaml format for all the templates. That’s how we got this >>>> syntax for the template. >>>> >>>> Regards, >>>> Shwetha >>>> >>>> On Tue, Sep 9, 2025 at 2:02 PM Chad Wilson <chad.lee.wil...@gmail.com> >>>> wrote: >>>> >>>>> Which plugin are you using to specify your pipelines? That syntax >>>>> doesn't look valid for the GoCD Yaml plugin, so it's a bit hard to >>>>> determine what is happening. >>>>> >>>>> The permissions on an individual stage *should* overwrite anything >>>>> from the pipeline group (as specified via the GoCD UI configuration) so >>>>> what you are trying to do should be possible, so there is possibly an >>>>> issue >>>>> with your syntax. >>>>> >>>>> Normally with the YAML plugin the syntax would look like the below, >>>>> according >>>>> to the docs >>>>> <https://github.com/tomzo/gocd-yaml-config-plugin?tab=readme-ov-file#approval> >>>>> . >>>>> approval: >>>>> type: success >>>>> allow_only_on_success: false >>>>> roles: >>>>> - dev >>>>> - qa >>>>> users: [] >>>>> >>>>> -Chad >>>>> >>>>> On Tue, 9 Sept 2025 at 15:50, SHWETHA H R <shwetharamesh...@gmail.com> >>>>> wrote: >>>>> >>>>>> Hello, >>>>>> >>>>>> We are trying to restrict users from triggering all the stages in a >>>>>> GoCD pipeline. We tried adding permission within the templates like >>>>>> below: >>>>>> approval: >>>>>> type: success >>>>>> allow_only_on_success: false >>>>>> authorization: >>>>>> roles: >>>>>> - dev >>>>>> - qa >>>>>> users: [] >>>>>> >>>>>> This is forcing us to add operate permission on the pipeline groups >>>>>> for both qa and dev roles. If we add operate permission, then dev and qa >>>>>> groups are able to trigger any stage even though there is a restriction >>>>>> within the template stage permissions. >>>>>> >>>>>> Please let me know if there is a way where we can restrict users to >>>>>> trigger only the required stages without giving operate access on the >>>>>> pipeline group. >>>>>> >>>>>> Thank you, >>>>>> Shwetha >>>>>> >>>>>> >>>>>> -- >>>>>> You received this message because you are subscribed to the Google >>>>>> Groups "GoCD Users" group. >>>>>> To unsubscribe from this group and stop receiving emails from it, >>>>>> send an email to go-cd+unsubscr...@googlegroups.com. >>>>>> To view this discussion visit >>>>>> https://groups.google.com/d/msgid/go-cd/CALFHbX%2Bt-9wWiAhfwzRUvB2tW41M5eO6U92upF6AxuinJjWqfw%40mail.gmail.com >>>>>> <https://groups.google.com/d/msgid/go-cd/CALFHbX%2Bt-9wWiAhfwzRUvB2tW41M5eO6U92upF6AxuinJjWqfw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>>> . >>>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "GoCD Users" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to go-cd+unsubscr...@googlegroups.com. >>>>> To view this discussion visit >>>>> https://groups.google.com/d/msgid/go-cd/CAEe7TByCZxMRGP_ANMHs-%2Bjs-2pT2RrcRra-2L%3D%2BisWqKiY85g%40mail.gmail.com >>>>> <https://groups.google.com/d/msgid/go-cd/CAEe7TByCZxMRGP_ANMHs-%2Bjs-2pT2RrcRra-2L%3D%2BisWqKiY85g%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "GoCD Users" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to go-cd+unsubscr...@googlegroups.com. >>>> >>> To view this discussion visit >>>> https://groups.google.com/d/msgid/go-cd/CALFHbXKmt%3D6%3D5_LFPJz1jWiOe2JpOPq2Jf3zQEOx8BB8i922NQ%40mail.gmail.com >>>> <https://groups.google.com/d/msgid/go-cd/CALFHbXKmt%3D6%3D5_LFPJz1jWiOe2JpOPq2Jf3zQEOx8BB8i922NQ%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "GoCD Users" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to go-cd+unsubscr...@googlegroups.com. >>> To view this discussion visit >>> https://groups.google.com/d/msgid/go-cd/CAEe7TBy15KpaEVYm2nPj%2B9SLAtgmgzvvX9zXRWwAkOg5d-fGyQ%40mail.gmail.com >>> <https://groups.google.com/d/msgid/go-cd/CAEe7TBy15KpaEVYm2nPj%2B9SLAtgmgzvvX9zXRWwAkOg5d-fGyQ%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- > You received this message because you are subscribed to the Google Groups > "GoCD Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to go-cd+unsubscr...@googlegroups.com. > To view this discussion visit > https://groups.google.com/d/msgid/go-cd/CALFHbXLf2u-kk3nFGmcT1u20ZEMk8DM7E6U1TVHpB02oYtTO7A%40mail.gmail.com > <https://groups.google.com/d/msgid/go-cd/CALFHbXLf2u-kk3nFGmcT1u20ZEMk8DM7E6U1TVHpB02oYtTO7A%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "GoCD Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to go-cd+unsubscr...@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/go-cd/CAEe7TBzMAqzkPQhA%3DoH3eDxMQZ7k7Synrbs_oeUYAjat54rUQg%40mail.gmail.com.
