Permissions: Restriction Based on Project Doesn't Work

Hi all,

When trying to restrict an Octopus team to only be able to create releases & deploy for 1 specific project, the restriction is not being applied and the members of the team are free to deploy whichever projects they want.

Restrictions by environments work as expected.

Our setup is the following:
We got a custom Deployer Role, which only allows to create & deploy releases (with also various ‘view’ permissions).
Deployer Role is granted to our Deployer Team. From the edit team UI, we restricted Deployer Team to have power over 1 single project. However, said team is still able to deploy all projects.

We must be doing something wrong, unless this is a bug?

Thanks for your kind help, guys.
Guillaume

Hi Guillaume,

Thanks for getting in touch! We will need to grab a bit more information from you before we can get to the bottom of this.
Would you be able to confirm what version of Octopus you are currently running?

Could you also please attach an export of the permissions for a user who is experiencing this?
You can export a users permissions by selecting Configuration->Teams->Test Permissions and selecting a user, then export.
Here is a link to our documentation that has more information on this.

Looking forward to hearing from you. :slight_smile:

Best Regards,
Daniel

Hi Daniel,

Thanks for the quick reply.
We’re using Octopus 3.11.11
See attached file for requested permission info.

Cheers,
Guillaume

Permissions_export_2017_03_23__13_54_07_UTC.csv (1 KB)

Hi Guillaume,

Thanks for getting back! You mention in your initial scenario:

we restricted Deployer Team to have power over 1 single project.

I can see from your export that the user you gave me an export for is a member of a team(s) that is scoped to projects with the following names.

Reacts Testing|Reacts Server|Reacts for iOS|Reacts for Windows|Reacts Sentry

Our scoping works as a restrictive method, scoping your Deployer Team to the above projects will give them access to all the above projects and nothing else. Are you able to confirm that they can deploy projects outside of these projects listed?

Looking forward to hearing from you.

Best regards,
Daniel

Hi Daniel,

If I look at the permission screen in Octopus (see attached), I can see that I only allowed “Reacts Testing” project for the team. The goal was to prevent said team from deploying other projects than the one listed. I don’t understand why the other projects show up in the export.

Guillaume

Hi Guillaume,

Thanks for getting back. On the screen where you perform the permissions export, after you have selected a user, you will be shown all the teams that the user is a member of.

Is it possible that the user has been added to a team/teams that would be providing access to the extra projects listed?

See screenshot1.jpg for example.

Best regards,
Daniel

The user is only member of the “Automatic Testing” team and “Everyone”.
From my understanding, the “Everyone” team doesn’t provide any permissions at all.
See screenshots.

2017-03-28_09_47_35-Test_Permissions_-_Octopus_Deploy.png

Hi Guillaume,

Daniel is off sick today, so I am just filling in. I am seeing your screenshot includes a project group as part of the scope for that team.
When you scope groups and projects, it means this project group (and all of its projects) and these specific projects. I would say that project group includes the projects that the user is seeing additionally.

Could you confirm that for me?
Vanessa

Hi Vanessa,

Yes, you are absolutely right.

Because of the way it’s presented in the interface, I actually thought that an AND filter was applied (ie: scoped to projects within the Project Group AND within any explicitly listed projects); where in reality, an OR filter is applied (ie: scoped to projects within the Project Group OR within any explicitly listed projects).

When you leave the project group text field empty, it says “Any Project Group”, which created the confusion for me. Maybe your development team would like to make the UI even more obvious to avoid such misunderstandings in the future. Just a friendly thought!

In any case, this resolves the issue for me. Many thanks to you and Daniel for your great support!
Have yourself a splendid day, and my best wishes to Daniel, hopefully he gets better soon.

Warm regards,
Guillaume

Hi Guillaume,

Thanks for getting back! And I am feeling much better! Thanks for your wishes. :slight_smile: The permissions area is something we are going to be heavily looking at in Octopus 4.0, we are aware that it can be quite confusing at times and really needs some TLC. Thanks for the feedback though, I have passed it to the team to keep in mind.

Please feel free to get in touch if you run into any further issues in the future or have any questions. :slight_smile:

Best regards,
Daniel