search cancel

Unauthorized user can add [PRODUCTION]Token to a task

book

Article ID: 189683

calendar_today

Updated On:

Products

Continuous Delivery Director SAAS Continuous Delivery Director

Issue/Introduction

As I understand, [PROD] tokens can only be added to a task in a non-prod phase if the user is assigned the permission: Can manage production
However, as a non-prod user:

  • I cannot edit the token directly
  • I can assign it to the output field of task

I discovered this is allowable in any task that has an assignable output parameter, such as: Ansible Tower Run Template, Jenkins Build or REST.

Cause

This was a bug. A user that does not have the "Can manage production" should not have been able to add a [PROD] token.

Environment

Release : SaaS

Component : Continuous Delivery Director

Resolution

This has been fixed in SaaS.

A [PROD] token cannot be added to a non-production phase/task. This is based on the Environment that the Phase is configured to use.

If a phase is set to use two (or more) environments and one of the environment are configured as a "Production" environment then:
  • A user with the "Can manage production" permission can add a [PROD] token throughout the tasks in its phase.
  • A user without "Can manage production" permission will be locked out of managing that phase. 

Additional Information

More information on using the "Can manage production" permission see here: Production Environment Protection