Member roles per environment

Hi,

We are currently having an issue with a user who is a member of two teams, one having the Project Deployer role and the other having the Project Viewer role. The user is unable to deploy, even to tenants unique to the team with the Project Deployer role. Here is a breakdown of the two teams:

Team 1
Role: Project Deployer
Project Group: NONE
Project: Proj1
Environments: Env1, Env2, Env3, Env4
Tenants: Ten1, Ten2, Ten3, Ten4

Team 2
Role: Project Viewer
Project Group: NONE
Project: Proj1
Environments: Env1, Env2, Env3
Tenants: Ten1, Ten2, Ten3

Our user is a member of both teams. I understand that since Team 2 has more limited rights, the user will only have view rights for Env1, Env2, and Env3 as well as the overlapping tenants. However, since Env4 and Ten4 are unique to the Project Deployer team, we were under the impression that the user would be able to deploy to Ten4 in Env4. However, the user is unable to deploy to any tenants at all. Is this a defect or is there something wrong with our setup?

Any help is greatly appreciated.

Hi Lauren,

You are correct. In your scenario, that user should be able to deploy to any of the environment/tenant combinations granted by Team 1.

How are they prevented? Is an error message shown?

Regards,
Michael
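
A minimal model of the additive, scoped evaluation described in the reply above, added here as an example; it is not Octopus code and not part of the original thread. The role contents are reduced to two permissions, an empty scope is treated as unrestricted, and `Ten5` is a constructed tenant outside both teams; all of these are assumptions.

```python
from dataclasses import dataclass

# Simplified role contents (assumption): only the permissions this scenario needs.
ROLE_PERMISSIONS = {
    "Project Deployer": {"ProjectView", "DeploymentCreate"},
    "Project Viewer": {"ProjectView"},
}

@dataclass(frozen=True)
class Team:
    name: str
    role: str
    projects: frozenset
    environments: frozenset
    tenants: frozenset

    def grants(self, permission, project, environment, tenant):
        # An empty scope set means "unrestricted" in this model (assumption).
        def in_scope(scope, value):
            return not scope or value in scope
        return (permission in ROLE_PERMISSIONS[self.role]
                and in_scope(self.projects, project)
                and in_scope(self.environments, environment)
                and in_scope(self.tenants, tenant))

def is_allowed(teams, permission, project, environment, tenant):
    # Additive model: one granting team is enough, and no team removes a grant.
    return any(t.grants(permission, project, environment, tenant) for t in teams)

def deployable_tenants(teams, project, environment, all_tenants):
    # The tenant list a deploy screen should offer for the chosen environment.
    return [t for t in all_tenants
            if is_allowed(teams, "DeploymentCreate", project, environment, t)]

# The two teams from the question.
TEAM1 = Team("Team 1", "Project Deployer", frozenset({"Proj1"}),
             frozenset({"Env1", "Env2", "Env3", "Env4"}),
             frozenset({"Ten1", "Ten2", "Ten3", "Ten4"}))
TEAM2 = Team("Team 2", "Project Viewer", frozenset({"Proj1"}),
             frozenset({"Env1", "Env2", "Env3"}),
             frozenset({"Ten1", "Ten2", "Ten3"}))
ALL_TENANTS = ["Ten1", "Ten2", "Ten3", "Ten4", "Ten5"]  # Ten5 is constructed

if __name__ == "__main__":
    for env in ("Env1", "Env4"):
        print(env, deployable_tenants([TEAM1, TEAM2], "Proj1", env, ALL_TENANTS))
```

Under this model, membership of Team 2 never shrinks the list, so an empty tenant list for a member of both teams contradicts the expected behaviour.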

Hi Michael,

Thanks for getting back to me. When the user goes to deploy, they select the environment and then the tenant list is simply blank. Only once I remove the member from Team 2 do any tenants become available to deploy to.

Thanks,
Lauren

Hi Lauren,

I have attempted to recreate your scenario, but I was unable to replicate the issue.
May I ask for a little more information:

Which version of Octopus are you using?

Are there any error messages in your server log files at the corresponding time?

Could you possibly go to Configuration -> Teams -> Test Permissions, enter the affected user and export the results? You can upload the file here.

Hi Michael,

Lauren and I are working together on this one.

On login, for anyone not in the Octopus Administrators team, the following is logged:

You do not have permission to perform this action. Please contact your Octopus administrator. Missing permission: AdministerSystem (user@domain.com requesting https://octopus/api/upgradeconfiguration)

All users come from Active Directory. I haven’t found any documentation on this endpoint, so would you know why this permission is being requested?

I’ve uploaded an export of the permissions test, but many are missing from the export. None of the tenant permissions are listed.

Regards,
Vern

Hi Vern (and Lauren),

The error accessing https://octopus/api/upgradeconfiguration is unrelated. We appreciate you mentioning it though. We will make a change to ensure that error no longer appears.

One of my colleagues has also attempted to replicate your issue, and unfortunately they were also unable.

If you would like to schedule a support call, we are happy to see if we can determine the problem via a screen-share.

Michael,

We can go ahead and schedule a support call. I followed the link, but it looks like there are no business hours available to select from? Feel free to e-mail me and we can get something set up.

Thanks,
Lauren

Lauren & Vern,

Thanks to the information from the call we were able to replicate and (hopefully) squash the issue.

This will be in our next release (3.8.2) which should be available in the next day or so.

Thanks again for your patience.

Happy Deployments!
Michael

Michael,

That’s great. I’m glad you were able to find the issue and grateful for your prompt attention to the matter.

Thank you so much for all of your help. We will let you know if the update fixes the issue as soon as we are able.

Thanks!
Lauren