Re: Space Manager visibility of an app's environment variables

Krannich, Bernd <bernd.krannich@...>

Sorry for broadening the discussion, but for us it’s the other way round for a similar use case: having the CF admin role grants you developer rights in all orgs and spaces (for example, you could `cf env` to retrieve service instance credentials), which is something that’s IMHO not desirable from a security/compliance perspective, especially when running multiple (external) customers on one CF instance. Customers typically don’t want their providers to be able to see all their data by default. Sure, you can always grant yourself these roles as a CF admin, but then there’s audit logging to track those changes.

I guess one could go along a similar line of argumentation for space manager and space developer.

For both cases the thing is: You can achieve the desired behavior by granting more roles but if you combine roles there’s no way to achieve separation of duties.


From: Matt Cholick <cholick(a)>
Reply-To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)>
Date: Saturday 27 February 2016 at 19:04
To: "Discussions about Cloud Foundry projects and the system overall." <cf-dev(a)>
Subject: [cf-dev] Re: Re: Re: Re: Space Manager visibility of an app's environment variables

This is a source of confusion for our end users as well. Users will have the space manager role, but not the space developer role, and fail when they first try to push an application.

On Sat, Feb 27, 2016 at 8:16 AM, Mike Youngstrom <youngm(a)> wrote:
For some history this is the last discussion I recall having on the subject:


On Sat, Feb 27, 2016 at 5:23 AM, Tom Sherrod <tom.sherrod(a)> wrote:
I'm glad to see this question. Why does a space manager role not include all space developer permissions?

On Thu, Feb 25, 2016 at 11:51 AM, Mike Youngstrom <youngm(a)> wrote:
I debated long ago and still believe that a space manager should be able to do everything a space developer can do. Could this be simplified just by making that change? Or are there still reasons to limit a space manager's abilities?


On Thu, Feb 25, 2016 at 3:54 AM, Dieu Cao <dcao(a)> wrote:
Hi All,

Currently only Space Developers have visibility on the `/v2/apps/:guid/env` endpoint, which backs the cf CLI command `cf env APPNAME`.
Please let me know if you have any objections to allowing Space Managers visibility of an app's environment variables.
This is something we would like to tackle soon to address some visibility concerns.

