If you want everyone in the team to deploy to production using ci/cd only, do you give them limited permissions on production? I mean, everyone in my team has the Administrator role. So you can't really make sure if everyone will stick to that rule.

I mean it depends on why you're doing it, I've never a found a custom role that works for everything a dev wants to have access to, so you'll be making their life difficult in some way if you remove admin access. you can't just TELL them to stick the rule and they will? rather than enforcing it with roles, you could setup a saved search on the contents of the SuiteScript folder where last edited = today and last modified by is not <ci/cd tool> and then you can reprimand any offenders and know when its happening?

Umm, if deployment to production is via CD only, then it doesn't matter what access the devs have - devs will never be deploying, only the CD system would deploy and it can have whatever permissions you need.

the issue is that devs with admin role COULD deploy to prod instead of using the CD tool

no devs should have admin role on PROD if CD is the only entity allowed to deploy. Whatever role they do have on prod it would not have deployment permissions in this model.

Will see if I can enforce that or not. I hope it works.

Decent devs understand the value of NOT having admin permissions on a production system. Others in your organization may not be so understanding. It's possible to have a bigger challenge with non-devs that have Administrator role on prod 🙂

I think you're painting with a pretty broad brush there, Shawn. There's value in not having admin permission in prod, sure, but there's a cost too. Decision makers should be aware of both. There's things you can do to minimize those costs, but if you're not aware of them that isn't going to happen.

Agreed - I'm only theorizing above - I think very few clients do strict CI/CD, or even strict computer controlled deployments on NS.

at my last job we implemented it because it was the engineering orgs standard practice, and rather than fight the power to carve out some exception for NS, we just went along, the results were... mixed. technically it was fun to implement but I'm not sure it was a net benefit in the end 🙂

exactly, if there's not a clear benefit don't do it! NS is certainly unlike greenfield development where you own all the bits. I would think applying traditional software development techniques blindly would result in headaches.

couldn't have put it better myself!