Fix overlapping roles in Azure DevOps that lead to unexpected permissions
julie-ng opened this issue · 1 comment
Problem
There is a bug in the concept as it currently exists. As of today we rely on 2 AAD groups for actors, e.g. for the "Veggies" team, we have:
AAD Group name | Membership
---|---
veggies | All developers in the team
veggies-admins | A subset of users who have elevated permissions
Expected Result
The veggie admins have elevated privileges, e.g. Administrator access, even if they have overlapping role assignments (due to membership in multiple groups).
Actual Result
- As expected: for Azure Resource Manager, `veggies-admins` will have Administrator permissions due to ARM's additive permissions model.
- Unexpectedly: in Azure DevOps, `veggies-admins` will only have Contributor access because Azure DevOps uses a least-permissions model, as this doc describes: "User accounts that are assigned to more than one security group are restricted to those permissions granting the least access."
Solution
To get the expected behavior, we need to have three AAD groups per domain, for example:
- veggies-all
- veggies-dev
- veggies-admin
In this way, we can avoid overlapping role assignments that result in unexpected behavior in Azure DevOps.
Tasks
- Terraform: create 3 AAD groups per domain
- Terraform: update assignments, paying extra attention to "supermarket" collaboration scenario
- Concept: update text
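The following is an added example, not code from the issue or the project it belongs to. It models the two resolution rules the issue contrasts (ARM additive, Azure DevOps least-access as quoted above) and runs a small lint over a group design to flag any user who sits in more than one role-bearing group. The group names, memberships, the three-level role scale and the assumption that only the `-dev` and `-admin` groups carry an Azure DevOps role (with `-all` carrying none) are constructed for illustration.

```python
"""Model of the two permission-resolution rules the issue contrasts.

Azure Resource Manager (ARM) is additive: a user's effective role is the most
permissive role among all groups they belong to.  Azure DevOps, as quoted in the
issue, restricts a user in several security groups to the permissions granting
the least access.  The group names, role assignments and memberships below are
constructed for illustration; the role names are a simplified three-level scale.
"""
from typing import Dict, List, Optional, Tuple

# Ordering of the simplified role scale, least to most privileged (assumed).
RANK: Dict[str, int] = {"Reader": 1, "Contributor": 2, "Administrator": 3}


def arm_effective(roles: List[str]) -> Optional[str]:
    """ARM: additive model, the highest-ranked assigned role wins."""
    return max(roles, key=RANK.__getitem__) if roles else None


def ado_effective(roles: List[str]) -> Optional[str]:
    """Azure DevOps (as described in the issue): the least-access role wins."""
    return min(roles, key=RANK.__getitem__) if roles else None


def assigned_roles(groups: List[str], assignments: Dict[str, str]) -> List[str]:
    """Roles a user collects from their groups; groups without an assignment add nothing."""
    return [assignments[g] for g in groups if g in assignments]


def find_overlaps(memberships: Dict[str, List[str]],
                  assignments: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return users whose Azure DevOps result is lower than their ARM result.

    Any user listed here is in more than one role-bearing group, which is exactly
    the overlap that silently downgrades them in Azure DevOps.  The value is
    (ARM effective role, Azure DevOps effective role).
    """
    overlaps: Dict[str, Tuple[str, str]] = {}
    for user, groups in memberships.items():
        roles = assigned_roles(groups, assignments)
        arm, ado = arm_effective(roles), ado_effective(roles)
        if arm != ado:
            overlaps[user] = (arm, ado)
    return overlaps


# Constructed example: the original two-group layout for the "Veggies" team.
TWO_GROUP_ASSIGNMENTS = {"veggies": "Contributor", "veggies-admins": "Administrator"}
TWO_GROUP_MEMBERS = {
    "alice": ["veggies", "veggies-admins"],   # an admin who is also a developer
    "bob": ["veggies"],
}

# Constructed example: the proposed three-group layout.  Assumption: role
# assignments go only on the disjoint -dev and -admin groups, while -all
# carries no Azure DevOps role, so nobody collects two different roles.
THREE_GROUP_ASSIGNMENTS = {"veggies-dev": "Contributor", "veggies-admin": "Administrator"}
THREE_GROUP_MEMBERS = {
    "alice": ["veggies-all", "veggies-admin"],
    "bob": ["veggies-all", "veggies-dev"],
}


if __name__ == "__main__":
    for label, members, assignments in (
        ("two groups", TWO_GROUP_MEMBERS, TWO_GROUP_ASSIGNMENTS),
        ("three groups", THREE_GROUP_MEMBERS, THREE_GROUP_ASSIGNMENTS),
    ):
        # two groups -> alice is downgraded; three groups -> no overlaps
        print(label, find_overlaps(members, assignments))
```

Running `find_overlaps` against the membership and assignment maps that Terraform produces (or against an export of the real groups) is a cheap pre-apply check: an empty result means no user can be downgraded by the least-access rule, which is the property the three-group layout is meant to guarantee.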