Welcome
Managing Security
HCL DevOps Deploy (Deploy) uses a flexible team-based and role-based security model that maps to your organizational structure.
Authorization realms
Use the Authorization Realms pane to create authorization realms and user groups for the server. Groups can be imported from external systems, such as LDAP.
Creating an OpenID Connect authorization realm
You can create an OpenID Connect (OIDC) authorization realm to use Microsoft Entra ID or Okta server for authorization.

Release Notes
This section includes what's new, defect fixes, and deprecations and removals in all releases.
System Requirements
This document includes information about the hardware, containers, prerequisite software, supported operating system, and database requirements with component level detail for the HCL DevOps Deploy (Deploy).
Getting Started
Quickly become productive with HCL DevOps Deploy (Deploy).
Installing
An HCL DevOps Deploy (Deploy) installation consists of a Deploy server, a database server, and at least one agent.
Upgrading and Migrating
Stay updated with latest features and functionalities by upgrading HCL DevOps Deploy (Deploy) server, agents, and relays. This section also provides instruction on how to migrate your Deploy instance.
Integrating
HCL DevOps Deploy (Deploy) supports integrations with other IBM® and HCL products, products from others, and certain cloud systems.
Administering
Learn how to administer settings in HCL DevOps Deploy (Deploy) elements and communication between the elements.
Managing Security
HCL DevOps Deploy (Deploy) uses a flexible team-based and role-based security model that maps to your organizational structure.
- Guidelines for setting up server security
  Although there is no single best way to set up security for the server, the following steps are sufficient in most cases.
- SSL configuration
  With Secure Sockets Layer (SSL) technology, clients and servers can communicate securely by encrypting all communications. Data is encrypted before it is sent and decrypted by the recipient. This communication cannot be deciphered or modified by third-parties. In addition to encryption, SSL can also support authentication.
- Encryption key tools
  Using the encryption key tools, you can manage your encryption keys.
- Authorization realms
  Use the Authorization Realms pane to create authorization realms and user groups for the server. Groups can be imported from external systems, such as LDAP.
  - Creating an internal storage authorization realm
    Internal storage realms do not retrieve users from any external source. Instead, you add users to internal storage authorization realms manually.
  - Creating an LDAP authorization realm
    An LDAP authorization realm defines how to use an external LDAP server for group authorization.
  - Creating an SSO authorization realm
    A single sign-on (SSO) authorization realm uses an external server for authorization.
  - Creating an OpenID Connect authorization realm
    You can create an OpenID Connect (OIDC) authorization realm to use Microsoft Entra ID or Okta server for authorization.
  - Creating a security group
    You can create a group and grant permissions simultaneously to multiple users in a group. By grouping users, you can simplify the management of access control across various applications, environments, and resources.
  - Adding users to groups manually
    Authorization realms of the internal storage type can have manually created users. Others types, such as LDAP, import user groups cannot have manually created users.
- Authentication realms
  Authentication realms manage users and determine user identity within authorization realms for the server.
- Roles and permissions
  A role is a list of permissions that users have on the HCL DevOps Deploy (Deploy) server. These permissions include the ability to create, edit, and delete objects, such as applications, environments, and components. The permission also includes the parts of the server interface that users can access.
- Secret stores
  You can store user credentials in Hashicorp Vault and integrate with HCL DevOps Deploy (Deploy) to retrieve values from the Vault.
- Security teams
  Users and groups on the server are assigned roles when they are added to teams.
- Security types
  Security types define categories of objects on the server. You can put all objects into a single category, or you can put them in separate categories and give roles different access rights to different categories.
- Tokens
  Tokens provide authorization for agents, agent relays, users, and external systems or applications from the server. Agents use tokens when they run process steps and communicate with the HCL DevOps Deploy (Deploy) server and external services.
- FIPS mode enablement
  You can enable Federal Information Processing Standards (FIPS) mode on the systems that run the HCL DevOps Deploy (Deploy) server, agent, and relays to make them FIPS compliant.
Modeling Software Deployment
Modeling software deployment in HCL DevOps Deploy (Deploy) includes configuring components and component processes and adding those components to applications. Then, you use processes to deploy the components to environments.
Deploying
Learn how to deploy applications in HCL DevOps Deploy (Deploy).
Reporting
Provides several different deployment and security reports.
Extending Product Function
Learn how to extend the function of HCL DevOps Deploy (Deploy).
Troubleshooting and Support
Learn how to troubleshoot some common issues with HCL DevOps Deploy (Deploy).
Security Considerations
You can act to ensure that your installation is secure and set up user access controls.

Creating an OpenID Connect authorization realm

You can create an OpenID Connect (OIDC) authorization realm to use Microsoft Entra ID or Okta server for authorization.

Procedure

On the server, click Settings > Authorization (Groups) > Create Authorization Realm. The Create Authorization Realm dialog box opens.
Enter a name in the Name field.
Ensure that OIDC is selected in the Type list.

Select any of the following vendors:

Table 1. OIDC Vendors
Vendor name	Description
Microsoft Entra ID	To enable Application Role validation through the `roles` claim, the Microsoft Entra ID authorization realm requires specific configuration. You must ensure that the Entra ID manifest is set to `requestedAccessTokenVersion: 2` and that the application is exposed as an API. Finally, you must map the resulting API ID as a designated scope within the Deploy authentication realm settings.
Okta	To enable group-based authorization, the Okta realm validates the `groups` claim within the security token. This action requires a dedicated authorization server to be defined in Okta. Additionally, configure the application's authentication realm with the specific Issuer and associated endpoints provided by that authorization server.

Click Save.

Results

You have created an OIDC authorization realm with the selected vendor.