Scoping specific variables

Hi folks, apologies for bothering you yet again.

Here’s our scenario:

We have passwords that are environment-specific that we want to store in Octopus and substitute into the config files at deploy time. Developers should have access to edit these in non-Production environments. However, access to these variables in the Production environment has to be heavily locked down (potentially even to a single user).

The problem is that when I set up the roles with permissions granted on specific environments, it means users with those roles can also edit all the other variables for those environments, with the potential to mess up the deployment process.

Is there any way to accomplish what we need here so that we can define a role that can only update specific variables, or is there any other best practice that people use for locking down access to passwords, etc?


Thank you for reaching out! The best thing to do in your case is to create 2 separate variables - one scoped to the Production environment, and one scoped to everything else (or unscoped). That will mean that only user(s) scoped to the Production environment will be allowed access to the variable in that same environment.

Let me know if you have any further questions!