Machine Policy Check Roles

We have created a machine policy to verify that all tentacles are installed correctly and have correct user permissions.

But we also want to add ability to query if “standard” roles exist on the machine.
E.g. we have a role which is required on every machine.
Is it possible to add into the check if the machine has got a role? If so, how?

Hi Chris,

Thanks for reaching out! By “Standard Roles” you mean machine roles like the ones shown in the attached screenshot? Or are you talking about some config/setting in windows that also goes by the name of “role”?

If you are talking about a windows setting, then you’ll have to script that yourself.

If you are talking about a machine role as shown in the attached screenshot, then this script should do the trick:

Let me know if that helps,


I am talking about machine roles.

We have one to deploy our tooling to all machines through octopus called “shared” I wanted to make the health check warning if a machine was missing this octopus role.

Hi Chris,

If you add the below script to your Machine Policy and put the role “shared” in the $MandatoryRolesList collection, it should error out if the target machine doesn’t have that role.

Let me know if it works,


$OctopusParameters[‘Octopus.Machine.Roles’] is the bit i was looking for :slight_smile:

We have some other Octopus roles which are put in in certain conditions i also wanted to check for, but thanks for your help!

Glad to hear that helped :slight_smile:


I do have one extra question.

Is it possible to get the environment out.
I wanted to check if the machine is a part of certain environments and if so, perform an extra check with the roles

Hi Chris,

That one is going to be a bit tougher. The environment name/id is not available in the context of the machine policy script, so you’ll have to get your hands into the API to get that information.

You’ll need to do something like this:

  1. Do a GET call to http://YourOctopusServer/api/machines/[Current Machine ID]. This will return a JSON which will have an Environments collection with the IDs of all the environment this machine is part of.
    "Id": "Machines-2",
    "Name": "Listening1",
    "Thumbprint": "95CCA5DE51CB6475729CFA65655968552C2DA8B5",
    "Uri": "https://localhost:10933/",
    "IsDisabled": false,
    "EnvironmentIds": [
    "Roles": [
  1. Do a GET to /api/environments/all to get a collection of all the available environments(+). This will help you know which environment ID corresponds with which Environment Name.
    "Id": "Environments-1",
    "Name": "Development",
    "Description": "",
    "SortOrder": 0,
    "UseGuidedFailure": false,
    "Links": {
      "Self": "/api/environments/Environments-1",
      "Machines": "/api/environments/Environments-1/machines",
      "SinglyScopedVariableDetails": "/api/environments/Environments-1/singlyScopedVariableDetails"
  1. With the information of (1) and (2), cross reference the info to check on which environments the machine is on.

(+) Keep in mind that all these actions will implicate hitting the API by authenticating with a specific APIKey that belongs to a user. This user needs to have view access to all the machines and environments in order for this to succeed. I.e if the user can’t see the Production environment, when it runs a GET against /api/environments/all, the environment production won’t be on that list

Hope that helps,

Is it possible to get the parameters in the policy script updated in a future release to include environment names comma separated in the same way roles are?

Hi Chris,

The best way to make this happen would be to log a Uservoice request and have the community vote for it. We use this tool to prioritize the features we work on, and if enough users back this idea I don’t see why it couldn’t be implemented.

On a similar note, not sure if you heard about Octoposh, but it is an open source PS module that has a cmdlet called Get-OctopusMachine which will return an object with the list of environment names of your machine. Of course the caveat is that you’d need to have the module installed in each Tentacle.