In our organization, we have one person who is in charge of managing permissions on the various platforms we use, including Octopus.
This user has no need to anything else on Octopus other than manage user permissions. He doesn’t need, nor does he want, the ability to do anything with releases or deployments.
Is it possible to give him the ability to manage user’s permissions (including Octopus admins) without being an Octopus Admin himself?
Thanks for getting in touch!
Unfortunately, this isn’t possible.
In order to prevent users from being able to elevate their own permissions within Octopus a user can only add other users to teams that have permissions of the same level or below the editing user.
Is there any work-around, besides making the permissions manager an admin himself?
This really seems to go directly against the principle of least privilege.
Or perhaps, are we approaching this incorrectly? Is there a better way to do this while still following the principle of least privilege?
Having it work the way you describe may initially seem like applying least privilege it is actually the opposite as that user would have the ability to create admin level users. Meaning that user technically is able to create a full admin user and gain access to your entire system.
The only real solution to this would be to use an external with provider such as active directory where the users and teams can be managed outside of octopus by a user who doesn’t have access to octopus themselves.
Is there any sort of audit-able automation that we could use accomplish what we’re looking for?
You could perhaps create some scripts against the API to automate the management of users and pair this with an admin level Octopus service account API key which would provide the permissions needed without being able to log in to Octopus.
Full details of the API can be found here: https://github.com/OctopusDeploy/OctopusDeploy-Api/wiki
And I would recommend using the octopus.client library to interact with the API as it is generally simpler than having to structure full REST calls.
This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.