Skip to main content
Version: 2.0 🆕

Show Only Permitted Pipelines

Who Can Perform This Action?

ActionRequired Permission
Enable the flag via Helm upgradeSuper Admin

Introduction​​

By default, when a sub-user opens the Build & Deploy tab of an application in Devtron, they see all pipelines — including pipelines for environments they have no access to. While they cannot trigger or interact with those restricted pipelines, the volume of visible pipelines can be overwhelming in large organizations with many environments (e.g., dev, qa, staging, canary, prod-us, prod-eu).

To solve this, Devtron provides a configuration flag in the Orchestrator service ConfigMap:

CAN_ONLY_VIEW_PERMITTED_ENV_ORG_LEVEL: "true"

When this flag is enabled, any sub-user (non-super-admin) will only see the pipelines for environments they have been explicitly permitted to access. Super admins are unaffected and continue to see all pipelines.

This feature helps you:

  • Reduce visual noise for developers, testers, and other sub-users
  • Prevent confusion caused by visible but inaccessible pipelines
  • Enforce a cleaner, role-scoped view of the CI/CD workflow
  • Improve focus and productivity for large teams with fine-grained access control

Prerequisites​​

Before enabling this feature, ensure the following:

  • You have Super Admin access on Devtron.
  • User permissions have already been configured correctly under Global Configurations → Authorization → User Access. The flag only filters what is displayed — it relies on permissions being accurately set up beforehand.
  • You are familiar with editing Helm values via the Helm CLI

How It Works​​

Devtron's permission model ties each user's access to specific projects, applications, and environments. When CAN_ONLY_VIEW_PERMITTED_ENV_ORG_LEVEL is set to "true", the platform uses these permission bindings to filter the pipeline view at render time.

ScenarioDefault Behavior (flag off)With Flag Enabled
Sub-user has access to dev onlySees all pipelines (dev, qa, staging, prod, …)Sees only the dev pipeline
Sub-user has access to dev and qaSees all pipelinesSees only dev and qa pipelines
Super AdminSees all pipelinesSees all pipelines (unaffected)
note

The flag filters visibility only — it does not change underlying permissions. A user who previously could not trigger a production pipeline still cannot trigger it; they simply no longer see it.

Enabling the Flag​​

  • Via Helm — for direct updates using the Helm CLI

Via Helm​​

Use this path when you manage the Devtron installation directly via the Helm CLI.

Step 1 — Update the Helm Values​​

In your Helm values file for the Devtron chart, add or update the key under devtron.components.devtron.customOverrides:

devtron:
components:
devtron:
customOverrides:
CAN_ONLY_VIEW_PERMITTED_ENV_ORG_LEVEL: "true"

If the key already exists with the value "false", update it to "true".

Step 2 — Apply the Helm Upgrade​​

Run the following command to apply the updated values:

helm upgrade devtron devtron/devtron-enterprise \
--namespace devtroncd \
--reuse-values \
-f your-values.yaml
info
  • Replace your-values.yaml with the path to your custom values file.
  • --reuse-values ensures all existing Helm values are preserved and only the overrides in your values file are applied.

Step 3 — Restart the Orchestrator Deployment​​

After the Helm upgrade, restart the Orchestrator deployment for the ConfigMap change to take effect:

kubectl rollout restart deployment/devtron -n devtroncd

Once the deployment restarts successfully, the flag is active.

Troubleshooting​​

IssuePossible CauseResolution
Sub-users still see all pipelines after enabling the flagOrchestrator deployment was not restartedRun kubectl rollout restart deployment/devtron -n devtroncd
Sub-users see no pipelines at allUser has no permissions assignedVerify user permissions in Global Configurations → Authorization → User Access
Super Admin cannot see all pipelinesUser is not correctly assigned as Super AdminConfirm the Super Admin toggle is enabled for the user in User Access
Flag key is not being picked upHelm upgrade was not run after updating values, or wrong namespace usedVerify the key exists in your Helm values file and re-run helm upgrade with the correct namespace
Change was lost after a Devtron upgradeFlag was set directly on the ConfigMap instead of via Helm valuesAlways set this flag in your Helm values file and apply via helm upgrade — direct ConfigMap edits are overwritten on redeploy or pod restart