Problem with permissions on teams and roles seeming to conflict

Here are the facts:

• We are using Octopus 2.6.0.778
• We use active directory for logging into Octopus and only those who have been put into a group can access it.
• We have a number of teams.
• Some of our teams have multiple Roles
• Some of our Roles have been customized
• The “Everyone” team has the Role “Event Viewer” and that is all. This Role has the permission “VariableView” (amongst a number of other viewing variable) with the scope of this Team set to all Projects and all Environments.
• We have another team “Application Development Team – Developers” and this Team has a custom Role set which has the permission “VariableEdit” (amongst and number of others) with the scope of this Team set to Debug, Test and PPTE and all Environments.
• Obviously any user that is in the “Application Development Team – Developers” Team is also in the “Everyone” Team.

What we want is:
We want anyone who is put in our AD group to go into the “Everyone” Team and (amongst other things) be able to view all variables for all projects and all environments BUT not be able to edit them in any way. Then if we choose to we assign then to the “Application Development Team – Developers” Team and then they should be able to view and edit variables up to the PPTE environment (amongst other things), But still be able to view (but not edit) variables for Prod and DR.

The problem is:
This is not what is happening. With our settings configured as above Users assigned to the “Application Development Team – Developers” Team can view all variables in all environments but cannot edit variables at all.
We have found that if we remove the Role “Event Viewer” from the “Everyone” team, or the permission “VariableView” from the Role “Event Viewer” in this team users in the “Application Development Team – Developers” Team are then able to view edit variables if we add the “VariableView” permission to the Role associated with that team. But of course this only lets them view variables up to PPTE and not beyond.

We have tried:
Removing all roles from the “Everyone” team and then creating a whole new team with the Role “Event Viewer” with the permission “VariableView” and scoped to PROD and DR and then adding everyone to it but this did not work either.
It seems as soon as the permission “VariableView” is assigned to the same users that are in the “Application Development Team – Developers” Team they lose their ability to edit variables.

Any light you can shed on this would be appreciated.

Here is a screen shot of the test permissions screen and this user cannot edit variables in the test environment

Hi David,

Thanks for getting in touch!

It sounds like you may have run into this issue where if a user has view only permission to a variable in an environment and edit permission in another, neither is editable. This issue was fixed in 2.6.2, are you in a position where you could upgrade to this version and see if that resolves the issue?

Hope that helps!

Thank you and best regards,
Henrik

Henrik,

We will attempt to do so asap….one question, are we able to upgrade to the latest octopus for free, I have been asked to check by my colleges. We have a licence if you need me to verify I can.

Cheers

Dave

Hi David,

I’ve checked your license, and you’re still within your support maintenance, so yes you can upgrade to latest Octopus version. Although going from 2.x to 3.x is quite a big upgrade but would be well worth it for many reasons :slight_smile: You can still upgrade to 2.6.2 as well for free though if you wanted to get around this issue before moving to 3.x

I hope that helps!

Thank you and best regards,
Henrik