►
Description
This video explains the Group-level Protected Environments feature that will be released in GitLab 14.3.
See the documentation for more information. https://docs.gitlab.com/ee/ci/environments/protected_environments.html#group-level-protected-environments
00:00 Intro
00:52 Admin | Preparation
03:49 Developer | Create a new project and pipeline
06:44 Admin | Set up Group-level Protected Environments
08:57 Admin | Reporter setup
10:23 Operator | Execute a production deployment
A
A
So
simply
this
feature
is
about
segregation
of
duties
between
operators
and
the
developers.
So,
typically
in
large
organizations,
they
want
developers
to
only
write
code
and
they
they
shouldn't
touch
production
environments,
whereas
operators
they
shouldn't,
touch
code
base,
but
they
have
an
access
to
the
production
environments
and
the
managing
infrastructure.
A
So
basically,
this
feature
helps
this
authorization
scheme
in
enterprise
organization.
So
let's
get
started
the
quick
demonstration
so
at
first
we're
going
to
create
a
new
group.
It's
called
demo
orgy.
A
Okay,
so
I
just
created
a
demo
rg.
This
is
a
root
group
that
typically
represents
a
company
name
or
an
organization
name,
and
then
we're
going
to
create
the
two
groups.
One
is
a
developer
group
and
then
the
other
one
is
operator
group.
So
I
click
a
new
subgroup,
create
a
group
developer
group
like.
A
Okay,
the
other
one
is
operator
group
public
credit
group.
Okay.
So
we
now
see
these
two
groups
under
the
root
group
and
we're
going
to
add
users
to
each
group.
We
need
to
assign
developers
to
developer
group
and
the
operator
still
operator
group,
so
I'm
gonna
go
into
the
operator
group
and
then
members.
A
A
By
the
demo
user,
this
takashista
is
a
developer
in
this
world
developer,
developer
role
in
this
demonstration,
then
I
just
assigned
to
developer
group
as
a
maintainer.
So,
let's,
let's
talk
about
a
hypothetical
situation
that
the
one
of
the
developers
is
going
to
create
a
new
project
and
a
developer
group
and
then
create
a
ci
cd
pipeline
that
deploys
to
production
environment.
So
I'm
going
to
switch
my
user
account.
A
Please
keep
in
mind
that
I'm
not
administrator,
I'm
just
pretending
as
a
developer
and
then
as
a
developer,
I'm
going
to
create
a
new
project,
and
that
is
the
developer
group,
create
a
brown
project.
Let's
say
all
sum
up
in
public.
A
A
Let's
see
left
slack,
so
this
job
means
the
review
job
is
going
to
deploy
the
application
to
a
demonstration
server.
A
It's
also
called
review
app,
it's
not
production
and
then
we're
going
to
create
a
similar
job,
but
it's
going
to
deploy
to
production,
server
and
then
production,
and
then
we
set
production
since
we
don't
want
to
do
continuous,
continuous
deployment,
but
we
do
continuous
daily
value,
which
means
the
manual
process
to
deploy.
A
A
Okay,
okay,
so
as
I
as
a
developer,
I
just
created
a
new
pipeline
which
has
a
test
java
and
a
deploy
drop
and
then
looking
at
this
deploy
drop.
A
Actually,
I
can
trigger
this
manual
action
to
regard
this
production
deployment.
So
this
is
a
problematic
in
larger
enterprise
organization,
because
they're
they
basically
want
developers
not
to
touch
production
environment
at
all,
but
as
a
developer.
A
I
can
do
this
right
now,
so
this
is
a
problem
to
solve
and
then
group
level
protected
environments
can
solve
this
situation.
So
what
we're
going
to
do
is
basically.
A
Create
a
new
configuration
at
this
root
variable
that
only
like
all
production
environments
under
this
group
can
be
deployed
by
people
in
operator
group.
So
to
do
so,
we
have
to
execute
this
api
to
create
an
entry,
and
this
is
a
like.
I
create
a
new
rule
at
this
root
level
that
what
I
just
said,
so
I'm
we're
going
to
execute
this
call
we're
going
to
create
a
new
entry
that
the
request
was
successful.
A
Let's
see
the
pipelines
now,
as
I
sign
in
as
a
developer,
impersonate
developer
checking
the
deployment
drop.
Now
the
play
button
is
gone.
I
cannot
trigger
this
job.
A
So
that's
the
point
of
this
feature
that
now,
since
we
created
a
rule
that
only
production
deployment
jobs
can
be
deployed
can
be
executed
by
operator
group.
A
I
cannot
do
this
as
a
developer,
let's
sign
in
as
the
operator
and
then
what
they're
going
to
see.
Okay,
so
I
just
signed
in
as
operator
I
impersonate
operator
in
right
now.
A
So
as
an
operator
I
want
to
deploy,
I
want
to
execute
the
production
deployment
job,
so
I'm
going
to
pipeline
page
and
then
clicking
the
production
job,
but
still
it's
not
executable,
even
I'm
operator.
So
there's
a
there's.
An
additional
configuration
is
needed
that,
in
order
to
execute
a
pipeline
job
in
this
project
in
this
developer
project,
this
operator
has
to
at
least
be
a
reporter
role
or
above
to
do
so.
We
are
going
to.
A
This
developer
group
and
then
subjection
from
members.
So
what
are
we
going
to
do
is
basically
add
operator
people
into
debug
book
loop
as
reporter
so
operator.
Operators
do
not
have
a
permission
to
write
code
under
developer
group,
but
they
only
can
audit
pipeline
jobs
and
then
execute
deployment
jobs
to
the
production.
A
Demo
and
then
reporter
invite
okay.
Now
people
in
operator
group
are
ready
to
develop
a
group
as
reporter,
which
means
now
I'm
impersonating
as
operator.
A
I
can
execute
the
production
job
which
wasn't
available
previously
so
now,
as
an
operator
as
I
said,
I
cannot
edit
the
code
base
like,
even
if
I
try
to
edit
that's
disallowed,
but
I
can
only
execute
the
production
job.
A
And
now
it's
running
so
that's
the
whole
point
of
this
feature.
I
hope
hope
it
worked
well
in
your
organizations.
So
thank
you
for
watching
see
you.