Editing project variables for tenant and environment


I have four environments: Dev -> Test -> Staging -> Production. I want to have two group of people:

  • Group A has to be able to:
    • create releases and deploy to Dev and Test
    • observe Staging and Production
  • Group B has to be able to:
    • observe Dev and Test
    • deploy to Staging and Production

I have a tenanted project and some project variables which I want Group A and B to be able to edit. In order to that though I need to grant them the TenantEdit permission. Which leads to the following two problems:

  • Group A and B are able to edit the whole tenant (e.g. connect it to another project and change its name)
  • Group A is able to edit the project variables for Staging and Production. The same applies with B and Dev and Test.

Is there some way to avoid this?

Guys, any feedback about this?


Sorry for the late reply here. For Group A being able to edit the project variables for Staging and Production, and Group B with Dev and Test, you will need to look closely at how your teams are scoped.
A team will only be able to access the environments that it has been scoped to unless the team has not been scoped to an environment at all.

We do have a really good documentation on configuring mixed environment permissions that will give you all the information you need to do this.

With Tenants, if you give the TenantEdit permission to a team, users in the team will have full control over any Tenant the user is scoped to. Sadly we do not have different levels of Tenant edit.

I recommend using our test permissions feature to easily identify all the permissions that a particular user has. (Instructions below)
If you have read the documentation and checked your scoping, yet are still having issues. You are more than welcome to do an export on your permissions and attach them to this ticket. I would be more than happy to have a look at them to identify any issues that you may still be having.

You can access the Test Permissions page and also export your permissions by selecting Configuration -> Teams -> Test Permissions -> (Selecting a team) -> Export


Daniel, what I meant was that the problem occurs only when the variables of the project have their values set in the tenant. If their values are set in the project itself everything works as expected. I had already read those sections of the documentation you’re sending me.

What I am stating is that if a user has EnvironmentView, ProjectView, TenantView and TenantEdit permissions he can actually edit all variables in the environments, projects and tenants he is associated with.

Additionally - in the Audit log you’re not able to see the changes for those variables/tenants! Which is an issue, too.

BTW I am using version 3.4.5. Please let me know if any of these have already been addressed in a new release. Thanks!


Thanks for getting back and clarifying that! This behavior has us a little confused. To understand why this is happening we are going to need an export of the your user permissions.

To recap how this is done, you can access the Test Permissions page and also export your permissions by selecting Configuration -> Teams -> Test Permissions -> (Selecting a team) -> Export

Looking forward to hearing from you. :slight_smile:



Not only I tested the permissions with a custom role, team and user. I also gave you the explicit list of the permissions after I saw which are the ones required. What was needed is to do the same and confirm or reject my findings. Instead of that you still persist with your request for the .csv file.

Since uploading the file gives me the following error:

There was a problem with your uploaded files.
Please fix the problem and upload the file again.
Permissions_export_2016_09_20__11_19_37_UTC.csv (128 Bytes)
has contents that are not what they are reported to be'

I am pasting here the content of the file:


You will learn nothing new though because I already gave you the same information in my previous response.

I am expecting an answer from you about how I should restrict the access to the variables inside a tenant for specific environments.


It is important, which I am sure you understand as a developer, that you have all the required information to attempt to replicate something. We asked for the export, which you did not provide, as we need to confirm any project or environment restrictions, and this is the easiest way for us to do this. We also looked at the code and need to confirm the settings to replicate or dig further. I do not think it is to much for us to ask for all the information. It would also confirm any further team permissions or anything that could possibly be mixed.

Are your tenants restricted to any specific projects or have you given them all projects? Have you also given them all environments for those projects.

We can only help when given the information that we require to replicate and look into issues. Sometimes you may think that you give us everything but we need to confirm and we don’t ask for no reason at all. When you do not acknowledge what we have asked for, what can we do but ask again?

While we do try our best, we really are trying to help you here, and cannot guess the information. The environment and project settings are an important combination to replicating this.



I did not initially upload the .csv file, because uploading was giving me an error as I already showed you. Furthermore there needs to be some element of trust. I saw the permission list from the Test permissions page. And since the upload was not working I gave you a list of the permissions because that’s what you asked for. I would strongly advise you to fix your website functionality first and then force your customers to use it.

Moving on… Let me answer your questions:

I am not aware of tenant-to-project restrictions. I have connected my tenant to two projects. The connection is defined for all environments. The team is restricted to one of those two connected projects. It is only restricted to some environments. The environment and project restrictions are working correctly since the project variable templates shown inside the tenant Variables page shows only the restricted project and environment combinations. What is not working is that the user is able to modify all the variables and click Save successfully. I do hope now you have all the information in order to replicate the issue…

If there are any other questions - please let me know. Let me reiterate that it is an issue for us considering my initial explanation of the responsibilities between the different teams.


Sorry for the late reply. I have the dreaded words that the behavior where you can edit the Tenant variables without variable edit is by design.
We do agree that this should not be the case, so we are looking to change the permissions up. But we couldn’t decide if we needed to create our own permission or if VariableEdit was enough.

We could new permission like TenantVariableEdit to keep consistency with projects requiring LibraryVariableSetEdit despite having VariableEdit.
Or if we could require TenantEdit & VariableEdit together to enable access to these variables.

I have opened up a UserVoice suggestion to see what the community think about this as Tenants are a new feature and we want to get this right and understand the use case better.
Link to UV Suggestion: https://octopusdeploy.uservoice.com/forums/170787-general/suggestions/16378753-extend-granular-permissions-for-tenant-variable-ed

Let me know what you think.


That’s great, Daniel! Thanks for the feedback. I will look at the UV link and close this discussion.