I’m having problems giving non System Admins access to the Library Variable Sets.
I’ve created a new role and given it the following rights (LibraryVariableSetCreate, LibraryVariableSetDelete, LibraryVariableSetEdit, LibraryVariableSetView). They already have VariableView from another role but still they are unable to access the library list, they do get the following error message.
“You do not have permission to perform this action. Please contact your Octopus administrator. Missing permission: VariableView
This action requires permission to view variables belonging to a project or library variable set. At least one of your teams has this permission in a limited scope, but this doesn’t cover the project or environment in question. Teams that have enough permission include: Octopus Administrators.”
If I use the test permissions feature it doesn’t show that these permissions (LibraryVariableSetCreate, LibraryVariableSetDelete, LibraryVariableSetEdit, LibraryVariableSetView) have been assigned to them even though they are assigned the new role.
Thanks for reaching out. They key is in this line of the error message
At least one of your teams has this permission in a limited scope, but this doesn't cover the project or environment in question
The team that grants users the roles related to VariableSets has to be scoped to all the projects on the instance. The reason behind this is that Variable Sets can be used by all of the projects (and there’s no way to limit that at the moment).
What we recommend to do in these cases is to create a specific team (lets call it “VariableSetUsers”), which grants all the library variable set roles (LibraryVariableSetCreate, LibraryVariableSetDelete, LibraryVariableSetEdit, LibraryVariableSetView) and which is scoped to All projects.
Could you please try that and let me know how it goes?
Unfortunately I’m not able to provide you a scrreenshot at the moment of my configuration.
I can give an example.
User A is in Team A. Team A is limited on “Test” environment and certain projects he/she is working on. Team A has “Project Deployer” and “Project Lead”.
Now as suggested, I created a Team “VariableSetUsers”. I created a custom role and assigned all these permissions (LibraryVariableSetCreate, Delete, Edit and View.) I added User A to this team, yet he is still not eligble to perform these actions.
I will be able to share some screenshots later. Can I PM you this?
Thanks for the description of your configuration. I’ve tried what you have described in the latest 3.4 version and it seems to work. What version are you currently running?
I’ve send out an email to the support email (https://octopus.com/support).
I’ve send the details in a document of our current structure in Octopus and the version as well.
In order to view and edit the variables in a library variable set the user will also need VariableView and VariableEdit. You can scope those permissions to an environment and the user will only be able to view the variables in the Dev environment, for example. It will not work if the permission is also scoped to something else (like a project).