Permissions System Improvements #3845

Closed
NickJosevski opened this issue Oct 5, 2017 · 7 comments

NickJosevski commented Oct 5, 2017

The permission system code has become difficult to manage, and would benefit from an overhaul.

Considerations

  • Migration of existing permissions
  • Improved interrogation of permissions for a user or team
  • More comprehensive tests for larger permutation of combinations

Complexity examples:

new environment is showing up on the deployment dashboard, and I can create a release for it, but when I expand on Advanced section of the deployment page, Preview section is empty

If I leave the project section in the team unscoped they are able to edit the variables hard coded to the project along with the variable sets attached HOWEVER if I put a project list in here they are only able to edit the hardcoded variables for staging inside of the projects only. When they go into the associated variable sets that are attached to the project the Staging variables are missing from view completely

Implied / Extending Permissions

Going Forward

Permissions computed server side

This calculation impacts the set of API actions delivered to the requester. Example: the Links collection would not contain the resource/{id}/delete action if the requester didn't have the delete permission.
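
The server-side calculation described in the opening post, as an added example that is not part of the original issue or of Octopus Deploy's code: one decision function both filters the Links collection and guards the request, so a hidden link and a directly typed URL get the same answer. The permission names, the `IMPLIES` table, the scoping model and the URL templates are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed implication table (hypothetical names): delete implies view.
IMPLIES = {"ResourceDelete": {"ResourceView"}}

@dataclass(frozen=True)
class Grant:
    permission: str
    projects: frozenset = frozenset()      # empty = unscoped (all projects)
    environments: frozenset = frozenset()  # empty = unscoped (all environments)

def expand(permission):
    """Return the permission plus everything it implies, transitively."""
    seen, stack = set(), [permission]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(IMPLIES.get(p, ()))
    return seen

def is_allowed(grants, permission, project=None, environment=None):
    """Single server-side decision used for link rendering and enforcement."""
    for g in grants:
        if permission not in expand(g.permission):
            continue
        if g.projects and project not in g.projects:
            continue  # grant is scoped to other projects
        if g.environments and environment not in g.environments:
            continue  # grant is scoped to other environments
        return True
    return False

# Hypothetical action table: link name -> (required permission, URL template)
ACTIONS = {
    "Self": ("ResourceView", "/resource/{id}"),
    "Delete": ("ResourceDelete", "/resource/{id}/delete"),
}

def build_links(grants, resource_id, **scope):
    """Links collection holding only the actions the requester may perform."""
    return {name: url.format(id=resource_id)
            for name, (perm, url) in ACTIONS.items()
            if is_allowed(grants, perm, **scope)}

def handle(grants, action, resource_id, **scope):
    """Enforce the same check on the request, so a known URL cannot bypass it."""
    perm, _ = ACTIONS[action]
    return 200 if is_allowed(grants, perm, **scope) else 403
```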

@MichaelJCompton

I couldn't find any doco on how the permissions are supposed to work, or what permissions imply others etc.

From the UI, here are some examples:

  • A user with the UserView permission can't see any way to navigate to .../configuration/users, but can go there via the URL if they know it.

  • A user with AccountView can't see any way to navigate to users' accounts, and can't successfully visit a URL like .../configuration/users/User-50

  • A user with TeamView, UserView and AccountView can't do the above either

  • A user with AccountDelete (who thus also has AccountView) can't navigate to accounts and can't delete them

  • Only AdministerSystem seems to allow doing these things - so what do AccountView etc do?

@MichaelJCompton

I see now I misunderstood Account*.

Still, I guess that implies some docs are needed for UserView and other permissions.

@NickJosevski
Author

More Examples:

  • Permission tries to restrict, but leaking information

[Screenshot: untitled_clipping_103117_043523_pm]

@NickJosevski
Author

Empty groups and their impacts: this is a complex scenario. We've had bugs related to empty groups and what people can do; it would be good to not have that part of permissions be fragile / confusing.

Related customer report here: https://help.octopusdeploy.com/discussions/problems/64481#comment_44233830

Empty project groups can cause confusion, and make them think permission scoping is working as expected.

@NickJosevski
Author

Example of confusion listing permissions when by Projects (/Groups):

Summary: User had EventView and ArtifactView but scoped to Projects (via groups) and was trying to view health checks. They don't come up in the search, but you can navigate directly to them; they report you don't have permission to see events and artifacts, because those are scoped by Environment in this case.

Discussion here: https://help.octopusdeploy.com/discussions/problems/65213-410-permissions-are-required-to-view-artifacts-and-history-for-checking-health-of-a-tentacle#comment_44240403

@NickJosevski
Author

Closing: we have newer issues / Trello cards to cover specific requirements not already handled in 2019.1.0

@lock

lock bot commented May 19, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot locked as resolved and limited conversation to collaborators May 19, 2019