Nathan Fish thanks Nathan...is there a place to look for documentation on this or is that coming?

Justin Wiley absolutely! Should have included that in the first place. https://circleci.com/docs/contexts/#expression-restrictions

Nathan Fish We can see that the expression based context restrictions has exceptions to pipeline.trigger_parameters.* pipeline values.

Just want to confirm if we can use trigger parameters in the expressions.

Manish Vyas trigger_parameters are all the metadata from the inbound webhook. We don't allow access because a bad actor could spoof those parameters and they are generally unbounded. If there is a specific parameter you are interested in or use case you can provide we can evaluate options to make that possible.

Nathan FishWe were checking on using the expressions based on the github metadata to restrict the users to use rerun ssh feature. Let us know if that is possible using the expressions.

Manish Vyas: One option would be to create a context with restriction "not job.ssh.enabled" and then require that context in the workflow as documented in the contexts overview https://circleci.com/docs/contexts/#overview. This would effectively prevent ssh rerun access. You could get more complicated by layering your rules based on branch, etc.

Nathan Fish Thanks for the reply, we can have workflow to use a separate context to prevent ssh. But even in that case it will restrict the existing admins to not use the workflow because same context it used by security groups of developers and admins.

Manish Vyas: Thanks for the additional information. We will continue to look at additional options for this problem.

Nathan Fish: Thank you very much!!!

Nathan Fish: Thanks for the effort,

Is there a working example where you can configure a CircleCI project so that only a specific (github) role (e.g. admins) can do SSH access?

As I understand it, that was the requirement of the feature request. I have gone through the API calls and cannot recognise the function. Maybe I'm missing something? Thank you!

Nathan Fish:Thank you for providing us the api for updating project settings but on setting disable_ssh to true, it also disables the rerun ssh for admin users, do we have any flag which only enables rerun ssh for admin users?

Igor Buchmueller: We also added an "admin" only option to project settings so you can limit whom can edit project settings.

Manish Vyas: Not yet. We are looking at ways to limit SSH rerun to a group of users. No timeline yet on when that will be completed.

Nathan Fish: It's a big security issue, please prioritize this feature, the community and customers need this !

Daniel Castronovo: We plan to offer the ability to limit SSH reruns to a group of users. No timeline yet but we are working on it.

Nathan Fish Do we have any update on the tentative time when this feature will be available

Manish Vyas We don't have a current timeline. We did just introduce expression based context restrictions which does allow you to not make contexts available within an SSH rerun. It address some of the concerns around SSH rerun but doesn't directly address the desire to limit SSH reruns to just admins.