Wednesday 11 July 2018

Securing Release Definitions When Multiple Teams Work on a Single Team Project

We explored “Securing Build Definitions When Multiple Teams Work on a Single Team Project” in a previous post. Grouping release definitions into folders and applying permissions to isolate each team’s release definitions is now also possible in VSTS. As we discussed in “Securing Build Definitions When Multiple Teams Work on a Single Team Project”, it is important to create a Build/Release admins VSTS permission group for each of the teams in the team project. Using the same admins group and the team, we can set up permissions for release definition folders. Let’s look at the steps in detail.

The new Releases hub lets you group release definitions with folders. You need to enable the preview feature to get access to the new Releases hub. In your VSTS profile menu, click Preview features.

Then enable the New Releases Hub.

In the Build and Releases tab, go to Releases* to view the new Releases hub.

You can open the menu for All folders and click New Folder to create a new folder to group your release definitions.

Provide a name and create the folder.

You can create child folders and build a tree structure if you need multiple levels of grouping.

Once the required folder structure is ready, you can move the existing release pipelines (definitions) to the new folders.

By default, all release definitions are manageable by the Contributors group. You have to click the Security menu on All pipelines and set the Contributors group permissions to “Not Set” to prevent all contributors from inheriting permissions to all release pipelines. If you want, view releases and view definitions can be allowed for contributors.

Then, for a folder, you can set up permissions that give a given team’s build admins access to create new definitions or edit existing definitions in the folder, and to manage and approve deployments, etc.

You might want to create multiple groups in a team, such as release approvers for a particular environment. Using permissions and folders in the new Releases hub lets you control permissions according to your team’s needs and isolate each team’s releases from one another. However, there is no better way to isolate each team’s service endpoints within a single team project as of now.

