Here are the facts:
• We are using Octopus 2.6.0.778
• We use active directory for logging into Octopus and only those who have been put into a group can access it.
• We have a number of teams.
• Some of our teams have multiple Roles
• Some of our Roles have been customized
• The “Everyone” team has the Role “Event Viewer” and that is all. This Role has the permission “VariableView” (amongst a number of other viewing variable) with the scope of this Team set to all Projects and all Environments.
• We have another team “Application Development Team – Developers” and this Team has a custom Role set which has the permission “VariableEdit” (amongst and number of others) with the scope of this Team set to Debug, Test and PPTE and all Environments.
• Obviously any user that is in the “Application Development Team – Developers” Team is also in the “Everyone” Team.
What we want is:
We want anyone who is put in our AD group to go into the “Everyone” Team and (amongst other things) be able to view all variables for all projects and all environments BUT not be able to edit them in any way. Then if we choose to we assign then to the “Application Development Team – Developers” Team and then they should be able to view and edit variables up to the PPTE environment (amongst other things), But still be able to view (but not edit) variables for Prod and DR.
The problem is:
This is not what is happening. With our settings configured as above Users assigned to the “Application Development Team – Developers” Team can view all variables in all environments but cannot edit variables at all.
We have found that if we remove the Role “Event Viewer” from the “Everyone” team, or the permission “VariableView” from the Role “Event Viewer” in this team users in the “Application Development Team – Developers” Team are then able to view edit variables if we add the “VariableView” permission to the Role associated with that team. But of course this only lets them view variables up to PPTE and not beyond.
We have tried:
Removing all roles from the “Everyone” team and then creating a whole new team with the Role “Event Viewer” with the permission “VariableView” and scoped to PROD and DR and then adding everyone to it but this did not work either.
It seems as soon as the permission “VariableView” is assigned to the same users that are in the “Application Development Team – Developers” Team they lose their ability to edit variables.
Any light you can shed on this would be appreciated.