Thank you for your questions.
When it comes to editing variables in they way you have described, you could in theory have a custom user role that can either modify environment scoped variables and/or also modify any un-scoped variables within a project to a scoped environment within a team. With the ‘Update Variables’ feature it is an all or nothing permission as part release and not tied to an environment.
Assuming your developers only work in your Development environment, you could look to create a custom role for your Developers so they can only perform certain actions scoped to a specific environment (including scoped variables).
However there are some caveats here, my above comments are not taking into consideration what your current permissions model are for your teams as I am unclear of what this looks like within your set up.
If your Development team are assigned to other user roles that allow these actions within other environments, for example they have the ‘Project Deployer’ role (un-scoped) attached to a team where the permissions to edit variables are included, Octopus will allow users to modify variables within all environments.
Octopus is inclusive when it comes to permissions and not exclusive, so if a role is attached to a team where an action is allowed, Octopus will include this within the permissions for the role/team where it has been applied (which may be what you are seeing after creating your custom role).
User Roles can be quite granular but also can become complex quickly so you need to consider the right approach for you and your organization.
However saying this, my initial thoughts for an idea to try would be looking to create custom roles per environment and manage this at a variable level.
So for example a concept to split this out may work for you (Test and Prod may have the same permissions, which could be 1 role):
- Developer Role - Dev
- Developer Role - Test
- Developer Role - Prod
You can add these roles to your development team and scope the roles to a specific environment (some roles may be duplicated).
However, the downside is that users can only modify variables they are scoped to so the solution may not fit your needs if they need to modify variables for other environments as part of your deployment process.
This means that the developers can only update the variables they are allowed to modify using the ‘Update Variables’ feature.
I hope this helps