Octopus accounts and certificates - custom role who can use them

Hello,

We facing with security issue on Octopus. We restricted roles CertificateView and AccountView to limited group of people. This was done, because We have some very important secrets, that must be only used by defined group (view role allow to assign this object in variable view). If developer go to Variable view of project, see error and also in Diagnostic view We see error about lack of privileges.

In our opinion there are should be possibility to see this accounts and certificates, but only defined group of people can assign It with project in variable view. For our research this cannot be made now. Could you help us with this issue ?

Best regards
Piotr

Hi Piotr,

Thank you for contacting Octopus Support.

For context, could you show me a screenshot of what your affected users are seeing on the variable page?

I look forward to hearing back from you.

Best Regards,
Donny

Hello @donny.bell,
thanks for quick response.

Developers see this hint:
image

In our opinion they shouldn’t see error, can see the account or certificate - but cannot use them in different project.

Hi @Piotr,

Thank you for getting back to me.

Just to confirm, the users that are seeing this message are unable to see any of the Project Variables on this page, correct?

Can you tell me what version of Octopus Server you are currently using? I would like to reproduce this in a test environment to confirm this behavior.

Let me know at your earliest convenience.

Best Regards,
Donny

@donny.bell

  • Developers can see others variables, but this error is little confusing.
  • Currently We using this version: Version 2021.2 (Build 7580)

Hi @Piotr,

Thank you for the quick response.

I am currently attempting to reproduce this behavior in my test environment.

I hope to be done shortly.

Best Regards,
Donny

Hi @Piotr,

Thank you for your patience. I was able to reproduce this in my test environment.

Despite the warning message, it does appear that users in this scenario would be able to adjust the Variable name and Scoping so long as they have Variable Editing permissions. However, without CertificateView, they will not be able to change the assigned Certificate.

Is the goal to have the VariableEdit users be able to see the names of the Certificates without having CertificateView assigned to the Team’s Role? I apologize if I’m quite understanding. Please feel free to provide more details about your usage scenario.

I look forward to hearing back from you.

Best Regards,
Donny

Hello @donny.bell,
thanks for your support! I try to provide more details.

However, without CertificateView, they will not be able to change the assigned Certificate.

You have right, but then error is rising. Our teams have Variable Editing permission, without Certificate View and Account View, because this permission allow them to edit assigned certificate or account. Our main goal is reduce false positive errors, reported in Diagnostic view and for project view - where developers report, that something wrong occurred, when they visiting Variables page. In our opinion permission View shouldn’t be identified as Use permission.
If you have any questions, fell free to ask.

Best
Piotr

Hi @Piotr,

Thank you for getting back to me. I think I now fully understand this issue and how it is affecting you.

I have created a GitHub issue that you may follow here:

If you have any additional questions, please let me know.

Best Regards,
Donny

Hello @donny.bell,
I’m very glad to see this issue.

Please also take into consideration by engineering team to split current View roles for Certificates and Accounts. View permission shouldn’t be identifies as Use role also. More gradual permission allow to fulfills more restrict polices in companies. For example there are should be permission to list and see this objects and separated role - Use role - that allow to use them in context of Variable Set.

Best regards,
Piotr

Hi @Piotr,

Thank you for getting back to me.

I understand the use case for creating a new tier of permission. For this, I would recommend posting this feature request to our UserVoice forums.

If there is anything else I can assist with, please let me know.

Best Regards,
Donny

1 Like