I need to configure permissions and make use of native features to limit deployment within Azure DevOps, so that those with limited access can only release to dev/test environments and those with privileged access can deploy to all environments, including staging/prod, for example.
I'd like to achieve this without splitting release pipelines up - is it best just to use pre-deployment approvals or is there a better way to remove the ability for those with limited access to deploy into prod, at all?
Can this be done by limiting access to service connections, for example? So a limited user would have 'User' access to the dev/test service connections but not staging/prod, as a safety net?
Just looking for some tips/best practice advice.
Thanks..