Prevent space administrator from deploying

Hello All,

We have a pipeline that works well. The development team is separate from the business team. The business team approves the deployment to PROD, and this satisfies the requirement that the same person who committed code is not deploying to prod. However, there is one exception: the space administrator. This person can approve whatever step. On one hand we need this user, as this is someone who drives the entire dev-ops of the team, but on the other hand this opens up the issue above. In our case there is no dedicated dev-ops team and it is all one technical team that does everything.

Outside of removing the person with git access from the space administrator role, is there anything else that can be done here?

Thank you

Hi @kshatalov,
Are you using Manual Intervention steps to control who deploys to PROD or are you controlling this by other permissions around environments currently?

Thanks,
Mark

Wow sorry about not replying. This totally skipped my mind.
Currently we control it by Manual Intervention step which is assigned to a team that has rights to approve.

Hi @kshatalov,

I did some local testing. I had in my process:
Step 1 - Manual Intervention scoped to Prod, team allowed to approve == QA.

The user I’m logged in as is Space Manager and Octopus Manager (not on the QA team), and when deploying to prod, this user is not able to approve or assign the intervention to themselves.

Can I please ask what version of Octopus you’re currently running? I’m wondering if your version potentially has a bug in this area.

Can you also please let me know which teams the Admin is in that you don’t want to be able to approve the intervention?

Best,
Jeremy

Thank you for the reply. I just tested and it does indeed work as expected. We are on the latest version now, 2022.4 (Build 8319), and I think the server was upgraded from a much older version recently.

However, what about the actual deploy action?

  • I created a new project and gave it a lifecycle
  • When I create a release I see the “deploy” button
  • I checked and as far as I can see the only group that would give me this access would be space admin.

Hi @kshatalov,

Whilst the space admin might be able to initiate a deployment, unless they are also members of the specific team listed in the intervention step, they wouldn’t be able to approve it, and the deployment wouldn’t go anywhere.

Are you wanting to prevent this user from ever deploying?

If not, then it may be a case of examining the other available user roles to see if any of the ones without the DeploymentCreate permission also have the other permissions the user requires (Project Lead, for example). Or you could create a custom role with the exact permissions the role needs.

Regards,
Paul

Thank you, I understand. So, it sounds like there is no way to stop space admin from deployment. However, the user can be stopped by making sure he has no access to approve (via some team).

Removing the DeploymentCreate from the space admin would stop them from being able to deploy.

But if that isn’t an option for you then the intervention step would mitigate it.
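
The separation-of-duties check discussed in this thread, as an added example that is not part of the original posts and not Octopus code: it classifies each committer by whether they hold DeploymentCreate and whether they sit on a team allowed to approve the Manual Intervention step. The data layout, user names, team names, the role-to-permission mapping and the "Approver" role are constructed assumptions, not an Octopus export format.

```python
# Constructed sample data; this layout is an assumption, not an Octopus export.
ROLE_PERMISSIONS = {
    "Space Manager": {"DeploymentCreate", "ReleaseCreate"},
    "Project Lead": {"ReleaseCreate"},  # no DeploymentCreate, as noted in the thread
    "Approver": set(),                  # hypothetical custom role
}
TEAMS = {
    "Space Managers": {"roles": ["Space Manager"], "members": {"alice"}},
    "Developers": {"roles": ["Project Lead"], "members": {"alice", "bob"}},
    "Business": {"roles": ["Approver"], "members": {"carol"}},
}
APPROVER_TEAMS = {"Business"}  # teams named on the Manual Intervention step
COMMITTERS = {"alice", "bob"}  # users with git write access


def permissions_of(user, teams, role_permissions):
    """Union of permissions from every role on every team the user is in."""
    perms = set()
    for team in teams.values():
        if user in team["members"]:
            for role in team["roles"]:
                perms |= role_permissions.get(role, set())
    return perms


def can_approve(user, teams, approver_teams):
    """True if the user belongs to a team allowed to approve the intervention."""
    return any(user in teams[t]["members"] for t in approver_teams if t in teams)


def audit(teams, role_permissions, approver_teams, committers):
    """Classify each committer as 'violation', 'mitigated' or 'ok'."""
    findings = {}
    for user in sorted(committers):
        deploys = "DeploymentCreate" in permissions_of(user, teams, role_permissions)
        if can_approve(user, teams, approver_teams):
            findings[user] = "violation"  # can approve a deployment of own code
        elif deploys:
            findings[user] = "mitigated"  # can start a deploy, blocked at approval
        else:
            findings[user] = "ok"
    return findings


if __name__ == "__main__":
    for user, status in audit(TEAMS, ROLE_PERMISSIONS, APPROVER_TEAMS, COMMITTERS).items():
        print(f"{user}: {status}")
```

Re-running the audit whenever team membership changes catches the case where a committer is later added to an approving team.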