Unauthorized user can add [PRODUCTION]Token to a task

Article ID: 189683


Products

Continuous Delivery Director SAAS Continuous Delivery Director

Issue/Introduction

As I understand, [PROD] tokens can only be added to a task in a non-prod phase if the user is assigned the permission: Can manage production
However, as a non-prod user:

  • I cannot edit the token directly
  • I can assign it to the output field of a task

I discovered this is allowable in any task that has an assignable output parameter, such as: Ansible Tower Run Template, Jenkins Build or REST.

Environment

Release : SaaS

Component : Continuous Delivery Director

Cause

This was a bug. A user who does not have the "Can manage production" permission should not have been able to add a [PROD] token.

Resolution

This has been fixed in SaaS.

A [PROD] token cannot be added to a non-production phase/task. This is based on the Environment that the Phase is configured to use.

If a phase is set to use two (or more) environments and one of those environments is configured as a "Production" environment, then:
  • A user with the "Can manage production" permission can add a [PROD] token throughout the tasks in that phase.
  • A user without the "Can manage production" permission is locked out of managing that phase.
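The following added example is not Continuous Delivery Director code; it is a small model, written for this article, of the authorization gap described in the Issue section and of the rule stated in the Resolution. It assumes hypothetical names (`Phase`, `Task`, `User`, `bind_value_after` and so on) and assumes that a [PROD] token can be recognised by its `[PROD]` prefix. The "before" functions show why checking only the direct token edit path leaves the output-field path open; the "after" function routes every binding through one chokepoint that decides on the phase's environments first and on the token second.

```python
"""Model of the [PROD] token permission check (added example, hypothetical names)."""
from dataclasses import dataclass, field

PROD_TOKEN_PREFIX = "[PROD]"  # assumption: [PROD] tokens carry this prefix


@dataclass(frozen=True)
class Environment:
    name: str
    is_production: bool


@dataclass
class Phase:
    name: str
    environments: list  # list[Environment]

    def touches_production(self) -> bool:
        # The Resolution bases the rule on the environments the phase uses.
        return any(env.is_production for env in self.environments)


@dataclass
class Task:
    name: str
    phase: Phase
    inputs: dict = field(default_factory=dict)
    outputs: dict = field(default_factory=dict)


@dataclass(frozen=True)
class User:
    name: str
    can_manage_production: bool


class Forbidden(Exception):
    """Raised when an operation is denied."""


def is_prod_token(value) -> bool:
    return isinstance(value, str) and value.startswith(PROD_TOKEN_PREFIX)


# --- Before the fix: the behaviour the reporter describes -------------------
def edit_token_before(user: User, task: Task, value: str) -> None:
    # Only the direct edit path carries the permission check.
    if is_prod_token(value) and not user.can_manage_production:
        raise Forbidden("Can manage production required")
    task.inputs["token"] = value


def assign_output_before(user: User, task: Task, field_name: str, value: str) -> None:
    # No check at all on the output-field path: the bypass in the Issue section.
    task.outputs[field_name] = value


# --- After the fix: one chokepoint implementing the Resolution rule ---------
def authorize_phase(user: User, phase: Phase) -> None:
    # A user without the permission is locked out of any phase that
    # uses at least one Production environment.
    if phase.touches_production() and not user.can_manage_production:
        raise Forbidden(f"{user.name} may not manage phase {phase.name!r}")


def bind_value_after(user: User, task: Task, field_name: str, value: str, target: str) -> None:
    """Every path that binds a value to a task (inputs or outputs) goes through here."""
    authorize_phase(user, task.phase)
    # A [PROD] token is never allowed in a phase with no Production environment.
    if is_prod_token(value) and not task.phase.touches_production():
        raise Forbidden("[PROD] token not allowed in a non-production phase")
    getattr(task, target)[field_name] = value


def attempt(operation, *args) -> bool:
    """True if the operation was allowed, False if it was denied."""
    try:
        operation(*args)
        return True
    except Forbidden:
        return False


def run_scenarios() -> dict:
    """Constructed scenarios; every entry is True when the model behaves as the article states."""
    nonprod = Phase("dev", [Environment("dev", is_production=False)])
    mixed = Phase("release", [Environment("staging", False), Environment("prod", True)])
    dev_user = User("dev_user", can_manage_production=False)
    release_mgr = User("release_mgr", can_manage_production=True)
    prod_token = "[PROD]deploy_credential"  # constructed sample value
    return {
        "before_direct_edit_denied": not attempt(edit_token_before, dev_user, Task("REST", nonprod), prod_token),
        "before_output_field_bypass": attempt(assign_output_before, dev_user, Task("REST", nonprod), "result", prod_token),
        "after_output_path_checked": not attempt(bind_value_after, dev_user, Task("REST", nonprod), "result", prod_token, "outputs"),
        "after_prod_token_in_nonprod_denied_even_for_manager": not attempt(bind_value_after, release_mgr, Task("REST", nonprod), "result", prod_token, "outputs"),
        "after_manager_allowed_in_prod_phase": attempt(bind_value_after, release_mgr, Task("Jenkins Build", mixed), "result", prod_token, "outputs"),
        "after_non_manager_locked_out_of_prod_phase": not attempt(bind_value_after, dev_user, Task("Jenkins Build", mixed), "result", "plain", "inputs"),
        "after_plain_value_in_nonprod_allowed": attempt(bind_value_after, dev_user, Task("Ansible Tower Run Template", nonprod), "result", "plain", "outputs"),
    }


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario}: {'as expected' if ok else 'UNEXPECTED'}")
```

The design point is that the permission decision is made once, from the phase's environment configuration, before any value is bound, so adding a new task type with an assignable output parameter cannot reopen the gap.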

Additional Information

For more information on using the "Can manage production" permission, see: Production Environment Protection