Active Directory caching?

Hello!

Still evaluating here and I am now looking into a specific part of our deploy process where deploying to our production environment requires an extra elevation step. (An AD user is added to a group with more access rights for a limited time during the deploy)

Technically that is not how deploy using OD will work, but we would like to preserve the authorization part so that you have to do the elevation to get access to the production environment in OD. Setting up multiple teams with different AD groups in them was easy (and I have tested that previously) and works, but I could not get it to work with the elevation. OD did not seem to pick up on the changed group membership for the test user. Signing out and then in again had no effect until I had been away doing other things for 2-3 hours and got back to my desk and tried again.

So, is there an AD query cache somewhere in the OD authorization code that we might have to clear?

Hi Ulf,

Thanks for reaching out. We do have a cache mechanism in place for AD users and Groups. A quick way to reset this cache would be to rename any of your Octopus teams which will force our cache to refresh.

Give it a try and let me know if it works for you.

Thanks!

Dalmiro

Hi,

That worked once I think.

My test user had lost its membership in the group that gave it Project Viewer rights through a team and that started to work after I added the user to the group and renamed that team a few times. Adding the test user to the group that belongs to the team with deployment rights and renaming that team (and adding a new team) appears to have no effect so far (did it about 15m ago now).

I think it would be a good idea to reread all rights for a user from AD on logon like Windows itself does (if it has AD access).

Br,
Ulf

We have the same issue. We have added AD Groups to Active Directory; when we attempt to assign these groups to a Team in Octopus Deploy, the new AD groups do not show up.

We have tried renaming the teams, adding new ones, etc… and none of these changes have forced an AD Cache rebuild. We REALLY need a way to force this through the Configuration section of the web portal.

Please add this as a requested feature.

Hi Michael,

Thanks for reaching out.

  • Are the teams available on other systems (i.e. Outlook) right after you add them to Active Directory? Sometimes AD takes its time to replicate this through the domain controllers.

  • Did the teams finally show up on Octopus after some time?

I’m gonna bring this topic to the team to discuss how we can approach this. We’ll be making changes on the AD authentication on 3.0 and 3.1, but I’m not sure if it’s gonna have an impact on this particular situation. Let me get back to you on Monday for this.

Thanks,

Dalmiro

The AD Groups did appear after a few minutes. We are using version 2.6.5.1 and plan on upgrading to 3.0 when it comes out.

Hi,

I am on leave, back 3/8. Contact support@cab.se for urgent matters.

Regards, Ulf