User with AuditView and EventView for project cannot see deployment process change audit records

Hi,
Using Octopus 3.7.10

One of our Octopus users who has AuditView and EventView for a project cannot see deployment process change records on the audit page. However, someone with SystemAdministrator roles can see them.

Just after the user was using the filter page I saw these entries in the diagnostic log:
1/3/2017 2:29:42 PM -05:00 [Warning] You do not have permission to perform this action. Please contact your Octopus administrator. Missing permission: EventView (fname.lname@example.com requesting http://octoserver/Octopus/api/events/groups)
1/3/2017 2:29:42 PM -05:00 [Warning] You do not have permission to perform this action. Please contact your Octopus administrator. Missing permission: EventView (fname.lname@example.com requesting http://octoserver/Octopus/api/events/categories)

I’m not sure if it is related. The user also doesn’t see the Event Groups and Events as items in the Audit Filter.

Is this expected behavior? Is there a permission missing that we can add to allow them to see audit records for process changes?

Thanks,
-Brian

Hi Brian,

Regarding the permission errors on /api/events/groups and /api/events/categories, this was a bug. I have created (and committed a resolution) for this. This should ship in the next release (sometime in the next day or so).

Regarding not being able to view Deployment Process Modified events, I was unable to replicate this. I created a user who was a member of a team with a role containing the EventView and AuditView permissions. The Team was scoped to a Project. The user had no other permissions. This user was able to view Deployment process changed events.

If you run ‘Test Permissions’ for the user, do they have EventView for the project in question (as shown in the attached image)? If so, could you possibly Export the permissions for the user (the ‘Export’ button is also shown in the image)?

Regards,
Michael

Hi Michael,

Yes, the user has AuditView and EventView for a project. There are two EventView lines in the file based on permissions being different in production and non-production, primarily the ability to deploy in non-prod.

Could you send me a secure way to upload the export to you rather than post on the forum?

Thanks,
-Brian

Brian,

You can upload the export here.

If you could please also update this thread once you have uploaded the file, then I shall investigate further.

Hi Michael,
I’ve uploaded the file.
-Brian

Hi Brian,

Using your exported permissions, I was able to replicate the issue.

The issue is, because your Team is scoped to Projects and Environments, our authorization-engine is restricting the viewing of events to those scoped appropriately. DeploymentProcessModified events aren’t scoped to an Environment, so aren’t being shown.

I have created an issue for this, which we will resolve as soon as possible.

In the meantime, may I suggest a work-around?
You could split the Team/s that grant that permission into two. e.g.

  • Team A: All current permissions except EventView (restricted to both Project/s and Environment/s)
  • Team A - Events: EventView (restricted to Project/s, no Environment restrictions), and AuditView

Team A - Events would grant permission to view events for the scoped projects, for all environments. As long as this is acceptable, this solution should work.

I hope that makes sense. Please let me know if it does not.

We apologize for any inconvenience.

Regards,
Michael
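
A simplified model of the scoping behaviour described in the reply above, as an added example that is not part of the original thread and is not Octopus's authorization code. The `Grant` and `Event` classes, the project and environment names and the `SampleDeployment` category are assumptions; it shows why the process-change event is hidden and which extra events the workaround exposes.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Grant:
    """One permission granted via a team; an empty scope set means unrestricted."""
    permission: str
    projects: FrozenSet[str] = frozenset()
    environments: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Event:
    category: str
    project: str
    environment: Optional[str] = None  # process changes carry no environment


def grant_allows(grant: Grant, event: Event) -> bool:
    """Behaviour reported in the thread: every scope on the grant must match."""
    if grant.permission != "EventView":
        return False
    if grant.projects and event.project not in grant.projects:
        return False
    # An environment-scoped grant only matches events that carry one of its
    # environments, so an event with environment=None is filtered out here.
    if grant.environments and event.environment not in grant.environments:
        return False
    return True


def visible(grants: List[Grant], events: List[Event]) -> List[Event]:
    """Events a user can see when holding the given grants."""
    return [e for e in events if any(grant_allows(g, e) for g in grants)]


# Constructed sample data; only DeploymentProcessModified comes from the thread.
EVENTS = [
    Event("DeploymentProcessModified", "Projects-1"),
    Event("SampleDeployment", "Projects-1", "Dev"),
    Event("SampleDeployment", "Projects-1", "Production"),
    Event("DeploymentProcessModified", "Projects-2"),
]
# Before: EventView scoped to a project and an environment (original Team A).
BEFORE = [Grant("EventView", frozenset({"Projects-1"}), frozenset({"Dev"}))]
# After: EventView moved to "Team A - Events", scoped to the project only.
AFTER = [Grant("EventView", frozenset({"Projects-1"}))]
```

Comparing `visible(BEFORE, EVENTS)` with `visible(AFTER, EVENTS)` shows the trade-off to review before applying the workaround: the process-change event appears, and so do the project's events from every other environment.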

Thanks Michael for opening the issue and suggesting the workaround.

We’ll review and figure out the best way to grant permissions on the projects without scoping the permission to environment. We may just wait to see what happens with the issue rather than create more groups.

Thanks again,
-Brian