Hi Michael,
Sorry for the delay here. The reason behind it is that I wanted to ask around the team for a few opinions about some of the points you brought up. I’m gonna answer them 1 by 1:
Query about segregating permissions for the Audit log
This is something that has been discussed before in the team, and we even have a Github issue created to implement this enhancement. We haven’t started to work on it, but we will do it eventually (probably after we ship 3.4
). You can track its progress on this link: https://github.com/OctopusDeploy/Issues/issues/2526
1) going to a project and clicking releases I see nothing. (See attached) In order to view a release, I can only go through the dashboard.
The Dashboard shows the releases, deployments and their status. When the users tries to see the same info from the Project Overview page (/app#/projects/[Project Name]
), even though that seems as if it was the same info as in the dashboard, it also shows the Channel for which that release was created. So to be able to see info in the Overview page, the user needs to be able to see the channels as well. We don’t have segragated permissions for channels and they are bundled along with ProcessView
2) Similarly, still on the VariableView permission, I have given the same Reviewers team that permission only to be told I actually needed the ProcessView permission. (See attached)
Variables can be scoped to Machines, Environments, Roles, Channels and Steps. For the user to be able to see the steps, it needs ProcessView
. Hence this error message.
Viewing the processing implies you can add a step even though you do get an error about needed the FeedView permission. Similarly, apparently having access the Library tab at all gives you access to see script modules. On that Reviewers team, on none of its roles have I told it that I want to see that but it’s given anyway. Similarly, simply having FeedView apparently means I can add external feeds even though it is a “view” permission. I don’t want just anyone being able to bring in outside packages just because they can test to make sure the packages they need are available to Octopus. The AdministerSystem permission is apparently required to actually add them which is confusing why that action was lumped with that permission.
I’ve discussed this with our UI/UX person and she took note of it to improve the overall experience in these cases. While I definitely share your thoughts on “why showing a button if you don’t actually have permissions for it?”, I was also once learning about Octopus and messages such as “You are missing X permission” were really helpful to get the grasp of which permissions I actually needed. Right now we do have some different behaviors depending on the page you are standing, and we are currently working on choosing 1 path/set of rules and going forward with it on the entire site.
Best regards,
Dalmiro