Unauthorized user can add [PRODUCTION]Token to a task


Article ID: 189683


Updated On:


Continuous Delivery Director SAAS Continuous Delivery Director


As I understand, [PROD] tokens can only be added to a task in a non-prod phase if the user is assigned the permission: Can manage production.
However, as a non-prod user:

  • I cannot edit the token directly
  • I can assign it to the output field of a task

I discovered this is allowable in any task that has an assignable output parameter, such as: Ansible Tower Run Template, Jenkins Build or REST.


Release : SaaS

Component : Continuous Delivery Director


This was a bug. A user who does not have the "Can manage production" permission should not have been able to add a [PROD] token.


This has been fixed in SaaS.

A [PROD] token cannot be added to a non-production phase/task. This is based on the Environment that the Phase is configured to use.

If a phase is set to use two (or more) environments and one of the environments is configured as a "Production" environment, then:
  • A user with the "Can manage production" permission can add a [PROD] token throughout the tasks in that phase.
  • A user without the "Can manage production" permission will be locked out of managing that phase.

Additional Information

For more information on using the "Can manage production" permission, see: Production Environment Protection