Missing permission: ProjectView for a single user on a Team

vdehaven · 28 October 2021 20:10

Hi all,

(ver. 2021.1.7738) We have an AD group hooked to a team having project edit and view rights via the Project Deployer role to a project (Projects-182). All users except one (Users-603) we have just added to the group can view this project. This issue persists through manual addition of the user to the team.
The result, regardless of our actions, is:

You do not have permission to perform this action.  Please contact your Octopus administrator.  Missing permission: ProjectView

The API (and UI) show the permissions exist:

{
    "Id": "userpermissionsets-users-603",
    "SpacePermissions": {
        "ProjectEdit": [
            {
                "RestrictedToProjectIds": [
                    "Projects-1",
                    "Projects-182",
                    "Projects-67",
                    "Projects-66",
                    "Projects-181",
                    "Projects-63",
                    "Projects-62"
                ],
                "RestrictedToEnvironmentIds": [
                    "environments-unrelated"
                ],
                "RestrictedToTenantIds": [
                    "tenants-unrelated"
                ],
                "RestrictedToProjectGroupIds": [
                    "projectgroups-unrelated"
                ],
                "SpaceId": "Spaces-1"
            }
        ],
        "ProjectView": [
            {
                "RestrictedToProjectIds": [
                    "Projects-1",
                    "Projects-182",
                    "Projects-67",
                    "Projects-66",
                    "Projects-181",
                    "Projects-63",
                    "Projects-62"
                ],
                "RestrictedToEnvironmentIds": [
                    "environments-unrelated"
                ],
                "RestrictedToTenantIds": [
                    "tenants-unrelated"
                ],
                "RestrictedToProjectGroupIds": [
                    "projectgroups-unrelated"
                ],
                "SpaceId": "Spaces-1"
            }
        ], ...

Regards,
Vern

patrick.smergut · 28 October 2021 20:57

Hi Vern,

Thanks for posting your question, and welcome to the community.

I’m not sure yet what might be causing that, but I have a few questions I hope you don’t mind answering.

First, is there any orchestration in your Project-182 process whereby this project has a “Deploy a Release” step to another project Users-603 potentially doesn’t have permissions to?

If that isn’t it, then I was wondering if you see any errors in the ‘Synchronize external security groups’ task when it last ran? You can find this under Tasks > Show Advanced Filters option > Include system tasks > Synchronize external security groups:

The Task Log should break things down by user, and you can search for the user here:

Looking forward to hearing what you find!

Best,

vdehaven · 28 October 2021 23:31

Hi Patrick,

Yes, there are five Deploy a Release steps in the project to which Users-603 does not have access, but the same goes for everyone else in the same team. I can give the team view access to those projects and have the user try again, if you think that is a plausible solution.

There are errors when synchronizing external groups, but not for this user. Those accounts which have been removed from Active Directory are 100% of the errors.

Regards,
Vern

patrick.smergut · 28 October 2021 23:57

Hi Vern,

Thanks for getting back to me with those details.

That’s interesting the other users aren’t experiencing this issue, but do they perhaps belong to other groups with roles that have ProjectView assigned or possibly the Project Deployer role for the referenced projects?

Regardless, yes, you could try giving the team view access to the other projects or you could also create another team with a role that has TeamView scoped to these projects and assign just this user to it, if that sounds better.

The AD sync errors shouldn’t be much to worry about though you might consider disabling these accounts in Octopus if you haven’t already.

Let me know how it goes!

Best,
Patrick

vdehaven · 29 October 2021 14:03

All but two users have this team as their sole membership outside of the Everyone team. I did find three users who hadn’t been deactivated in the list of AD sync failures, thank you.

I added project view rights for the five projects referenced in Deploy a Release steps to the team’s permissions, and Users-603 was able to view the parent project!

Thanks for all the help!

system · 29 November 2021 14:08

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.