We have explored “Securing Build Definitions When Multiple Teams Work on a Single Team Project” in a previous post. Now the folders to group release definitions and applying permissions to isolate each team’s release definitions is also a possibility in VSTS. As we discussed in the “Securing Build Definitions When Multiple Teams Work on a Single Team Project” it is important to create the Build/Release admins VSTS permission group for each of the teams in the team project. Using the same admins group and the team we can setup permissions for release definitions folders. Let’s look at the steps in detail.
The new releases hub allows you grouping with folders. You need to enable the preview feature to get the new release hub access. In your VSTS profile menu click on preview features.
Then enable the New Releases Hub.
In the Build and Releases tab go to Releases* to view the new releases hub.
You can click on menu for All folders and click New Folder to create a new folder to group your release definitions.
Provide a name and create a folder.
You can create child folders and create a tree structure if you need multiple levels for grouping.
Once required folder structure ready you can move the existing release pipelines (definitions) to new folders.
By default all release definitions are manageable by contributors group. You cave to click Security menu on All pipelines and set the contributors group permissions to “Not Set” to prevent all contributors from inheriting permissions to all release pipelines. If you want view releases and view definitions can be allowed for contributors.
Then for a folder you can setup permissions to a given team’s build admins access to create new definitions or edit existing definitions in the folder and to manage, approve deployment etc.
You might want to create multiple groups in a team such as release approvers for a particular environment etc.Using the permissions and folders in new release hub will allow you to effectively control permissions as per your team needs and isolate each team’s releases from one another. However there is no better way to isolate each teams service end points within a single team project as of now.
No comments:
Post a Comment