How can I check that the permissions are unchanged on built-in User Roles in Octopus Deploy?

lianne.crocker · 2 October 2020 09:19

You can check that the built-in User Roles in your Octopus instance have the same permissions assigned as a new install of Octopus by running a script to check two Octopus instances against each other.

Get a base, new instance of Octopus

You could compare any two Octopus instances, I’ve chosen to take a brand new instance by spinning up a Docker instance. You could also use a free instance of Octopus.

Set the variables in the script

Set the script to look at both the “clean” install of Octopus and the instance you’d like to check and then run it.

This script can also be found in our API script samples repository.


# the "clean" instance of Octopus, to use as the desired state.
$desiredStateOctopusURL = "https://initial-state-octopus-instance/"
$desiredStateOctopusAPIKey = "API-xxxxx"
$desiredStateHeader = @{ "X-Octopus-ApiKey" = $desiredStateOctopusAPIKey }

# the Octopus instance you'd like to check
$octopusURL = "http://your-octopus-instance/"
$octopusAPIKey = "API-xxxx"
$header = @{ "X-Octopus-ApiKey" = $octopusAPIKey }

try
{
    # Get built-in user roles from desired state (unchanged from initial install) instance of Octopus
    $desiredStateUserRoles = (Invoke-RestMethod -Method Get -Uri "$desiredStateOctopusURL/api/userroles/all" -Headers $desiredStateHeader) | Where-Object {$_.CanBeDeleted -eq $false} 
    
    # Get built-in user roles to check
    $userRoles = (Invoke-RestMethod -Method Get -Uri "$octopusURL/api/userroles/all" -Headers $header) | Where-Object {$_.CanBeDeleted -eq $false} 
    
    Write-Host "====== Starting comparison ======="

    foreach ($userRole in $userRoles) {
        $dsUserRole = $desiredStateUserRoles | Where-Object { $_.Id -eq $userRole.Id }

        $comparisonResult = Compare-Object -ReferenceObject $dsUserRole.GrantedSpacePermissions -DifferenceObject $userRole.GrantedSpacePermissions 

        if ($comparisonResult.Length -gt 0){
            
            Write-Host "$($userRole.Name): "

            foreach ($result in $comparisonResult) {
                if ($result.SideIndicator -eq "<="){
                    Write-Host "      - $($result.InputObject)  MISSING"
                } else {
                    Write-Host "      - $($result.InputObject)  ADDED"
                }
            }
        }
    }

    Write-Host "====== Comparison complete. ======="

}
catch
{
    Write-Host $_.Exception.Message
}

Results:

====== Starting comparison =======
Build server: 
      - BuildInformationPush  MISSING
      - BuildInformationAdminister  MISSING
Package publisher: 
      - LifecycleView  ADDED
      - LifecycleDelete  ADDED
      - LifecycleCreate  ADDED
      - FeedView  MISSING
Project deployer: 
      - ArtifactCreate  MISSING
      - ArtifactView  MISSING
====== Comparison complete. =======

Check User Roles that are not built-in

If you’d like to compare all User Roles on two different instances, not just built-in roles, remove the filtering on the two API requests - | Where-Object {$_.CanBeDeleted -eq $false}