How to be able to do admin task on all environments except production

(Rsp Archi Ext) #1

Hello,

We’re using Octopus 2018.7.4 OnPremise

We would like to be able to strictly segregate dev and ops in the Octopus instance so that dev cannot target production machines or deploy to production environment.

In other words, let’s say we have 4 environments: 1 dev, 1 int, 1 pre and finally 1 prod.

We need to set up teams like ‘TEAM DEV’ and ‘TEAM OPS’ where TEAM DEV can do everything on dev/int but is read-only and cannot deploy on pre/prod, while TEAM OPS will be the opposite.

We can’t figure out how to achieve that. We didn’t find any way to prevent TEAM DEV from creating a “fake” machine targeting production in a “fake” environment, and then using the “fake” environment to deploy to production.

  • we are trying to find the roles/permissions matrix with no luck so far.

Especially this [https://octopus.com/docs/security/users-and-teams/creating-teams-for-a-user-with-mixed-environment-privileges#Creatingteamsforauserwithmixedenvironmentprivileges2018-12] did not help that much.

Any suggestion/solution will help.

Kind regards.

(Derek Campbell) #3

Hello @rsp_archi_ext,

Welcome to the Octopus Community!

This is a fairly standard configuration, and I’ve set up an example locally that should get you what you’re after.

First, we will want to set up the users and the groups for the Project. For this, I’ve created a couple of Users for your roles.

I’ve then gone ahead and created four separate Teams, attached permissions, and scoped them to the TestPermissions Project and its associated Environments as below:

Dev Team - Prod View.

Dev Team - Full Access Dev/Int

Ops Team - Dev/Int Viewer

Ops Team - Full Access Pre/Prod

You’ll notice that I’ve added the Project Lead to the Full Access Teams but also mapped it to just the environments they own. The reason for this is I assume you want them to be able to Create a Release.

When I log on as the Dev User, I select to Create the Release and then select to Deploy to Dev. It will proceed with the Deployment to Dev.

Post Deployment:

I then Deploy to Int:

It deploys to Int, but you will notice that the Deploy to Pre-Prod button is not present.

At this point, if you browse to the Overview page, you will see that the Deploy button is not present.

At this point, I logged out from the DevUser and logged in as the OpsUser. You will notice that the Deploy button is activated.

From here, deploy to Pre-Prod. When completed, you will see that the User can then deploy to Prod.

Select Deploy to Prod as the OpsUser, and the deployment should complete successfully.

We don’t have a permissions matrix, but you can browse the User Roles, and see what is contained in the permission. If you want the teams to add Infrastructure for each environment, then they are going to need the Environment Manager User Role.

Please let me know how you get on and if we can help further.

Thanks,

Derek
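
An added example, not part of the original thread and not Octopus code: an offline audit of a team layout like the one in the answer above, flagging dev teams that hold deploy or infrastructure permissions without an environment scope, with a pre/prod scope, or with the ability to add targets (the “fake” machine concern from the question). The team/role data structure, the role contents, and the last two teams are constructed assumptions; the permission names are Octopus permission names.

```python
# Added example. Team/role data is constructed and simplified; it is not the
# Octopus API schema. Check real role contents on the User Roles page.
PROTECTED = {"pre", "prod"}
DEPLOY = {"DeploymentCreate"}
INFRA = {"EnvironmentCreate", "EnvironmentEdit", "MachineCreate", "MachineEdit"}

ROLES = {  # abbreviated, assumed permission sets
    "Project deployer": {"ProjectView", "DeploymentCreate"},
    "Project viewer": {"ProjectView", "ReleaseView"},
    "Environment manager": set(INFRA),
}

TEAMS = [  # first two names come from the answer (roles assumed); the rest are constructed
    {"name": "Dev Team - Full Access Dev/Int", "roles": ["Project deployer"], "envs": ["dev", "int"]},
    {"name": "Dev Team - Prod View", "roles": ["Project viewer"], "envs": ["pre", "prod"]},
    {"name": "Dev Team - Infra", "roles": ["Environment manager"], "envs": ["dev", "int"]},
    {"name": "Dev Team - Hotfix", "roles": ["Project deployer"], "envs": []},
]


def audit_dev_teams(teams, roles=ROLES, protected=PROTECTED):
    """Return (team, permission, reason) findings for teams that dev users belong to."""
    findings = []
    for team in teams:
        perms = set().union(*(roles[r] for r in team["roles"]))
        envs = set(team["envs"])
        for perm in sorted(perms & (DEPLOY | INFRA)):
            if not envs:
                # A team with no environment scope applies to every environment.
                findings.append((team["name"], perm, "unscoped"))
            elif envs & protected:
                findings.append((team["name"], perm, "protected-scope"))
            elif perm in INFRA:
                # Dev can add or edit targets here: review where those targets point.
                findings.append((team["name"], perm, "infra-review"))
    return findings


if __name__ == "__main__":
    for finding in audit_dev_teams(TEAMS):
        print(*finding, sep=" | ")
```
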

(Rsp Archi Ext) #4

Hello,

Thank you so much for this detailed answer.

We’ll check this out and update you asap.

Kind regards.

(Derek Campbell) #5

Hi,

I’d love to hear how you get on.

All the best,

Derek