Missing permission AdministerSystem when modifying a script module

Hi guys,

We run Octopus 3.8.8. We have a team called Variables editor. This team has these permissions:

  • Edit non-environment scoped variables belonging to a project or library variable set (restrictable to projects)
  • Edit variables belonging to a project or library variable set (restrictable to projects, environments)
  • View non-environment scoped variables belonging to a project or library variable set (restrictable to projects)
  • View variables belonging to a project or library variable set (restrictable to projects, environments)

All these permissions are not scoped by environment or projects.

Today we faced an issue where a user from the Variables editor team could not edit Script Modules.

When the user opens the script module, he sees only a dummy script (see the attached screenshot). I have done a little investigation. When I open that script, I see everything normally (600 lines of PowerShell), and when I press the Save button, Octopus runs these requests:

  • GET api/upgradeconfiguration
  • GET api/variables/variableset-LibraryVariableSets-362
  • POST api/variables/variableset-LibraryVariableSets-362
  • GET api/variables/variableset-LibraryVariableSets-362

I asked users from the Variables editor team to run all those actions. Here is the result:

  • GET api/upgradeconfiguration. Octopus returns an error: Request .../api/upgradeconfiguration, Request Method: GET, Status Code: 403, { "ErrorMessage": "You do not have permission to perform this action. Please contact your Octopus administrator. Missing permission: AdministerSystem", "HelpText": "This action requires permission to perform system-level configuration tasks and access control. None of your teams have this permission. Teams that have enough permission include: Bots: ThugKiller and Octopus Administrators." }
  • GET api/variables/variableset-LibraryVariableSets-362. Runs normally. The user gets JSON with all 600 lines of PowerShell.
  • POST api/variables/variableset-LibraryVariableSets-362. Didn’t try, but I think it should work fine too.

I think that there is a bug that variable editors don’t have permissions to change script modules. This is also strange as only Administrators can change script modules.

I’m not sure if these issues are related, but I’ve found a bug on GitHub which could cause this behaviour: https://github.com/OctopusDeploy/Issues/issues/3038

Kind regards,
Denis Titusov

Hi Denis,

Thanks for getting in touch. Below I’ve listed out the permissions needed to view/edit/create script modules:

  • To see the Script modules menu requires `VariableView` permission
  • To create a new Script module requires `LibraryVariableSetCreate` permission
  • To view an existing Script module requires `LibraryVariableSetView`, `VariableView` and `VariableViewUnscoped` permissions
  • To edit an existing Script module requires `LibraryVariableSetEdit` permission

As a side note, we have been discussing an overhaul (and hopefully simplification) of the permissions logic as part of a bigger piece of work to make it much easier to configure users access to the system.

Unfortunately, we introduced a bug (in 3.8.7) that caused unscoped variables to not be returned in variable sets and this will cause the script body of the script module to default to the Hello, Octopus script.

We have a fix in the pipeline for this and will ship it as soon as we can.

My sincere apologies for the inconvenience caused by this issue.

Thank you and warm regards,
Henrik

Hi Henrik,

Thank you very much for your response.
Do you have information about the milestone version which will include this fix?

Kind regards,
Denis Titusov

Hi Denis,

My apologies, I forgot to reply to you earlier. The fix for this was included in 3.10.1 that we released today.

Please let me know if you upgrade and it still isn’t working as expected.

Side note: the user must have the VariableView permission that isn’t limited to any team or environment to see the Script Modules menu.

Thank you and best regards,
Henrik
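
The permission requirements from Henrik's two replies, checked against the Variables editor team from the question, as an added example that is not part of the thread and is not Octopus's own code. The four permission names given to the team are an assumption mapped from the descriptions in the first post, and the restriction value used to mark a grant as scoped is hypothetical.

```python
import json
import re

# Requirements per action, as listed in Henrik's first reply.
REQUIRED = {
    "see menu": {"VariableView"},
    "create": {"LibraryVariableSetCreate"},
    "view": {"LibraryVariableSetView", "VariableView", "VariableViewUnscoped"},
    "edit": {"LibraryVariableSetEdit"},
}
# Per the later side note, the menu needs an unrestricted VariableView grant.
MUST_BE_UNRESTRICTED = {"see menu": {"VariableView"}}


def audit(grants):
    """grants: {permission: set of scope restrictions, empty set = unrestricted}.
    Returns {action: sorted list of problems}; an empty list means allowed."""
    report = {}
    for action, needed in REQUIRED.items():
        problems = [f"missing {p}" for p in needed if p not in grants]
        for p in MUST_BE_UNRESTRICTED.get(action, ()):
            if grants.get(p):  # granted, but limited by a scope restriction
                problems.append(f"{p} must be unrestricted")
        report[action] = sorted(problems)
    return report


def missing_permission(error_body):
    """Pull the permission name out of a 403 body like the one quoted above."""
    message = json.loads(error_body).get("ErrorMessage", "")
    match = re.search(r"Missing permission:\s*(\w+)", message)
    return match.group(1) if match else None


# Constructed input: the team from the question. The permission names are an
# assumption mapped from the descriptions in the post; all are unrestricted.
VARIABLES_EDITOR = {p: set() for p in
                    ("VariableEdit", "VariableEditUnscoped",
                     "VariableView", "VariableViewUnscoped")}
# Constructed input: a shortened copy of the 403 body quoted in the question.
SAMPLE_403 = json.dumps({"ErrorMessage": "You do not have permission to perform "
                         "this action. Missing permission: AdministerSystem"})

if __name__ == "__main__":
    for action, problems in audit(VARIABLES_EDITOR).items():
        print(f"{action:9} {'ok' if not problems else '; '.join(problems)}")
    print("403 names:", missing_permission(SAMPLE_403))
```

Run against the team as described, the audit reports the menu as reachable and each of create, view and edit as lacking one LibraryVariableSet permission.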