The particular example I'm pursuing here is having a deployment officer role. Typically, this would be performed by one particular employee, but that employee can get sick, fired, go on vacation, etc. So from a Windows security perspective, this is simple - create a Deployers role, and bang, you're done.

The problem is that a number of tools don't support role-based security for access, and some don't even support AD integration, i.e., they require an entirely custom set of credentials.

The simple way to handle this is just have every Tom, Dick and Harry with logins, but that defeats the Deployment Officer role I'm trying to create.

A slightly less bad approach is to have the Deployment Officer transfer the control to another employee, but that runs into problems if he forgets, gets sick, or especially if he's fired.

Any thoughts? I haven't been able to come up with any magic bullets for this.

HopelessN00b
Chris B. Behrens
  • It sounds like you are talking about things that 3rd party software tries to solve. Products like ActiveRoles by Quest or Cyberark fall into this to some extent. – TheCleaner Feb 13 '15 at 19:14

1 Answer

Have you considered manual rather than automated controls, and a policy that just says you can't deploy code you wrote yourself, but have to get someone else to do it? That gives you isolation of roles for each deployment, but not globally.

Mike Scott
  • That's exactly what we're trying to do. We're working with Octopus Deploy, and we've got a kind of wide-open staging server anybody can deploy to, but then only a single Deployment Officer can deploy to Production. But a manual, human-being enforced way to do this is going to be brittle and fail the first time things get under pressure. – Chris B. Behrens Feb 13 '15 at 20:04