Environments vs. Roles / Machine role security

Hi,

We have multiple applications across multiple business units (BUs). It seems as though the only good way to enforce security so that one application from one BU does not get deployed to another BU’s servers is by creating separate environments, as security can be enforced by project or environment.

For example, what we’d like to have is the following lanes (environments): Development, QA, UAT, Prod. What we end up with is BU1 Development, BU2 Development, BU1 QA, BU2 QA and so on.

I’ve read some discussions indicating that we should be leveraging specific machine roles to better target our deployments, but it doesn’t look as though Octopus Deploy allows security based on machine role. During our POC, we took this route - we had a single Development environment housing servers from all BUs, and each one was tagged with one or more very specific roles. Unfortunately, someone had a typo in their deployment process and was able to easily deploy to a server that was not theirs.

So… I’m looking for a little guidance on best practice here, along with hoping that someone can tell me that machine role security trimming is somewhere on the backlog.

Any advice would be welcome.

Thanks,
Ben

Hi Ben,

Thanks for reaching out. In this case, the best from a security perspective would be to have one Octopus Environment per BU and Environment, like you mentioned: BU1 Development, BU2 Development, BU1 QA, BU2 QA and so on.

You might not have the prettiest sight on the Environments menu (as you’ll have many environments with few machines on them) but it’ll be the best from a security and deployment orchestration perspective (especially when you start configuring your lifecycles).

We don’t have plans to support security based on roles, but you can create a Uservoice suggestion for it over here: http://octopusdeploy.uservoice.com/. If it gets enough love from the community, we’ll see what we can do about it in future releases.

Thanks!

Dalmiro
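The two layouts discussed in this thread, compared in a small Python model (an added example, not Octopus Deploy code and not part of any post). It assumes a step reaches the machines in the chosen environment that carry one of its roles, and that permissions are scoped per environment; all machine, role and environment assignments below are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Machine:
    name: str
    bu: str            # business unit that owns the server
    environment: str
    roles: frozenset

def resolve_targets(machines, environment, step_roles):
    """Machines in the environment that carry at least one of the step's roles."""
    wanted = set(step_roles)
    return [m for m in machines
            if m.environment == environment and m.roles & wanted]

def audit(machines, project_bu, allowed_envs, environment, step_roles):
    """Return (permitted, other_bu_targets) for one deployment attempt.

    permitted models an environment-scoped permission check;
    other_bu_targets lists servers reached that another BU owns.
    """
    if environment not in allowed_envs:
        return False, []
    hits = resolve_targets(machines, environment, step_roles)
    return True, [m.name for m in hits if m.bu != project_bu]

# Constructed inventory 1: one shared Development environment, separated by role only.
SHARED = [
    Machine("bu1-web01", "BU1", "Development", frozenset({"bu1-web"})),
    Machine("bu2-web01", "BU2", "Development", frozenset({"bu2-web"})),
]
# Constructed inventory 2: one environment per BU and lane.
PER_BU = [
    Machine("bu1-web01", "BU1", "BU1 Development", frozenset({"bu1-web"})),
    Machine("bu2-web01", "BU2", "BU2 Development", frozenset({"bu2-web"})),
]

if __name__ == "__main__":
    typo = ["bu2-web"]  # BU1's step meant "bu1-web"
    # Shared environment: the typo lands on BU2's server.
    print(audit(SHARED, "BU1", {"Development"}, "Development", typo))
    # Per-BU environment: the same typo matches no machine in BU1's environment.
    print(audit(PER_BU, "BU1", {"BU1 Development"}, "BU1 Development", typo))
    # Targeting BU2's environment is refused by the environment permission.
    print(audit(PER_BU, "BU1", {"BU1 Development"}, "BU2 Development", typo))
```
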

I believe this uservoice request is quite similar (I voted for it) - http://octopusdeploy.uservoice.com/forums/170787-general/suggestions/5731904-scope-environment-permissions-to-machine-roles