2
votes

I need to configure permissions and make use of native features to limit deployment within Azure DevOps, so that those with limited access can only release to dev/test environments and those with privileged access can deploy to all environments, including staging/prod, for example.

I'd like to achieve this without splitting release pipelines up - is it best just to use pre-deployment approvals or is there a better way to remove the ability for those with limited access to deploy into prod, at all?

Can this be done by limiting access to service connections, for example? So a limited user would have 'User' access to the dev/test service connections but not staging/prod, as a safety net?

Just looking for some tips/best practice advice.

Thanks.

1 Answer

0
votes

You could use deployment groups to handle this.

A deployment group is a logical set of deployment target machines that have agents installed on each one. Deployment groups represent the physical environments; for example, "Dev", "Test", "UAT", and "Production". In effect, a deployment group is just another grouping of agents, much like an agent pool.

When authoring an Azure Pipelines or TFS Release pipeline, you can specify the deployment targets for a job using a deployment group. This makes it easy to define parallel execution of deployment tasks.

Deployment groups:

  • Specify the security context and runtime targets for the agents. As you create a deployment group, you add users and give them appropriate permissions to administer, manage, view, and use the group.
  • Let you view live logs for each server as a deployment takes place, and download logs for all servers to track your deployments down to individual machines.
  • Enable you to use machine tags to limit deployment to specific sets of target servers.

Besides, I suggest you also take a look at this blog, Configuring your release pipelines for safe deployments, which includes multiple points:

  1. Gradual rollout to multiple environments
  2. Uniform deployment workflow for all environments
  3. Manual approval for rollouts
  4. Segregation of roles
  5. Health check during roll out
  6. Branch filters for deployments
  7. Secure the pipelines
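The question's "safety net" (limited users hold no deploying role on staging/prod service connections or deployment groups) can be checked after it is configured. The sketch below is an added example, not code from the answer or from Azure DevOps: the record layout, the identity names and the set of roles treated as able to deploy are all assumptions, and the sample data is constructed. It also reports inherited assignments, since a role granted at project level is inherited by each resource unless inheritance is turned off there.

```python
# Added example: list identities that can deploy through protected resources.
# Field names, role set and identities are assumptions; SAMPLE is constructed.

DEPLOY_ROLES = {"User", "Creator", "Administrator"}  # assumed: anything above Reader
PROTECTED_ENVS = {"staging", "prod"}
PRIVILEGED = {"[Contoso]\\Release Managers"}  # hypothetical privileged group

# One record per service connection or deployment group, with the role
# assignments copied from its security settings (constructed sample).
SAMPLE = [
    {"name": "dev-azure-connection", "environment": "dev", "assignments": [
        {"identity": "[Contoso]\\Developers", "role": "User", "access": "assigned"},
    ]},
    {"name": "prod-azure-connection", "environment": "prod", "assignments": [
        {"identity": "[Contoso]\\Release Managers", "role": "User", "access": "assigned"},
        # Granted once at project level, so it reaches prod by inheritance.
        {"identity": "[Contoso]\\Developers", "role": "User", "access": "inherited"},
        {"identity": "[Contoso]\\Readers", "role": "Reader", "access": "inherited"},
    ]},
]


def audit(resources, privileged, protected=PROTECTED_ENVS):
    """Return (resource, identity, role, access) for every non-privileged
    identity holding a deploying role on a protected-environment resource."""
    findings = []
    for res in resources:
        if res["environment"] not in protected:
            continue  # dev/test resources are open to limited users by design
        for a in res["assignments"]:
            if a["role"] in DEPLOY_ROLES and a["identity"] not in privileged:
                findings.append((res["name"], a["identity"], a["role"], a["access"]))
    return findings


if __name__ == "__main__":
    for name, identity, role, access in audit(SAMPLE, PRIVILEGED):
        print(f"{name}: {identity} holds {role} ({access})")
```

A finding marked `inherited` points at a project-level grant rather than a setting on the resource itself, so that is where it has to be corrected.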