Hi,
Octopus Deploy has Variable Set Variables and Variable Set Templates which can be used to set variables for a Tenant.
The problem is that Tenant Variables cannot be scoped to environments or machines etc.
I really need to scope a variable to a Tenant and Environment combination.
I know there are Tenant tags but I don’t believe these are filtered by a users access.
Could you please advise if there’s a way of achieving this?
Hi Patrick,
Thanks for getting in touch,
It’s currently possible to scope Tenant Variables to specific environments as shown below;
The environments present in this scoping come from the associated environments specified when connecting a particular project;
One method can be to have multiple Tenants each connected to the same project but providing scoping to specific environments, for example in the screenshots provided below;
Project C1 - Tenant Project is connected to the Tenant Blue Octopus which scoped to the Testing Environment.
Project C1 - Tenant Project is also connected to the Tenant Red Octopus which is scoped to the UAT Environment.(This can be repeated for multiple environments in my own setup I have Green Octopus setup for my Production environment, for example.)
As you eluded to in your query, from a user access perspective you can scope specific Tenants within the logged-in Users Team to restrict access to these Tenants, (as an example, perhaps some users are allowed to configure variables for the Testing environment (i.e. Blue Octopus) but are not allowed to change variables within the UAT Environment (i.e. Red Octopus))
I’ve also included a link to our documentation regarding Tenant specific variables, I’d recommend having a read through this information if unfamiliar.
By implementing this method you are able to scope Tenant variables to specific environments as you highlighted.
If I’ve misunderstood your query in any way or have missed something critical, please let me know 
Kind Regards,
Reece
Hi @reece.walsh thanks so much for the thoughtful response. Octopus support is amazing as usual.
Unless I have misunderstood (and I’m sorry if I have), your example is for Project Template variables?
I need to be able to provide this scoping via Library Variable Sets as the variables are reused across many projects. Declaring them separately for each project just wouldn’t be practical from a support perspective and would be error prone. Is this possible?
Hi Patrick,
Thanks for getting back to me, I appreciate the kind words!
In my previous example I was indeed referring to Project Template variables, however, I now understand after re-reading your original comment in tandem with your most recent reply that scoping is required via the Library Variable Sets, apologies for the confusion. (I definitely agree that this could be error prone relying on this, however, I originally interpreted this for use in a single project)
The information provided previously, however, is still directly relevant regarding the usage of Tenant Tags/Environments.
Within the Library Variable Sets you can also create Variable Templates that define variable values that are required for each tenant connected to the associated project. They are defined in the library variable sets which allow Tenants to provide a common variable value that is shared across projects/environments.
I’ve included some screenshots of this below;
You can also change these values on the Tenant level if they are required to be unique for specific environments, which ties into the User permissions by having only certain users have access to this Tenant via Team-scoping
I hope this helps!
Again, if I’ve misunderstood please let me know and I’ll endeavor to get back to you ASAP. Your patience is greatly appreciated
Kind Regards,
Reece
Thanks @reece.walsh thanks again for such a detailed response.
However, I think I may still not be explaining my self very well so I have uploaded a screen cast to demonstrate.
This issue poses a very large security floor for us which is further magnified by the security implications of this issue. Unfortunately this means we’ve had to completed disable Tenant based access to Octopus.
Again… sorry if I am misunderstanding your response 
Thanks heaps for you help!
Hi Patrick,
Thanks for getting back to me,
I greatly appreciate your patience and your time invested in putting this video together, this really helps out!
I’m going to have a chat with the team regarding this and mull this over, I’ll get back to you ASAP, however, I wanted to let you know that this is indeed something i’m actively looking into.
If you require any further assistance in the interim, please let me know 
Kind Regards,
Reece
Hi Patrick,
Thanks for your patience,
I went away and had a chat with the team regarding this and it turns out we currently have an existing Github issue regarding this very concern, which I’ve linked below;
This Github issue is a piece of a larger improvement of Tenant Variables enhancement which I’ve linked below also;
Thanks again for your video explanation, this really helped me understand and highlight your concern.
Moving forward from here, I’d recommend keeping up to date with the progress of these issues at the aforementioned links.
Please let me know your thoughts, I look forward to hearing from you 
Kind Regards,
Reece
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
