Users access issue for Octopus Deploy

(Ramana Rainn) #1

I’ve two questions regarding user access for Octopus Deploy:

  1. We are using the Teams tab in Configuration to manage user access for different portfolios in Octopus Deploy. We’ve observed that authenticated users in AD are able to access the Octopus Web by default and they were added to the Everyone group. Since the Everyone group doesn’t have any roles assigned, they can’t see any existing groups or projects. But this issue was raised by our auditors, who asked why users are listed in the application even though they are not part of any specific groups. We had to delete users manually every time we found any unauthorized users in the Everyone group.

Is there any specific reason why you are allowing authenticated users to access Octopus Web by default? Ideally it should show some type of access denied error when unauthorized users try to access Octopus Web. Let me know your thoughts on this.

  2. We would like to control user access to global variables in variable sets in the Library. Initially we had only one team, so there was no problem. Now we are expanding to different departments in our company to consume Octopus Deploy. I was able to control the access to Projects and Environments by using Groups so that they can see only their own groups and projects. But I don’t see any option to control the access for Variable sets in the Library. It’s very important that users should not see any other group’s variables, as we use variable sets for common database names and instances for our projects. Is there any workaround for this issue or any future enhancement in the pipeline? I’m sure that our auditors will not allow this access. Let me know on this.

(Daniel Fischer) #3

Hi @ranraq,

Thanks for getting in touch! For your first question, Octopus does not allow users to not be a member of the Everyone group. In order to stop Octopus creating a user for each AD user who logs in, you can disable the Allow Auto User Creation button under Settings -> Active Directory on your Octopus server, or run the below command.

Octopus.Server.exe configure --activeDirectoryAllowAutoUserCreation=false

We have a documentation page with some further details on this.

As for your second question, we do not currently have the ability to scope individual Library Variable Sets this way. Currently the only way to segregate the Library variable sets is to use our Spaces feature and have each set in a different space. This option is not exactly a great workaround though.

Hopefully we can address this in the future, but at the moment the functionality for restricting access here is a bit limited.

Let me know if you have any further thoughts or questions here.

Best regards,
Daniel
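
An added example (not part of the thread and not Octopus code): a small audit that lists accounts whose only membership is the implicit Everyone team, the condition the auditors raised in the first question. The field names, the `teams-everyone` id, the `ad_groups` lookup and the sample export are assumptions modelled on Octopus user and team resources; check them against your own server.

```python
import json

# Assumption: id of the built-in Everyone team; confirm it on your server.
EVERYONE_TEAM_ID = "teams-everyone"

# Constructed sample export (not real accounts). Field names are assumptions
# modelled on Octopus user and team resources.
USERS = json.loads("""[
  {"Id": "Users-1", "Username": "alice",  "IsService": false},
  {"Id": "Users-2", "Username": "bob",    "IsService": false},
  {"Id": "Users-3", "Username": "carol",  "IsService": false},
  {"Id": "Users-4", "Username": "svc-ci", "IsService": true}
]""")
TEAMS = json.loads("""[
  {"Id": "teams-everyone", "Name": "Everyone",
   "MemberUserIds": [], "ExternalSecurityGroups": []},
  {"Id": "Teams-21", "Name": "Payments Deployers",
   "MemberUserIds": ["Users-1"], "ExternalSecurityGroups": []},
  {"Id": "Teams-22", "Name": "HR Deployers",
   "MemberUserIds": [], "ExternalSecurityGroups": [{"Id": "S-1-5-21-EXAMPLE-1105"}]}
]""")
# Constructed: AD group ids per username, resolved from the directory separately.
AD_GROUPS = {"bob": {"S-1-5-21-EXAMPLE-1105"}, "carol": {"S-1-5-21-EXAMPLE-9999"}}


def find_everyone_only_users(users, teams, ad_groups):
    """Return sorted (username, kind) pairs for accounts in no team but Everyone."""
    direct, mapped_groups = set(), set()
    for team in teams:
        if team["Id"] == EVERYONE_TEAM_ID:
            continue  # every account is in Everyone, so it proves nothing
        direct.update(team.get("MemberUserIds", []))
        mapped_groups.update(g["Id"] for g in team.get("ExternalSecurityGroups", []))
    flagged = []
    for user in users:
        if user["Id"] in direct:
            continue  # explicitly added to a real team
        if ad_groups.get(user["Username"], set()) & mapped_groups:
            continue  # reaches a team through an AD group mapping
        kind = "service" if user.get("IsService") else "user"
        flagged.append((user["Username"], kind))
    return sorted(flagged)


if __name__ == "__main__":
    for name, kind in find_everyone_only_users(USERS, TEAMS, AD_GROUPS):
        print(f"{name} ({kind}): member of Everyone only")
```

If the AD group lookup is left empty, accounts whose access comes only through a group mapping are flagged as well, so resolve directory memberships before treating the list as removal candidates.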

(Ramana Rainn) #4

Thanks, Daniel, for the response.

I’ve scoped environments to all Global variables for each group and advised users to scope environments for new variables in the Global variable set. This way they can see only their environments from Groups.

Let me know if this approach is ok.