User cannot edit common variable even when he has the permission

Hi,

We have a tenanted setup with multiple projects linked to the tenants. We have a support engineer who needs to be able to change tenant variables (which are derived from libraryVariableSets).
This works nicely for him on the environment-scoped tenant variables, but if he changes a common variable for this tenant he is faced with an error:

“You do not have permission to perform this action. Please contact your Octopus administrator. You can’t modify Common Variables because you don’t have access to all projects and/or all environments this tenant is connected to.”

Does this really mean he needs access to all projects? I only want him to be able to change 1 specific project to which his permissions are scoped. If they are common, it should not matter, right? Or is there some background logic that needs to update all projects when changing a common variable?

His VariableEdit and VariableEditUnscoped permissions are given only on the projects he’s working on.

Hi @friss,

Thanks for reaching out and I’m sorry to see you’re having issues.

It does look like common variables will have to have access to all projects that those variables would use.
We have some documentation here outlining that: Tenant variables - Octopus Deploy
One reason the user needs access to all projects is in the doco here:

However, we don’t take a snapshot of tenant variables. This enables you to add new tenants at any time and deploy to them without creating a new release. This means any changes you make to tenant-variables will take immediate effect.

I did some quick testing and it does look like you could create a new role and scope it to have access to all projects that use those common variables, but limit them to only 1 tenant instead. This should give the Team access to the common variables as needed for this tenant based on my test.

Please let me know if you have any further questions.

Regards,
Garrett
