Minimum permissions for a service account role

Trevor_Crosse · 2 June 2014 21:17

I’ve created a new Service Account (API only user) for use from our TeamCity server and a corresponding custom role. I want this account to be only able to create releases and deploy them to our Development environment. I attempted to add just ‘create release’ and ‘deploy release’ but Octo.exe also needed access to view some information about the project steps and packages in order to actually perform the deployment. I ended up adding several ‘view’ permissions but I’m not sure if I’ve covered everything a deployment may need, or if I’ve added anything unnecessary. The permissions assigned to the role are:

@@@
BuiltInFeedDownload
BuiltInFeedPush
DeploymentCreate
DeploymentView
EnvironmentView
FeedView
ProcessView
ProjectView
ReleaseCreate
ReleaseView
VariableView
VariableViewUnscoped
@@@

Paul_Stovell · 3 June 2014 00:36

Hi Trevor,

Thanks for sharing! I think you may need to add MachineView to that list if you plan to use the --specificMachines support in Octo.exe. Otherwise, this looks like all that is needed. Thanks again!

Paul

peter_m_mcevoy · 3 June 2014 13:26

Thanks for this - was having perms issues getting build server to create releases

Vanessa_Love · 2 September 2014 04:37

Anyone stumbling on to this thread, also add TaskView to the list of required permissions.

Thanks!
Vanessa