Is there a way to restrict access to a deployment target to certain users/teams?
Here’s the scenario to give you a better idea of why I’m asking:
My company has the Octopus Enterprise edition, so one Octopus server used by multiple teams to deploy applications out to many different targets. Team A wants to deploy applications out to a group of servers, but they don’t want to make those servers available to others teams. Is there a way that we can restrict that group of servers so that only projects that Team A has permissions for can use those servers?
I know we can use target roles to group servers together, say by giving them all a “Team A” role. But from what I can tell, that doesn’t prevent someone in Team B from having a deployment step run on the “Team A” role. Are there any permissions surrounding targets or target roles that would prevent Team B users from deploying to Team A targets?
Thanks for reaching out. You cannot restrict permissions by targets, but you can do it by environments by scoping the team that grants permission to specific (environments).
Would that work for you?
Thanks for the quick response. Please correct me if I’m wrong, but if I understand correctly, are you saying then that Team A could be granted permissions to deploy to Production (where the group of servers are located) but Team B would only have permission to deploy to development/test environments? If that is the case, then what if Team B has it’s own targets in the Production environment that it needs to deploy to?
They key here is that you can have multiple development,test and production environments. And you can also have the same targets in more than one environment at the same time.
then what if Team B has it’s own targets in the Production environment that it needs to deploy to?
Let’s say you have 4 production targets called T1-4. You want TeamA to be able to deploy to the 4 of them, so you put them on an environment called Production_A that only TeamA can deploy to.
Now you also want TeamB to be able to deploy to targets T1 and T2. For that you can also put these two machines in a new environment called Production_B that only TeamB can deploy to.
Hope that makes sense. Let me know if it doesnt
Ah I understand, that makes sense. Thank you!