3.4.0-alpha0002 "Tenant aware Users"

Matt_Sheeley · 3 June 2016 12:58

Hi Guys,
Thanks again for publishing another EAP. It really is helpful to get an early look at how this feature set is being developed.

I have a Question / Feedback about User security and Tenants.

for example:
I Have Created Multiple Tenants and projects in 3 environments (Dev,Test and Prod)
I have a Tenant (ABC Bank) and a user (Ana Smith).
ABC Bank Has a single Project (IdScanner) and 2 Environments (Dev and Prod)
Ana Smith is a Member of a Team (ABC Bank Team) that is scoped to the ABC Bank Tenant
Using the Octopus.Client I make The Following (Linqpad)

string ApiKey = "API-QTYC8DUOJFTIEDE8VQCXMZRMYY"; //Anna Smith
OctopusRepository repo = new OctopusRepository(new OctopusServerEndpoint("http://localhost:8080", ApiKey));
repo.Environments.FindAll().Dump();
repo.Projects.FindAll().Dump();

This will return all the Environments (Dev,Test and Prod) as well as all the Projects.

Now, If I Scope the ABC Bank Team to IdScanner and the Dev and Prod Environments that are scoped to the Tenant, Then I only see the one project and those 2 environments. If I Scope the Team To a different project and the Test environment, Then I only see that Information.

If I attempt to create a deployment into the environment that Ana Has permissions far according to her Team membership (When They are different from the Tenant), I get an Octopus Security Exception due to missing the permission DeploymentCreate.

I guess I was hoping that Applying a Tenant Restriction to a Team, Would make the team inherit all the restrictions that go along with that Tenant, without having to duplicate effort by also adding the project and Environments to the Team as well…

Hopefully I have explained my thoughts and findings in a manner that makes sense to you

Thanks

Matt.

anon61686641 · 6 June 2016 00:06

Hi Matt,
Its great to hear that you have started exploring the alpha builds containing the multi tenancy feature. We have been so excited to get feedback from our users that we thought it would be a good opportunity to provide pre-beta builds for you to add your thoughts and suggestions.

In this case it looks as though you have started exploring an area we had not yet fully implemented for this alpha build. Although we set up the UI and the schema to store tenant related information against teams, we had not actually started using it anywhere! When completed we would expect it to work in much the way that you are expecting it to (if I understand your scenario correctly);

Assuming tenant ABC Bank is assigned to the team ABC Bank Team which has the (for arguments sake) TaskView permission and that team is also scoped to the IDScanner project. Then any user who is on that team will be able to see all tasks for that project that were for that tenant, regardless of the environment. By scoping that team to the IDScanner project, their access will also be limited to that project. (Remember that with permissions a blank filter constitutes a wildcard match). Does this meet your expectations of how permissions would be applied?

We hope to have a build out that implements all these permission restrictions in the next few weeks. Be sure to give it a try and let us know what you think!

Thanks again for your feedback, I hope this helps clarify the direction we are going with including tenants in the permissions framework.
Cheers,
Rob