What permissions are needed to allow users to delete deployments?

Hi,
We’re trying to give some users permissions to delete deployments (Octopus Server, 2022.1.2744). We created a new custom role with two permissions - “DeploymentDelete” and “DeploymentView” (the latter which is automatically selected when selecting DeploymentDelete). Then we added this role to a team with scope set for our dev/staging environments. However, the members of that team still cannot delete deployments for these environments. The option to delete doesn’t show up (it does for the admins, so I know we’re looking at the right place).

Is there any other permissions that are also required for DeploymentDelete to function properly? Or is this a bug? We do plan to upgrade to the latest version of Octopus Deploy soon, so if it’s fixed in later versions then I apologize.

Thank you

Hi @hallgeir.osterbo,

Thanks for getting in touch, and good question! Since deployments are associated with an environment and a release, and releases are associated with a project, I imagine you would need view permissions against those in addition to the DeploymentView/Delete permissions you have set. I.e. ProjectView, ReleaseView and EnvironmentView. I imagine those will be the only ones required to allow this user to delete these deployments.

I hope that helps, and please let me know how you go!

Best regards,

Kenny

Hi,
All of these permissions are already in place from other roles on the same team.
Do you think we would need ReleaseEdit as well? Since deployments are part of a release…

Hi @hallgeir.osterbo,

Kenny has finished up for the day, but I wanted to get a solution for you.

I have played around with a test user and removed all of their permissions, then slowly built them back up until I was able to delete the deployment from the Space. This is what I was required to provide the user with:

DeploymentDelete

DeploymentView
EnvironmentView
LifecycleView
ProcessVIew
ProjectGroupView
ProjectView
ReleaseView
TaskView
TenantView

Due to my permission structure the user also has the following three permissions set at a system level. I’m not sure these permissions will be required, but if the above doesn’t allow the user to view and delete deployments, then add the following three.

TeamView
UserView
UserRoleView

Custom permissions can get quite tricky, so hopefully this gets you unstuck.

Please, let me know how you go.

Regards,

Hi,
thanks for your reply on this.

I’ve checked and all of these permissions are indeed in place already, through other roles/teams for the same user.

Is there any limitations when setting DeploymentDelete for specific environments? Because we have set the scope for the role in question for only our dev/stage environments.

Hi @hallgeir.osterbo,

These will need to be set for all environments that the project has been deployed to.

To be more precise, based on some previous work around permissions, I believe some of the permissions are required for All Environments in the space, some are for all environments the project can be deployed to and some are only required for Environments the project has already been deployed to.

So all environments would be your safest option but try scope the permissions to at least any environment listed in the lifecycle connected to the project and see how that goes.

Kind Regards,