Only allow certain people to view and edit variables

Is there a way to only allow certain people to view and edit variables? We would like the DBA to be able to log in and change connection strings but no one else. We would like others to be able to use the variable.

Ref: https://github.com/OctopusDeploy/Issues/issues/4390

There used to be some limited control via role permissions, but 2019.x kinda messed that up. There is an effort to unify and improve variable handling in the GitHub project. Maybe go there and explain your use case, so OD can make sure the revamped approach can support it.

Hi Lance,

Thanks for getting in touch. I’ll build upon Aaron’s answer to clarify things a bit more. This is possible to an extent by scoping project variables by environment and creating a team with role(s) that are scoped to the same environment. For example, you could scope your production database connection string variables to your Production environment and create a DBA team that includes a role (like Project Contributor) restricted to Production as well. This means that team can only edit production variables. For project variables this approach will work. For variables inside Library Variable Sets you must also make use of the EnvironmentView permission combined with environment scoping to control access to variables. This isn’t an ideal solution as people in that team can also edit any other production variables and environment scoping is relatively broad.

This is the best option at the moment but we’re aware of the limitations. I’d recommend you add some votes towards this suggestion on our User Voice site. https://octopusdeploy.uservoice.com/forums/170787-general/suggestions/6986441-permission-attributes-for-variable-sets-library-v

Lastly, I’ll mention that variable permissions haven’t really changed since Octopus 3.0. We’ve iterated a bit with the introduction of spaces (2019.1) but the fundamentals are still there. :slight_smile:

Hope this helps!

Thanks

Rob
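The following is an added example, not part of Rob's reply and not Octopus code. It audits an exported variable list against the environment-scoping approach described above: which connection strings are scoped only to the DBA team's environment, which fall outside it, and which other variables that team can also edit. The JSON layout, the sample data, the `is_connection_string` naming rule and the edit model (a team can edit a variable only when every environment in its scope is one of the team's) are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of a variable-set export (assumed layout:
# a "Variables" list whose items carry "Name" and "Scope" -> "Environment").
SAMPLE_EXPORT = json.loads("""
{"Variables": [
  {"Name": "Db.ConnectionString", "Scope": {"Environment": ["Production"]}},
  {"Name": "Reporting.ConnectionString", "Scope": {"Environment": ["Production", "Test"]}},
  {"Name": "Cache.ConnectionString", "Scope": {}},
  {"Name": "Api.Key", "Scope": {"Environment": ["Production"]}},
  {"Name": "Log.Level", "Scope": {"Environment": ["Test"]}}
]}
""")


def environments(variable):
    """Return the set of environments a variable is scoped to (empty = unscoped)."""
    return set(variable.get("Scope", {}).get("Environment", []))


def audit(export, team_envs, is_protected):
    """Classify variables against a team whose role is restricted to team_envs.

    Assumed model: the team can edit a variable only when the variable is
    scoped and every environment in its scope is one of team_envs.
    """
    report = {"protected_ok": [], "protected_outside_team": [], "team_can_also_edit": []}
    for var in export["Variables"]:
        envs = environments(var)
        team_only = bool(envs) and envs <= team_envs
        if is_protected(var["Name"]):
            key = "protected_ok" if team_only else "protected_outside_team"
        elif team_only:
            key = "team_can_also_edit"
        else:
            continue
        report[key].append(var["Name"])
    return report


def is_connection_string(name):
    # Hypothetical naming convention for the variables the DBA team should own.
    return name.lower().endswith("connectionstring")


if __name__ == "__main__":
    result = audit(SAMPLE_EXPORT, {"Production"}, is_connection_string)
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The `team_can_also_edit` bucket is the limitation Rob mentions: anything else scoped to Production is editable by the same team.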

Hi @robpearson, by changes in 2019.x I was referring to things like in 2019.3.5 the LibrarySetView permission is required for ProjectView, which wasn’t the case in 2018.x. On a separate topic @nick told me this is a 2019.x bug and will be fixed in a future release.

2 Likes

Thanks for the clarification @Aaron_R. :+1:

The ‘LibrarySetView’ bug introduced in 2019.x where it was wrongly required for Project View has been fixed in 2019.9.0 :partying_face:

Now if Process View could just display Step icons without full ActionStepView access, I could get back to my 2018.x happy place :smile: