Is it possible to give stage or environment based access? #2840

Open
danihodovic opened this issue Jul 9, 2018 · 10 comments

@danihodovic
Contributor

I would like to restrict deployment access per stage or environment. An example use case is to allow junior developers to deploy to staging and senior developers to deploy to production.

Is this possible? I've looked around in the docs and played with the UI and I found nothing.

@grosser
Contributor

grosser commented Jul 9, 2018

not possible, sounds like an interesting feature, but might take a lot of new logic/UI to add :/

/cc @zendesk/bre

@jason-rutherford

One possible workaround might be to lock the stage and use the PRODUCTION_STAGE_LOCK_REQUIRES_ADMIN=1 feature here. I'm not sure if that helps in your situation but I thought it is worth mentioning.

@danihodovic
Contributor Author

@jason-rutherford That would require us to lock production on every deploy which is not ideal.

@grosser
Contributor

grosser commented Sep 7, 2018

Possible solutions:

  • add an option to only allow admins to deploy to production (effort: low / hackyness: medium)
  • add a new 'production-deployer' role between deployer and admin (effort: medium / hackyness: medium)
  • overhaul the permission system to be finer-grained / allow random things like "deploy production" / "manage secrets" etc (effort: high / hackyness: low)
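A minimal model of the second and third options in the list above, added here as an illustration and not taken from Samson or from any commenter. The role names, permission names and the `Stage` struct are all hypothetical.

```ruby
# Added sketch, not Samson code: every name below is hypothetical.
require "set"

Stage = Struct.new(:name, :production)
STAGING    = Stage.new("staging", false)
PRODUCTION = Stage.new("production", true)

# Option 2: one extra rung ("production_deployer") in an ordered role ladder.
ROLE_LADDER = %i[viewer deployer production_deployer admin].freeze

def ladder_can_deploy?(role, stage)
  rank = ROLE_LADDER.index(role)
  return false if rank.nil? # unknown role: deny by default
  required = stage.production ? :production_deployer : :deployer
  rank >= ROLE_LADDER.index(required)
end

# Option 3: a role is a named bundle of fine-grained permissions, so
# "deploy production" and "manage secrets" can be granted independently.
ROLE_PERMISSIONS = {
  viewer:              Set[],
  deployer:            Set[:deploy_staging],
  production_deployer: Set[:deploy_staging, :deploy_production],
  secrets_manager:     Set[:manage_secrets], # has no place on a ladder
  admin:               Set[:deploy_staging, :deploy_production, :manage_secrets]
}.freeze

def permitted?(roles, permission)
  # Unknown roles contribute no permissions (deny by default).
  roles.any? { |r| ROLE_PERMISSIONS.fetch(r, Set[]).include?(permission) }
end

def fine_grained_can_deploy?(roles, stage)
  permitted?(roles, stage.production ? :deploy_production : :deploy_staging)
end

if __FILE__ == $PROGRAM_NAME
  # The junior/senior case from the issue: junior = deployer.
  puts ladder_can_deploy?(:deployer, STAGING)
  puts ladder_can_deploy?(:deployer, PRODUCTION)
  puts fine_grained_can_deploy?(%i[deployer secrets_manager], PRODUCTION)
end
```

On the ladder, anyone ranked high enough to manage secrets can also deploy to production; the permission-set model is the only one of the two that can separate them.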

@danihodovic
Contributor Author

> overhaul the permission system to be finer-grained / allow random things like "deploy production" / "manage secrets" etc (effort: high / hackyness: low)

Sounds like the best option, but if we're the only team with this use-case it might be better to leave it as is and not introduce additional complexity.

@grosser
Contributor

grosser commented Sep 8, 2018 via email

@ibrahima
Contributor

ibrahima commented May 2, 2019

Hmm, I'd be interested in this for the same reason. The current state is fine as long as you trust your teammates to not do stuff they shouldn't be doing, but it'd make me feel a little safer if junior developers couldn't deploy to production (this is more of an issue when adding new teammates IMO).

Hmm. Another option is to make the staging environment a separate project, and then set up project-specific roles for that project. It's a little uglier I guess but it would solve the problem without any new features.

@grosser
Contributor

grosser commented May 2, 2019

can enable BUDDY_CHECK_FEATURE=1 so nobody can deploy to prod alone :)

@ibrahima
Contributor

ibrahima commented May 2, 2019

Hmm, does that apply to admins too? We aren't using buddy checks but that could be useful for us, I just wouldn't want admins to be restricted to that.

@grosser
Contributor

grosser commented May 2, 2019

applies to everyone ... since it's kinda good practice ... can be bypassed for emergencies, then need to set up email for notification
