Read-only access for authenticated users #769

@dryewo

Feature Request

What challenge are you facing?

We want to adopt Concourse in our big team (actually, many small teams).
We use GitHub OAuth for authenticating and authorizing users.
The challenge is as follows:
If there are teams TeamA and TeamB, and TeamA owns a pipeline Pipeline1, we will need to restrict access in the following way:

  • users logged in to TeamA have full access to Pipeline1 - triggering, modifying etc. - this is already implemented in Concourse.
  • users logged in to TeamB can see Pipeline1, but cannot trigger and otherwise modify it.
  • unlogged users cannot see Pipeline1.

This will enable TeamA to accept pull requests from TeamB and let them see the results of builds.

A Modest Proposal

The current implementation allows exposing a pipeline to both unauthenticated users and users in other teams. This is not fine-grained enough for our use case.

I didn't carefully think it through, but I guess it can be implemented by adding an --internal flag to the expose-pipeline subcommand:

$ fly expose-pipeline -t foo -p helloworld --internal

This should make the helloworld pipeline visible only to logged-in users.

If there is already some solution to this, please point me to the docs, as I was not able to find anything.

Thanks in advance.
