Hi Ge,
These sound pretty sensible to me. What I’m torn about is whether to treat the Everyone Team in Octopus as a special case, thereby changing how we interpret the External Groups associated with that team.
In today’s interpretation, if an Octopus Team is associated with two AD groups, these groups are combined as an OR: “AD Users who are members of ANY of these groups will be automatically added to this Octopus Team.” Put another way, it’s interpreted as an “inclusive allow”.
Option 1: We make the Everyone Octopus Team even more “special” than it is today. If the Everyone Team is associated with two AD groups, these groups are still combined as an OR, but treated as a requirement to even get in the door: “AD Users who are members of ANY of these groups will be considered as members of the Everyone Team. AD Users who are NOT members of ANY of these groups will be DENIED access to Octopus altogether.”
Option 2: We leave the Octopus Team + AD Group association alone, but add an extra option to the Active Directory Authentication Provider (Configuration > Settings > Active Directory) like this:
Members of the following Active Directory Groups will be granted access to Octopus:
Everyone (default)
OR
Members of the following Active Directory Groups will be granted access to Octopus:
SpecialGroup1, SpecialGroup2
I’m leaning towards Option 2, making sure there are appropriate pointers for people to find this configuration from the Everyone Team if that’s where they start looking.
What do you think?
Mike