Restrict editing variables in Variable Set by Environment

I am trying to restrict editing variables in a Variable Set by the scoped Environment, but the permissions do not seem to work.

For example, I have the VariableEdit permission for our Dev environment, but do not have VariableEdit for Prod. I also have LibraryVariableSetEdit for Dev, but not for Prod.

I cannot edit a Prod-scoped variable in a Project, but can still edit a Prod-scoped variable in a Variable Set.

Are these permissions working as intended? If so, how would I manage variables using a Variable Set and prevent users from editing Prod variables?

We have set up some variables (like the DB password) as “sensitive” variables. This prevents people from reading them in the Octopus interface – but would be easy to get around by assigning that variable to the Dev scope, deploying the project, and then viewing the config file on the Dev server.

Do you have any suggestions for allowing developers to add/edit variables as needed for Dev/Test environments, while protecting the values scoped to Prod?

Hi @bbeard,

Thanks for getting in touch! It looks like you are hitting the following issue here:

This has been a persisting problem for a while now and is absolutely not working as we would like. It seems like a fairly simple permissions fix at a glance, but the resolution is not so straightforward. We understand that it causes a big gap in our permissions, especially with scenarios such as yours where you would like to restrict sensitive values in your library set variables.

We are actively working towards a resolution for this issue and hope to have this resolved soon, though I am not able to give you a timeline or clearer definition of “soon”.

If you have any further questions about this, please do not hesitate to let me know.

Best regards,
Daniel

Hello @Daniel_Fischer,

This seems like a major security issue if we can’t restrict access to sensitive variable values by Environment. Do you have any suggestions for mitigating this while we are waiting for a more optimal solution?

Thanks,
-Brian

Hi Brian,

Thanks for getting back. Currently this only applies to Library Set Variables; you are still able to scope Project Variables by environment correctly. We do understand that this is a big security issue for our Library Variable Sets.

The only option we can suggest at this time is to use Project Variables for your sensitive values until this is resolved.

Best regards,
Daniel
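
An added example, not part of the thread and not Octopus's own code: a small audit for the workaround suggested above, listing sensitive Library Variable Set variables that reach Prod (scoped to it, or not scoped to any environment) so they can be moved to Project Variables. The JSON field names (`Variables`, `IsSensitive`, `Scope.Environment`, `ScopeValues.Environments`) are assumed to match an exported variable set document, and the sample data is constructed.

```python
import json

# Constructed sample; field names are an assumption about the exported document shape.
SAMPLE_VARIABLE_SET = json.loads("""
{
  "OwnerId": "LibraryVariableSets-1",
  "ScopeValues": {"Environments": [
    {"Id": "Environments-1", "Name": "Dev"},
    {"Id": "Environments-2", "Name": "Prod"}
  ]},
  "Variables": [
    {"Name": "Db.Password", "IsSensitive": true,  "Scope": {"Environment": ["Environments-2"]}},
    {"Name": "Db.Password", "IsSensitive": true,  "Scope": {"Environment": ["Environments-1"]}},
    {"Name": "Api.Key",     "IsSensitive": true,  "Scope": {}},
    {"Name": "Db.Server",   "IsSensitive": false, "Scope": {"Environment": ["Environments-2"]}}
  ]
}
""")


def variables_to_move(variable_set, protected_env_names):
    """Return (name, reason) for each sensitive variable that reaches a protected environment."""
    # Variables reference environments by Id, so map the protected names to Ids first.
    environments = variable_set.get("ScopeValues", {}).get("Environments", [])
    protected_ids = {e["Id"] for e in environments if e["Name"] in protected_env_names}

    findings = []
    for var in variable_set.get("Variables", []):
        if not var.get("IsSensitive"):
            continue
        scoped_envs = (var.get("Scope") or {}).get("Environment", [])
        if not scoped_envs:
            # No environment scope means the value is used in every environment.
            findings.append((var["Name"], "unscoped: applies to every environment"))
        elif protected_ids & set(scoped_envs):
            findings.append((var["Name"], "scoped to a protected environment"))
    return findings


if __name__ == "__main__":
    for name, reason in variables_to_move(SAMPLE_VARIABLE_SET, {"Prod"}):
        print(f"{name}: {reason}")
```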
