Users and roles
- Role Model
- User Permissions in SDPortal
- JIRA Project Roles / Permission Scheme
- Confluence Project Roles
- Bitbucket Project Roles
- Jenkins Project Roles
- GitLab
- Harbor Project Roles
- Gitea
- Nexus Project Roles
Role Model
Each user who is a member of a project has exactly one Project Role; a member can neither have no role nor several roles in the same project.
Different roles have different sets of permissions. The possible roles are:
Role | Description |
---|---|
Admin | Full access, including potentially dangerous operations such as User and Project Provisioning. Can administer Project Members and Roles. |
Master | Full access except for operations that could cause accidental data loss or other irreversible changes. |
Developer | Read-write access to contribute to the Project. |
Viewer | Read-only access to all data in the Project that is not security-relevant. |
Currently, the role assignment applies to all tools within a project: a member holds the same role in every tool of that project.
User Permissions in SDPortal
Operation | Global Role: User | Global Role: Admin | Project Role: Viewer | Project Role: Developer | Project Role: Master | Project Role: Admin |
---|---|---|---|---|---|---|
Login to SDPortal | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Logout from SDPortal | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Change my password | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Reset forgotten password | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Display list of users | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Search for user | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Add or remove "Corporate Admin" role to user | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
Create User | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
Delete User | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
Lock User | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
Unlock User | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
Send invitation mail for first login | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
Display list of projects | ❌ | ✅ | ⚠ Only own projects | ⚠ Only own projects | ⚠ Only own projects | ⚠ Only own projects |
Search for project | ❌ | ✅ | ⚠ Only own projects | ⚠ Only own projects | ⚠ Only own projects | ⚠ Only own projects |
Create project | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
Delete project | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ |
Retire project | ❌ | ✅ | ❌ | ❌ | ❌ | ⚠ Only own projects |
Reactivate project | ❌ | ✅ | ❌ | ❌ | ❌ | ⚠ Only own projects |
Add User to Project | ❌ | ✅ | ❌ | ❌ | ❌ | ⚠ Only own projects |
Remove User from Project | ❌ | ✅ | ❌ | ❌ | ❌ | ⚠ Only own projects |
Display used storage by project/tool or total | ❌ | ✅ | ⚠ Only own projects | ⚠ Only own projects | ⚠ Only own projects | ⚠ Only own projects |
JIRA Project Roles / Permission Scheme
In JIRA the Project Roles are first created under Security / Project Roles. They then get their permissions assigned in the SDCloud Permission Scheme, which is afterwards associated with the Jira projects.
Permission / Role | Admin | Master | Developer | Viewer |
---|---|---|---|---|
Project Permissions | | | | |
Administer projects (Extended project administration enabled) | ✅ | ❌ | ❌ | ❌ |
Browse projects | ✅ | ✅ | ✅ | ✅ |
Manage sprints | ✅ | ✅ | ❌ | ❌ |
Service Desk Agent | ✅ | ✅ | ✅ | ❌ |
View development tool | ✅ | ✅ | ✅ | ✅ |
View (read-only) workflow | ✅ | ✅ | ✅ | ✅ |
Issue Permissions | | | | |
Assign issues | ✅ | ✅ | ✅ | ❌ |
Assignable user | ✅ | ✅ | ✅ | ❌ |
Close issues | ✅ | ✅ | ❌ | ❌ |
Create issues | ✅ | ✅ | ✅ | ❌ |
Delete issues | ✅ | ❌ | ❌ | ❌ |
Edit issues | ✅ | ✅ | ✅ | ❌ |
Link issues | ✅ | ✅ | ✅ | ❌ |
Modify reporter | ✅ | ✅ | ❌ | ❌ |
Move issues | ✅ | ✅ | ❌ | ❌ |
Resolve issues | ✅ | ✅ | ✅ | ❌ |
Schedule issues | ✅ | ✅ | ❌ | ❌ |
Set issues security | ✅ | ❌ | ❌ | ❌ |
Transition issues | ✅ | ✅ | ✅ | ❌ |
Voters & watchers permissions | | | | |
Manage watcher list | ✅ | ❌ | ❌ | ❌ |
View voters and watchers | ✅ | ✅ | ✅ | ❌ |
Comments permissions | | | | |
Add comments | ✅ | ✅ | ✅ | ❌ |
Delete all comments | ✅ | ❌ | ❌ | ❌ |
Delete own comments | ✅ | ✅ | ✅ | ❌ |
Edit all comments | ✅ | ❌ | ❌ | ❌ |
Edit own comments | ✅ | ✅ | ✅ | ❌ |
Attachments permissions | | | | |
Create attachments | ✅ | ✅ | ✅ | ❌ |
Delete all attachments | ✅ | ❌ | ❌ | ❌ |
Delete own attachments | ✅ | ✅ | ✅ | ❌ |
Time-tracking Permissions | | | | |
Work on issues | ✅ | ✅ | ✅ | ❌ |
Delete all worklogs | ✅ | ❌ | ❌ | ❌ |
Delete own worklogs | ✅ | ✅ | ✅ | ❌ |
Edit all worklogs | ✅ | ❌ | ❌ | ❌ |
Edit own worklogs | ✅ | ✅ | ✅ | ❌ |
- The Service Desk Agent permission only exists if the Service Desk application has been added to JIRA.
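The table above is what the SDCloud Permission Scheme should contain once it has been created and associated with the project. An added example (not part of the portal or of Jira) that encodes the table as permission keys, builds the permission-scheme body for the Jira REST API and audits an existing scheme for over-grants, missing grants and grants to holders outside the four project roles. The permission keys are the Jira Server/Data Center keys returned by `GET /rest/api/2/permissionscheme/{id}?expand=permissions`; the role ids and the sample scheme are constructed for the example.

```python
"""Audit a Jira permission scheme against the role/permission table above.

Added example, not the portal's code.  Permission keys are the Jira
Server/Data Center keys as returned by
GET /rest/api/2/permissionscheme/{id}?expand=permissions; the role ids and
the sample scheme below are constructed for the example.
"""

VIEWER = {"BROWSE_PROJECTS", "VIEW_DEV_TOOLS", "VIEW_READONLY_WORKFLOW"}
DEVELOPER = VIEWER | {
    "SERVICEDESK_AGENT", "ASSIGN_ISSUES", "ASSIGNABLE_USER", "CREATE_ISSUES",
    "EDIT_ISSUES", "LINK_ISSUES", "RESOLVE_ISSUES", "TRANSITION_ISSUES",
    "VIEW_VOTERS_AND_WATCHERS", "ADD_COMMENTS", "DELETE_OWN_COMMENTS",
    "EDIT_OWN_COMMENTS", "CREATE_ATTACHMENTS", "DELETE_OWN_ATTACHMENTS",
    "WORK_ON_ISSUES", "DELETE_OWN_WORKLOGS", "EDIT_OWN_WORKLOGS",
}
MASTER = DEVELOPER | {
    "MANAGE_SPRINTS_PERMISSION", "CLOSE_ISSUES", "MODIFY_REPORTER",
    "MOVE_ISSUES", "SCHEDULE_ISSUES",
}
# Admin-only: irreversible ("delete all ...") or security-relevant operations
ADMIN = MASTER | {
    "ADMINISTER_PROJECTS", "DELETE_ISSUES", "SET_ISSUE_SECURITY",
    "MANAGE_WATCHERS", "DELETE_ALL_COMMENTS", "EDIT_ALL_COMMENTS",
    "DELETE_ALL_ATTACHMENTS", "DELETE_ALL_WORKLOGS", "EDIT_ALL_WORKLOGS",
}
EXPECTED = {"Admin": ADMIN, "Master": MASTER, "Developer": DEVELOPER, "Viewer": VIEWER}


def scheme_from_expected(role_ids, name="SDCloud Permission Scheme"):
    """Body for POST /rest/api/2/permissionscheme: one grant per (role, permission)."""
    perms = [{"holder": {"type": "projectRole", "parameter": str(role_ids[r])}, "permission": p}
             for r in EXPECTED for p in sorted(EXPECTED[r])]
    return {"name": name, "permissions": perms}


def grants_by_role(scheme, role_ids):
    """Collapse scheme["permissions"] into role name -> set of permission keys.
    Grants whose holder is not one of the four project roles (a group, a
    single user, "anyone", ...) bypass the role model and are returned
    separately."""
    id_to_role = {str(v): k for k, v in role_ids.items()}
    grants = {r: set() for r in role_ids}
    foreign = []
    for g in scheme["permissions"]:
        holder = g.get("holder", {})
        param = str(holder.get("parameter"))
        if holder.get("type", "").lower() == "projectrole" and param in id_to_role:
            grants[id_to_role[param]].add(g["permission"])
        else:
            foreign.append((g["permission"], holder.get("type"), holder.get("parameter")))
    return grants, foreign


def audit(scheme, role_ids):
    """Return (kind, subject, permission) findings; an empty list means the
    scheme matches the table exactly."""
    grants, foreign = grants_by_role(scheme, role_ids)
    findings = [("foreign_holder", f"{t}:{p}", perm) for perm, t, p in foreign]
    for r, expected in EXPECTED.items():
        findings += [("extra", r, p) for p in sorted(grants[r] - expected)]
        findings += [("missing", r, p) for p in sorted(expected - grants[r])]
    return findings


# Constructed sample: the generated scheme with three deliberate deviations
ROLE_IDS = {"Admin": 10100, "Master": 10101, "Developer": 10102, "Viewer": 10103}
SAMPLE_SCHEME = scheme_from_expected(ROLE_IDS)
SAMPLE_SCHEME["permissions"].remove(
    {"holder": {"type": "projectRole", "parameter": "10103"}, "permission": "VIEW_DEV_TOOLS"})
SAMPLE_SCHEME["permissions"] += [
    {"holder": {"type": "projectRole", "parameter": "10101"}, "permission": "DELETE_ISSUES"},
    {"holder": {"type": "anyone"}, "permission": "BROWSE_PROJECTS"},
]

if __name__ == "__main__":
    for kind, subject, perm in audit(SAMPLE_SCHEME, ROLE_IDS):
        print(f"{kind:14} {subject:14} {perm}")
```

Run against a scheme fetched from Jira, the sample reports the Master over-grant of `DELETE_ISSUES`, the missing `VIEW_DEV_TOOLS` for Viewer and the `anyone` holder on `BROWSE_PROJECTS`, which would expose the project to unauthenticated users. If Service Desk is not installed, `SERVICEDESK_AGENT` will always show as missing and should be dropped from `DEVELOPER` for that instance.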
Confluence Project Roles
See vendor documentation for the exact meaning: https://confluence.atlassian.com/doc/space-permissions-overview-139521.html.
Role / Operation | Space: View | All: Delete Own | Pages: Add | Pages: Delete | Blog: Add | Blog: Delete | Attachments: Add | Attachments: Delete | Comments: Add | Comments: Delete | Restrictions: Add/Delete | Space: Delete | Space: Export | Space: Admin |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Admin | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Master | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ | ✅ | ❌ | ✅ | ✅ | ✅ | ❌ | ✅ | ❌ |
Developer | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ✅ | ❌ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
Viewer | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
Bitbucket Project Roles
Role | Browse | Clone / Pull | Create, browse, comment on pull request | Merge pull request | Push | Create repositories | Edit settings / permissions |
---|---|---|---|---|---|---|---|
Admin | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
Master | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
Developer | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ |
Viewer | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
Repository permissions are inherited from project permissions.
Jenkins Project Roles
Category | Permission | Admin | Master | Developer | Viewer | Authenticated Users | Anonymous Users | Prometheus Tech User |
---|---|---|---|---|---|---|---|---|
Credentials | Create | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
Credentials | Delete | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
Credentials | Manage Domains | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
Credentials | Update | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
Credentials | View | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
Job | Build | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
Job | Cancel | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
Job | Configure | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
Job | Create | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
Job | Delete | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
Job | Discover | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
Job | ExtendedRead | | | | | | | |
Job | Move | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
Job | Read | ✅ | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ |
Job | Workspace | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
Run | Delete | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
Run | Replay | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
Run | Update | ✅ | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ |
Job Config History | DeleteEntry | | | | | | | |
SCM | Tag | ✅ | ✅ | ❌ | ❌ | ❌ | ❌ | ❌ |
Metrics | HealthCheck | | | | | | | |
Metrics | ThreadDump | | | | | | | |
Metrics | View | | | | | | | |
GitLab
Users are assigned to Groups in GitLab with the following role mapping. Permissions within subgroups and GitLab Projects below the group are inherited.
Project Role | GitLab Group Members Permission |
---|---|
Viewer | Reporter |
Developer | Developer |
Master | Maintainer |
Admin | Owner |
For the permissions that each GitLab group role grants, see https://docs.gitlab.com/ee/user/permissions.html#group-members-permissions.
Harbor Project Roles
Harbor manages images through projects. Users get access to these images by being added to a project with one of the following roles:
Harbor Role Name | Harbor Role Id | Portal Project Role |
---|---|---|
Project Admin | 1 | ADMIN |
Maintainer | 4 | MASTER |
Developer | 2 | DEVELOPER |
Guest | 3 | VIEWER |
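Because the portal assigns one role per member and mirrors it into every tool, the thing worth checking is whether the tools still agree with the portal. An added example (not the portal's own code) that enforces the exactly-one-role rule from the Role Model section and then compares the portal's member list with what GitLab and Harbor actually report, using the GitLab access levels of the GitLab section and the Harbor role ids of the table above. The member lists are constructed sample data in the shape returned by GitLab's `GET /api/v4/groups/:id/members/all` and Harbor's `GET /api/v2.0/projects/{name}/members`.

```python
"""Audit portal project-role assignments against GitLab group membership
and Harbor project membership.

Added example; not the portal's own code.  The level/role-id mappings are
the ones documented above; the member lists are constructed sample data
in the shape returned by GitLab's GET /api/v4/groups/:id/members/all and
Harbor's GET /api/v2.0/projects/{name}/members.
"""

# Portal role -> GitLab access level (Reporter 20, Developer 30, Maintainer 40, Owner 50)
GITLAB_LEVEL = {"VIEWER": 20, "DEVELOPER": 30, "MASTER": 40, "ADMIN": 50}
# Portal role -> Harbor role_id (Harbor ids are not ordered by privilege)
HARBOR_ROLE_ID = {"ADMIN": 1, "DEVELOPER": 2, "VIEWER": 3, "MASTER": 4}
# Privilege order of the portal roles, used to tell escalation from reduction
RANK = {"VIEWER": 0, "DEVELOPER": 1, "MASTER": 2, "ADMIN": 3}


def validate_portal_members(members):
    """Enforce the role model: every member has exactly one known role.
    Returns {username: role}; raises ValueError on a missing, unknown or
    duplicate role assignment."""
    assigned = {}
    for m in members:
        user, role = m["username"], m.get("role")
        if role not in RANK:
            raise ValueError(f"{user}: missing or unknown role {role!r}")
        if user in assigned:
            raise ValueError(f"{user}: more than one role assigned")
        assigned[user] = role
    return assigned


def _diff(expected, actual):
    """expected: user -> portal role according to the portal.
    actual: user -> portal role derived from the tool (None when the
    tool-side level/id maps to no portal role).  Returns (kind, user, detail)
    tuples sorted by user."""
    findings = []
    for user in sorted(set(expected) | set(actual)):
        exp, act = expected.get(user), actual.get(user)
        if exp is None:                      # in the tool but not in the portal
            findings.append(("orphan", user, act))
        elif user not in actual:             # in the portal but not in the tool
            findings.append(("missing", user, exp))
        elif act is None:                    # tool role outside the mapping
            findings.append(("unmapped", user, exp))
        elif act == exp:
            continue
        elif RANK[act] > RANK[exp]:
            findings.append(("escalated", user, f"{exp}->{act}"))
        else:
            findings.append(("reduced", user, f"{exp}->{act}"))
    return findings


def gitlab_drift(portal_members, gitlab_members):
    level_to_role = {v: k for k, v in GITLAB_LEVEL.items()}
    expected = validate_portal_members(portal_members)
    actual = {m["username"]: level_to_role.get(m["access_level"]) for m in gitlab_members}
    return _diff(expected, actual)


def harbor_drift(portal_members, harbor_members):
    id_to_role = {v: k for k, v in HARBOR_ROLE_ID.items()}
    expected = validate_portal_members(portal_members)
    # entity_type "u" is a user member; group members ("g") are outside the portal model
    actual = {m["entity_name"]: id_to_role.get(m["role_id"])
              for m in harbor_members if m.get("entity_type") == "u"}
    return _diff(expected, actual)


# Constructed sample data
SAMPLE_PORTAL = [
    {"username": "alice", "role": "ADMIN"},
    {"username": "bob", "role": "DEVELOPER"},
    {"username": "carol", "role": "VIEWER"},
]
SAMPLE_GITLAB = [
    {"username": "alice", "access_level": 50},
    {"username": "bob", "access_level": 40},    # Maintainer: more than the portal grants
    {"username": "dave", "access_level": 30},   # not a portal member at all
]
SAMPLE_HARBOR = [
    {"entity_name": "alice", "entity_type": "u", "role_id": 1},
    {"entity_name": "bob", "entity_type": "u", "role_id": 2},
    {"entity_name": "carol", "entity_type": "u", "role_id": 5},  # a Harbor role the portal never assigns
    {"entity_name": "ops", "entity_type": "g", "role_id": 1},    # group membership, ignored here
]

if __name__ == "__main__":
    for tool, findings in (("gitlab", gitlab_drift(SAMPLE_PORTAL, SAMPLE_GITLAB)),
                           ("harbor", harbor_drift(SAMPLE_PORTAL, SAMPLE_HARBOR))):
        for kind, user, detail in findings:
            print(f"{tool}: {kind:9} {user:8} {detail}")
```

Two points the sample deliberately exercises: an `orphan` (a user present in the tool but unknown to the portal) is the finding that matters most, because such a user has access that no portal role explains; and Harbor role ids must be mapped back to portal roles before comparing, since the numeric ids carry no privilege order. Group-based Harbor members are skipped rather than reported, so if the portal is expected to be the only source of membership they should be listed separately.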
Harbor Roles Permissions
Action | Limited Guest | Guest | Developer | Maintainer | Project Admin |
---|---|---|---|---|---|
See the project configurations | ✅ | ✅ | ✅ | ✅ | ✅ |
Edit the project configurations | ❌ | ❌ | ❌ | ❌ | ✅ |
See a list of project members | ✅ | ✅ | ✅ | ✅ | ✅ |
Create/edit/delete project members | ❌ | ❌ | ❌ | ❌ | ✅ |
See a list of project logs | ✅ | ✅ | ✅ | ✅ | ✅ |
See a list of project replications | ❌ | ❌ | ❌ | ✅ | ✅ |
See a list of project replication jobs | ❌ | ❌ | ❌ | ❌ | ✅ |
See a list of project labels | ❌ | ❌ | ❌ | ✅ | ✅ |
Create/edit/delete project labels | ❌ | ❌ | ❌ | ✅ | ✅ |
See a list of repositories | ✅ | ✅ | ✅ | ✅ | ✅ |
Create repositories | ❌ | ❌ | ✅ | ✅ | ✅ |
Edit/delete repositories | ❌ | ❌ | ❌ | ✅ | ✅ |
See a list of images | ✅ | ✅ | ✅ | ✅ | ✅ |
Retag image | ❌ | ✅ | ✅ | ✅ | ✅ |
Pull image | ✅ | ✅ | ✅ | ✅ | ✅ |
Push image | ❌ | ❌ | ✅ | ✅ | ✅ |
Scan/delete image | ❌ | ❌ | ❌ | ✅ | ✅ |
Add scanners to Harbor * | ❌ | ❌ | ❌ | ❌ | ❌ |
Edit scanners in projects | ❌ | ❌ | ❌ | ❌ | ✅ |
See a list of image vulnerabilities | ✅ | ✅ | ✅ | ✅ | ✅ |
Create list of project vulnerabilities | ❌ | ❌ | ✅ | ✅ | ✅ |
Read list of project vulnerabilities | ❌ | ❌ | ✅ | ✅ | ✅ |
Export list of project vulnerabilities | ❌ | ❌ | ✅ | ✅ | ✅ |
See image build history | ✅ | ✅ | ✅ | ✅ | ✅ |
Add/Remove labels of image | ❌ | ❌ | ✅ | ✅ | ✅ |
See a list of helm charts | ✅ | ✅ | ✅ | ✅ | ✅ |
Download helm charts | ✅ | ✅ | ✅ | ✅ | ✅ |
Upload helm charts | ❌ | ❌ | ✅ | ✅ | ✅ |
Delete helm charts | ❌ | ❌ | ❌ | ✅ | ✅ |
See a list of helm chart versions | ✅ | ✅ | ✅ | ✅ | ✅ |
Download helm chart versions | ✅ | ✅ | ✅ | ✅ | ✅ |
Upload helm chart versions | ❌ | ❌ | ✅ | ✅ | ✅ |
Delete helm chart versions | ❌ | ❌ | ❌ | ✅ | ✅ |
Add/Remove labels of helm chart version | ❌ | ❌ | ✅ | ✅ | ✅ |
See a list of project robots | ❌ | ❌ | ❌ | ✅ | ✅ |
Create/edit/delete project robots | ❌ | ❌ | ❌ | ❌ | ✅ |
See configured CVE allowlist | ✅ | ✅ | ✅ | ✅ | ✅ |
Create/edit/remove CVE allowlist | ❌ | ❌ | ❌ | ❌ | ✅ |
View webhook events | ❌ | ❌ | ❌ | ✅ | ✅ |
Add new webhook events | ❌ | ❌ | ❌ | ❌ | ✅ |
Enable/deactivate webhooks | ❌ | ❌ | ❌ | ❌ | ✅ |
Create/delete tag retention rules | ❌ | ❌ | ✅ | ✅ | ✅ |
Enable/deactivate tag retention rules | ❌ | ❌ | ✅ | ✅ | ✅ |
Create/delete tag immutability rules | ❌ | ❌ | ❌ | ✅ | ✅ |
Enable/deactivate tag immutability rules | ❌ | ❌ | ❌ | ✅ | ✅ |
See project quotas | ✅ | ✅ | ✅ | ✅ | ✅ |
Edit project quotas * | ❌ | ❌ | ❌ | ❌ | ❌ |
Delete Project | ❌ | ❌ | ❌ | ❌ | ✅ |
* Only the Harbor system administrator can edit project quotas and add new scanners.
Gitea
Please note that some terms used in DevOps-as-a-Service have different names in Gitea. Check the following table to avoid confusion.
DevOps Portal | Gitea |
---|---|
Project | Organization |
Project Role | Team |
Git Repository | Repository |
Artifact Repository | Package |
Issue Tracking | Project (currently disabled) |
The Owner team has full administrative permission in the Organization. Its only member is a technical user that the DevOps Portal uses for auto-provisioning.
Gitea Role | Portal Project Role | Permissions |
---|---|---|
Viewer | Viewer | Read |
Developer | Developer | Read, Write |
Master | Master | Read, Write |
Admin | Admin | Read, Write, Repository create |
Nexus Project Roles
For each role in a project a role in Nexus is created which includes one Privilege for each repository in the project.
Role | Admin | Master | Developer | Viewer |
---|---|---|---|---|
ID | PROJECTKEY-admin | PROJECTKEY-master | PROJECTKEY-developer | PROJECTKEY-viewer |
Name | PROJECTKEY-admin | PROJECTKEY-master | PROJECTKEY-developer | PROJECTKEY-viewer |
Privilege | PROJECTKEY-docker-admin, PROJECTKEY-maven-admin, PROJECTKEY-repotype-admin | PROJECTKEY-docker-master, PROJECTKEY-maven-master, PROJECTKEY-repotype-master | PROJECTKEY-docker-developer, PROJECTKEY-maven-developer, PROJECTKEY-repotype-developer | PROJECTKEY-docker-viewer, PROJECTKEY-maven-viewer, PROJECTKEY-repotype-viewer |
For each role in a project a Privilege of type Repository Content Selector is created, which combines a Content Selector (the project), a Repository (the Docker registry) and the Actions allowed for that role.
Privilege / Role | Admin | Master | Developer | Viewer |
---|---|---|---|---|
Name | PROJECTKEY-docker-admin | PROJECTKEY-docker-master | PROJECTKEY-docker-developer | PROJECTKEY-docker-viewer |
Content Selector | PROJECTKEY-docker | PROJECTKEY-docker | PROJECTKEY-docker | PROJECTKEY-docker |
Repository | docker-registry | docker-registry | docker-registry | docker-registry |
Actions | delete, add, edit, browse, read | add, edit, browse, read | add, edit, browse, read | browse, read |
See https://help.sonatype.com/repomanager3/security/privileges for available Actions.
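The three objects above (content selector, privilege, role) reference each other by name, so they have to be created in that order. An added example, not the portal's provisioning code, that generates the objects for one project key following the naming scheme of the tables, emits them as an ordered list of Nexus REST API requests and audits the privileges Nexus actually holds. Endpoint paths and body fields are those of the Nexus Repository Manager 3 API under `/service/rest/v1/security/`; the maven repository name `maven-releases` and the content selector expressions are assumptions, since the page does not give them.

```python
"""Generate the Nexus Repository Manager 3 security objects for one portal
project, following the naming scheme in the tables above.

Added example; not the portal's provisioning code.  Endpoint paths and
body fields are those of the Nexus REST API under /service/rest/v1/security/.
Assumptions: the maven repository is called "maven-releases", the content
selector expressions are plausible per-project expressions (the page does
not give the real ones), and project keys appear lower case in paths.
"""
import json

# Actions per role, from the privilege table (Nexus action names are upper case)
ACTIONS = {
    "admin": ["DELETE", "ADD", "EDIT", "BROWSE", "READ"],
    "master": ["ADD", "EDIT", "BROWSE", "READ"],
    "developer": ["ADD", "EDIT", "BROWSE", "READ"],
    "viewer": ["BROWSE", "READ"],
}
# repotype -> (Nexus format, repository, content-selector expression); assumed values
REPOS = {
    "docker": ("docker", "docker-registry", 'format == "docker" and path =^ "/v2/{key}/"'),
    "maven": ("maven2", "maven-releases", 'format == "maven2" and path =^ "/{key}/"'),
}
API = "/service/rest/v1/security"


def content_selector(key, repotype):
    _, _, expr = REPOS[repotype]
    return {"name": f"{key}-{repotype}",
            "description": f"{key} {repotype} artifacts",
            "expression": expr.format(key=key.lower())}


def privilege(key, repotype, role):
    fmt, repo, _ = REPOS[repotype]
    return {"name": f"{key}-{repotype}-{role}",
            "description": f"{role} access to {key} {repotype} artifacts",
            "actions": list(ACTIONS[role]),
            "format": fmt,
            "repository": repo,
            "contentSelector": f"{key}-{repotype}"}


def role(key, name):
    return {"id": f"{key}-{name}",
            "name": f"{key}-{name}",
            "description": f"{name} role of project {key}",
            "privileges": [f"{key}-{rt}-{name}" for rt in REPOS],
            "roles": []}


def provision_plan(key):
    """Ordered (method, path, body) requests: selectors first, because the
    privileges reference them by name; roles last, because they reference
    the privileges."""
    plan = [("POST", f"{API}/content-selectors", content_selector(key, rt)) for rt in REPOS]
    plan += [("POST", f"{API}/privileges/repository-content-selector", privilege(key, rt, r))
             for rt in REPOS for r in ACTIONS]
    plan += [("POST", f"{API}/roles", role(key, r)) for r in ACTIONS]
    return plan


def audit_privileges(key, existing):
    """Compare the privileges returned by GET /service/rest/v1/security/privileges
    with the expected action sets of this project.  Returns (name, problem)
    pairs; "ALL" is treated as a problem on its own because it is the Nexus
    wildcard and grants every action regardless of the role."""
    expected = {p["name"]: p for _, _, p in provision_plan(key) if "actions" in p}
    findings, seen = [], set()
    for priv in existing:
        name = priv.get("name", "")
        if name not in expected:
            continue
        seen.add(name)
        actual = set(priv.get("actions", []))
        if "ALL" in actual:
            findings.append((name, "wildcard action ALL grants every action"))
            continue
        if actual != set(expected[name]["actions"]):
            findings.append((name, f"actions {sorted(actual)} != {sorted(expected[name]['actions'])}"))
        if priv.get("contentSelector") != expected[name]["contentSelector"]:
            findings.append((name, "bound to a different content selector"))
    for name in sorted(set(expected) - seen):
        findings.append((name, "privilege not present in Nexus"))
    return findings


if __name__ == "__main__":
    for method, path, body in provision_plan("PRJ"):
        print(method, path, json.dumps(body))
```

A content selector that is too broad (for example one whose expression matches the whole registry) silently turns every project role into a registry-wide role, so the selector expressions deserve the same review as the action lists; `audit_privileges` only checks that each privilege is bound to the expected selector name, not what that selector matches.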