Permissions Standards for Developer Access

I need some help working out some permissions standards for our developers. Currently we allow them to deploy to dev, but we’d like them to be able to create their own projects and processes within Octopus, too. They’d need to be able to scope variables and view logs across all environments, just not deploy to them. This is the part that I get hung up on as it seems like there could be a security risk here. Especially if their process includes variables for a service account that has access to prod.

So I guess the question is what seems to be the typical access a dev would need for Octopus given the above info?

Edit: Maybe a better question is, should developers even be allowed to create their own process?


Thanks for getting in touch! From support requests and general communication with customers, having Devs define processes isn’t a bad thing, and that’s how many teams will do it.
But where the line tends to be drawn is the variables. The Devs can create the code and the processes and define variables, and for Prod, someone with Prod access would then add the variables that the Devs can’t see.

It will all depend on your own internal processes and trust, but with Octopus you can keep a Dev within environments and keep them out of Prod.

Hope that helps!