Forbid password decryption/editing/creation for some environments #157
Description
Firstly, is there a way to forbid password decryption for some environments?
For example, in an enterprise organisation, only ops can view the production passwords...
As it stands, I have activated Access Control Management in my repository. I have created a team that has Read/Write access only if the environment is not "production". It works fine, but the problem is that the members of this team can decrypt production passwords.
A simple solution to implement: only decrypt passwords that the user has Read/Write access to.
What do you think of that?
Secondly, is there a way to allow editing "production"-scoped non-encrypted config and forbid editing "production"-scoped encrypted config?
Again, in an enterprise organisation, we can easily imagine that developers manage all of their application configuration except for the production passwords, which are reserved to ops.
The RBAC management doesn't allow differentiating non-encrypted config from encrypted config.
I have found a way to manage that by creating a new scope called "edit_access", which can be set to "*" or "ops". Thanks to RBAC rules, developers can edit all configuration except the entries whose "edit_access" scope is set to "ops".
Not very user-friendly.
I think my issue is linked to this issue: #70
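To make the two requests concrete, here is an added Python model of the policy logic described in this issue. It is not the project's code and does not use its real rule syntax: the `Rule` and `Entry` types, the predicate format and the sample entries are constructed for this illustration. It encodes the team setup from the report (Read/Write outside production, read-only inside it), ties decryption of encrypted values to write access as the first proposal suggests, and expresses the "edit_access" workaround as an extra scope so the two approaches can be compared on the same entries.

```python
"""Toy policy model for the two gaps raised in the issue (added illustration).

Not the project's code: the Rule/Entry types, the rule syntax and the sample
entries below are constructed for this example. Config entries carry scopes
such as "environment" and the workaround's "edit_access"; teams carry rules
that grant read or write on entries whose scopes match. Decrypting an
encrypted value is then allowed only with write access, as the issue proposes.
"""
from dataclasses import dataclass

LEVELS = {"none": 0, "read": 1, "write": 2}


@dataclass
class Entry:
    key: str
    value: str
    scopes: dict          # e.g. {"environment": "production", "edit_access": "ops"}
    encrypted: bool = False


@dataclass
class Rule:
    access: str           # "read" or "write"
    match: tuple          # predicates: (scope, "==" | "!=", value); empty = match all


def _matches(rule, entry):
    """True when every predicate of the rule holds for the entry's scopes."""
    for scope, op, wanted in rule.match:
        actual = entry.scopes.get(scope, "*")   # unset scope counts as the wildcard
        if op == "==" and actual != wanted:
            return False
        if op == "!=" and actual == wanted:
            return False
    return True


def effective_access(rules, entry):
    """Highest level ("none", "read", "write") granted by any matching rule."""
    best = "none"
    for rule in rules:
        if _matches(rule, entry) and LEVELS[rule.access] > LEVELS[best]:
            best = rule.access
    return best


def can_edit(rules, entry):
    return effective_access(rules, entry) == "write"


def can_decrypt(rules, entry):
    """Issue's first proposal: only decrypt what the team may also write."""
    if not entry.encrypted:
        return effective_access(rules, entry) != "none"   # plain value, plain read
    return can_edit(rules, entry)


# --- constructed sample policy and entries -------------------------------

# Today's setup from the issue: developers get Read/Write outside production
# and read-only in production.
DEV_TEAM_TODAY = [
    Rule("write", (("environment", "!=", "production"),)),
    Rule("read", (("environment", "==", "production"),)),
]

# Workaround from the issue: an extra "edit_access" scope ("*" or "ops");
# developers may edit anything not reserved to ops, ops may edit everything.
DEV_TEAM_WORKAROUND = [
    Rule("write", (("edit_access", "!=", "ops"),)),
    Rule("read", (("edit_access", "==", "ops"),)),
]
OPS_TEAM = [Rule("write", ())]

ENTRIES = {
    "db.host@prod": Entry("db.host", "db.prod.internal",
                          {"environment": "production", "edit_access": "*"}),
    "db.password@prod": Entry("db.password", "<ciphertext>",
                              {"environment": "production", "edit_access": "ops"},
                              encrypted=True),
    "db.password@dev": Entry("db.password", "<ciphertext>",
                             {"environment": "dev", "edit_access": "*"},
                             encrypted=True),
}


def decisions(rules, entries=ENTRIES):
    """Map entry name -> (edit allowed, decrypt allowed) for one team."""
    return {name: (can_edit(rules, e), can_decrypt(rules, e))
            for name, e in entries.items()}


if __name__ == "__main__":
    for team, rules in [("dev today", DEV_TEAM_TODAY),
                        ("dev workaround", DEV_TEAM_WORKAROUND),
                        ("ops", OPS_TEAM)]:
        for name, (edit, decrypt) in decisions(rules).items():
            print(f"{team:15} {name:18} edit={edit!s:5} decrypt={decrypt}")
```

Running it shows the difference between the two approaches: with the first proposal the existing environment rules alone already stop the developer team from decrypting the production password while still letting them read the plain production host, whereas the workaround needs the extra "edit_access" scope on every entry to reach the same result.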