Wiki source code of Users and roles

Version 5.1 by Boris Folgmann on 2026/05/11 14:33

{{toc depth="1"/}}

= Role Model =

Each user who is a member of a project has to be in //exactly one// Project Role. Therefore a member cannot have zero or multiple roles in a project.

Different roles have different sets of permissions. Possible roles are:

|=Role|=Description
|Admin|Full access, even to potentially dangerous operations like User and Project Provisioning. Can administer Project Members and Roles.
|Master|Full access except for operations that could cause accidental data loss or other irreversible changes.
|Developer|Read-write access to contribute to the Project
|Viewer|Read-only access to all data in the Project that is not security-relevant

Currently, the role assignment applies to all tools within a project.

{{info}}
Note:
To ensure the integrity of the applications in the context of the managed service, no customer user is allowed to get system admin permissions for the tools. The maximum permission for a customer user is the "Project Admin" role as described here.
{{/info}}

= User Permissions in DevOps Portal =

|=Role Type|=(% colspan="3" rowspan="1" %)Portal Role|=(% rowspan="23" %) |=(% colspan="4" %)Project Role
|**Role Name**|**User**|**Admin**|**Creator**|**Viewer**|**Developer**|**Master**|**Admin**
|Login to DevOps Portal|✅|✅|✅|✅|✅|✅|✅
|Logout from DevOps Portal|✅|✅|✅|✅|✅|✅|✅
|Change my password|✅|✅|✅|✅|✅|✅|✅
|Reset forgotten password|✅|✅|✅|✅|✅|✅|✅
|Display list of users|✅|✅|✅|✅|✅|✅|✅
|Search for user|✅|✅|✅|✅|✅|✅|✅
|Add or remove "Corporate Admin" role for user|❌|✅|❌|❌|❌|❌|❌
|Create User|❌|✅|✅|❌|❌|❌|❌
|Delete User|❌|✅|❌|❌|❌|❌|❌
|Lock User|❌|✅|❌|❌|❌|❌|❌
|Unlock User|❌|✅|❌|❌|❌|❌|❌
|Send invitation mail for first login|❌|✅|❌|❌|❌|❌|❌
|Display list of projects|❌|✅|❌|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects
|Search for project|❌|✅|❌|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects
|Create project|❌|✅|✅|❌|❌|❌|❌
|Delete project|❌|✅|❌|❌|❌|❌|❌
|Retire project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
|Reactivate project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
|Add User to Project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
|Remove User from Project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
|Display used storage by project/tool or total|❌|✅|❌|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects
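The Role Model invariant (exactly one role per member and project) and the portal matrix above can be encoded as a small policy check that also honours the "Only own projects" scope. This is an added example, not the DevOps Portal's own code: the `User` data model, the function names and the sample users are assumptions, and only a subset of the matrix rows is transcribed.

```python
from dataclasses import dataclass, field
from typing import Optional

PROJECT_ROLES = ("Viewer", "Developer", "Master", "Admin")  # per-project roles
PORTAL_ROLES = ("User", "Admin", "Creator")                 # portal-wide roles

# Constructed subset of the matrix above: action -> (portal roles allowed on
# all projects, project roles allowed on the user's own projects only)
PERMISSIONS = {
    "Display list of users":    ({"User", "Admin", "Creator"}, set(PROJECT_ROLES)),
    "Create User":              ({"Admin", "Creator"}, set()),
    "Delete User":              ({"Admin"}, set()),
    "Display list of projects": ({"Admin"}, set(PROJECT_ROLES)),
    "Create project":           ({"Admin", "Creator"}, set()),
    "Delete project":           ({"Admin"}, set()),
    "Retire project":           ({"Admin"}, {"Admin"}),
    "Add User to Project":      ({"Admin"}, {"Admin"}),
}

@dataclass
class User:
    name: str
    portal_role: str                                   # one of PORTAL_ROLES
    project_roles: dict = field(default_factory=dict)  # project key -> project role

def assign_project_role(user: User, project: str, role: str) -> None:
    """Role Model invariant: exactly one role per member and project. Keying
    by project makes a second role impossible; re-assigning replaces it."""
    if user.portal_role not in PORTAL_ROLES or role not in PROJECT_ROLES:
        raise ValueError(f"unknown role: {user.portal_role!r}/{role!r}")
    user.project_roles[project] = role

def scope(user: User, action: str) -> Optional[str]:
    """Widest scope the action is permitted in: "all" (granted by the portal
    role), "own" (only the user's own projects, the ⚠ cells) or None."""
    portal_ok, project_ok = PERMISSIONS[action]
    if user.portal_role in portal_ok:
        return "all"
    if any(r in project_ok for r in user.project_roles.values()):
        return "own"
    return None

def is_allowed(user: User, action: str, project: Optional[str] = None) -> bool:
    """Decide one request; project-scoped actions need the project key."""
    s = scope(user, action)
    if s == "all":
        return True
    if s == "own" and project is not None:
        return user.project_roles.get(project) in PERMISSIONS[action][1]
    return False
```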
91
92 = JIRA Project Roles / Permission Scheme =
93
94 In JIRA the Project Roles are first added to Security / Project Roles and then they get their Permissions assigned in the SDCloud Permission Scheme which has to associated later with the Jira Projects.
95
96 |=(((
97 Permission / Role
98 )))|=(((
99 Admin
100 )))|=(((
101 Master
102 )))|=(((
103 Developer
104 )))|=(((
105 Viewer
106 )))
107 |=(% colspan="1" %)(((
108 Project Permissions
109 )))|(% colspan="1" %)(((
110
111 )))|(% colspan="1" %)(((
112
113 )))|(% colspan="1" %)(((
114
115 )))|(% colspan="1" %)(((
116
117 )))
118 |Administer projects
119 Enabled Extended project administration|✅|❌|❌|❌
120 |Browse projects|✅|✅|✅|✅
121 |Manage sprints|✅|✅|❌|❌
122 |Service Desk Agent|✅|✅|✅|❌
123 |View development tool|✅|✅|✅|✅
124 |View (read-only) workflow|✅|✅|✅|✅
125 |=Issue Permissions| | | |
126 |Assign issues|✅|✅|✅|❌
127 |Assignable user|✅|✅|✅|❌
128 |Close issues|✅|✅|❌|❌
129 |Create issues|✅|✅|✅|❌
130 |Delete issues|✅|❌|❌|❌
131 |Edit issues|✅|✅|✅|❌
132 |Link issues|✅|✅|✅|❌
133 |Modify reporter|✅|✅|❌|❌
134 |Move issues|✅|✅|❌|❌
135 |Resolve issues|✅|✅|✅|❌
136 |Schedule issues|✅|✅|❌|❌
137 |Set issues security|✅|❌|❌|❌
138 |Transition issues|✅|✅|✅|❌
139 |=(% colspan="1" %)Voters & watchers permissions|(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %)
140 |Manage watcher list|✅|✅|❌|❌
141 |View voters and watchers|✅|✅|✅|❌
142 |=(% colspan="1" %)Comments permissions|(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %)
143 |Add comments|✅|✅|✅|❌
144 |Delete all comments|✅|❌|❌|❌
145 |Delete own comments|✅|✅|✅|❌
146 |Edit all comments|✅|❌|❌|❌
147 |Edit own comments|✅|✅|✅|❌
148 |=(% colspan="1" %)Attachments permissions|(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %)
149 |Create attachments|✅|✅|✅|❌
150 |Delete all attachments|✅|❌|❌|❌
151 |Delete own attachments|✅|✅|✅|❌
152 |=(% colspan="1" %)Time-tracking Permissions|(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %)
153 |Work on issues|✅|✅|✅|❌
154 |Delete all worklogs|✅|❌|❌|❌
155 |Delete own worklogs|✅|✅|✅|❌
156 |Edit all worklogs|✅|❌|❌|❌
157 |Edit own worklogs|✅|✅|✅|❌
158
159 * Service Desk Agent is only available if the software was added to JIRA
160
161 = Confluence Project Roles =
162
163 See vendor documentation for the exact meaning: [[https:~~/~~/confluence.atlassian.com/doc/space-permissions-overview-139521.html>>url:https://confluence.atlassian.com/doc/space-permissions-overview-139521.html]].
164
165 |=(((
166 Space
167 )))|=(% colspan="2" %)(((
168 All
169 )))|=(% colspan="2" %)(((
170 Pages
171 )))|=(% colspan="2" %)(((
172 Blog
173 )))|=(% colspan="2" %)(((
174 Attachments
175 )))|=(% colspan="2" %)(((
176 Comments
177 )))|=(((
178 Restrictions
179 )))|=(((
180 Mail
181 )))|=(% colspan="2" %)(((
182 Space
183 )))
184 |=(% colspan="1" %)Role/Operation|(% colspan="1" %)View|(% colspan="1" %)Delete Own|(% colspan="1" %)Add|(% colspan="1" %)Delete|(% colspan="1" %)Add|(% colspan="1" %)Delete|(% colspan="1" %)Add|(% colspan="1" %)Delete|(% colspan="1" %)Add|(% colspan="1" %)Delete|(% colspan="1" %)Add/Delete|(% colspan="1" %)Delete|(% colspan="1" %)Export|(% colspan="1" %)Admin
185 |=Admin|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅
186 |=Master|✅|✅|✅|❌|✅|❌|✅|❌|✅|✅|✅|❌|✅|❌
187 |=Developer|✅|✅|✅|❌|❌|❌|✅|❌|✅|❌|❌|❌|❌|❌
188 |=Viewer|✅|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌
189
190 = Bitbucket Project Roles =
191
192 |=(((
193
194 )))|=(((
195 Browse
196 )))|=(((
197 Clone / Pull
198 )))|=(% colspan="1" %)(((
199 Create, browse, comment on pull request
200 )))|=(% colspan="1" %)(((
201 Merge pull request
202 )))|=(% colspan="1" %)(((
203 Push
204 )))|=(% colspan="1" %)(((
205 Create repositories
206 )))|=(% colspan="1" %)(((
207 Edit settings / permissions
208 )))
209 |Admin|✅|✅|✅|✅|✅|✅|✅
210 |Master|✅|✅|✅|✅|✅|✅|❌
211 |Developer|✅|✅|✅|✅|✅|❌|❌
212 |Viewer|✅|✅|✅|❌|❌|❌|❌
213
214 //Repository permissions are inherited from project permissions.//
215
216 = Jenkins Project Roles =
217
218 |=(% colspan="1" %)(((
219 Permission
220 )))|=(((
221 Role
222 )))|=(((
223 Admin
224 )))|=(((
225 Master
226 )))|=(((
227 Developer
228 )))|=(((
229 Viewer
230 )))|=(% colspan="1" %)(((
231 Authenticated Users
232 )))|=(% colspan="1" %)(((
233 Anonymous Users
234 )))|=(% colspan="1" %)(((
235 Prometheus Tech User
236 )))
237 |=(% rowspan="5" %)Credentials|Create|✅|✅|❌|❌|❌|❌|❌
238 |Delete|✅|❌|❌|❌|❌|❌|❌
239 |Manage Domains|✅|❌|❌|❌|❌|❌|❌
240 |Update|✅|✅|❌|❌|❌|❌|❌
241 |View|✅|✅|✅|❌|❌|❌|❌
242 |=(% rowspan="10" %)Job|Build|✅|✅|✅|❌|❌|❌|❌
243 |Cancel|✅|✅|❌|❌|❌|❌|❌
244 |Configure|✅|✅|❌|❌|❌|❌|❌
245 |Create|✅|✅|❌|❌|❌|❌|❌
246 |Delete|✅|❌|❌|❌|❌|❌|❌
247 |Discover|✅|✅|✅|✅|❌|❌|❌
248 |ExtendedRead| | | | | | |
249 |Move|✅|❌|❌|❌|❌|❌|❌
250 |Read|✅|✅|✅|✅|❌|❌|❌
251 |Workspace|✅|✅|✅|❌|❌|❌|❌
252 |=(% rowspan="3" %)Run|Delete|✅|❌|❌|❌|❌|❌|❌
253 |Replay|✅|✅|✅|❌|❌|❌|❌
254 |Update|✅|✅|✅|❌|❌|❌|❌
255 |=Job Config History|DeleteEntry| | | | | | |
256 |=SCM|Tag|✅|✅|❌|❌|❌|❌|❌
257 |=Metrics|HealthCheck| | | | | | |
258 | |ThreadDump| | | | | | |
259 | |View| | | | | | |
260
261 = GitLab =
262
263 Users are assigned to Groups in GitLab with the following roles assignment.  Permissions within subordinated Subgroups and GitLab Projects are inherited.
264
265 |=(((
266 Project Role
267 )))|=(((
268 GitLab Group Members Permission
269 )))
270 |(((
271 Viewer
272 )))|(((
273 Reporter
274 )))
275 |(((
276 Developer
277 )))|(((
278 Developer
279 )))
280 |(% colspan="1" %)(((
281 Master
282 )))|(% colspan="1" %)(((
283 Maintainer
284 )))
285 |(% colspan="1" %)(((
286 Admin
287 )))|(% colspan="1" %)(((
288 Owner
289 )))
290
291 Regarding permissions for Group Permissions in GitLab, see [[https:~~/~~/docs.gitlab.com/ee/user/permissions.html#group-members-permissions>>url:https://docs.gitlab.com/ee/user/permissions.html#group-members-permissions]].
292
293 = Harbor Project Roles =
294
295 Harbor manages images through projects. You provide access to these images to users by including the users in projects and assigning one of the following roles to them:
296
297 |=(((
298 Harbor
299 )))|=(((
300 Portal
301 )))|=
302 |=Role Name|=Role Id|=Project Role
303 |Project Admin|1|ADMIN
304 |Maintainer|4|MASTER
305 |Developer|2|DEVELOPER
306 |Guest|3|VIEWER
307
308 === Harbor Roles Permissions ===
309
310 |=(((
311 Action
312 )))|=(((
313 Limited Guest
314 )))|=(((
315 Guest
316 )))|=(((
317 Developer
318 )))|=(((
319 Maintainer
320 )))|=(((
321 Project Admin
322 )))
323 |See the project configurations|✅|✅|✅|✅|✅
324 |Edit the project configurations|❌|❌|❌|❌|✅
325 |See a list of project members| |✅|✅|✅|✅
326 |Create/edit/delete project members|❌|❌|❌|❌|✅
327 |See a list of project logs|✅|✅|✅|✅|❌
328 |See a list of project replications|❌|❌|❌|✅|✅
329 |See a list of project replication jobs|❌|❌|❌|❌|✅
330 |See a list of project labels|❌|❌|❌|✅|✅
331 |Create/edit/delete project labels|❌|❌|❌|✅|✅
332 |See a list of repositories|✅|✅|✅|✅|✅
333 |Create repositories|❌|❌|✅|✅|✅
334 |Edit/delete repositories|❌|❌|❌|✅|✅
335 |See a list of images|✅|✅|✅|✅|✅
336 |Retag image|❌|✅|✅|✅|✅
337 |Pull image|✅|✅|✅|✅|✅
338 |Push image|❌|❌|✅|✅|✅
339 |Scan/delete image|❌|❌|❌|✅|✅
340 |Add scanners to Harbor *|❌|❌|❌|❌|❌
341 |Edit scanners in projects|❌|❌|❌|❌|✅
342 |See a list of image vulnerabilities|✅|✅|✅|✅|✅
343 |Create list of project vulnerabilities|❌|❌|✅|✅|✅
344 |Read list of project vulnerabilities|❌|❌|✅|✅|✅
345 |Export list of project vulnerabilities|❌|❌|✅|✅|✅
346 |See image build history|✅|✅|✅|✅|✅
347 |Add/Remove labels of image|❌|❌|✅|✅|✅
348 |See a list of helm charts|✅|✅|✅|✅|✅
349 |Download helm charts|✅|✅|✅|✅|✅
350 |Upload helm charts|❌|❌|✅|✅|✅
351 |Delete helm charts|❌|❌|❌|✅|✅
352 |See a list of helm chart versions|✅|✅|✅|✅|✅
353 |Download helm chart versions|✅|✅|✅|✅|✅
354 |Upload helm chart versions|❌|❌|✅|✅|✅
355 |Delete helm chart versions|❌|❌|❌|✅|✅
356 |Add/Remove labels of helm chart version|❌|❌|✅|✅|✅
357 |See a list of project robots|❌|❌|❌|✅|✅
358 |Create/edit/delete project robots|❌|❌|❌|❌|✅
359 |See configured CVE allowlist|✅|✅|✅|✅|✅
360 |Create/edit/remove CVE allowlist|❌|❌|❌|❌|✅
361 |View webhook events|❌|❌|❌|✅|✅
362 |Add new webhook events|❌|❌|❌|❌|✅
363 |Enable/deactivate webhooks|❌|❌|❌|❌|✅
364 |Create/delete tag retention rules|❌|❌|✅|✅|✅
365 |Enable/deactivate tag retention rules|❌|❌|✅|✅|✅
366 |Create/delete tag immutability rules|❌|❌|❌|✅|✅
367 |Enable/deactivate tag immutability rules|❌|❌|❌|✅|✅
368 |See project quotas|✅|✅|✅|✅|✅
369 |Edit project quotas *|❌|❌|❌|❌|❌
370 |Delete Project|❌|❌|❌|❌|✅
371
372 ~* Only the Harbor system administrator can edit project quotas and add new scanners.
373
374 = Gitea =
375
376 Please note, that some terms used in DevOps-as-a-Service have different names in Gitea. Please check the following table to avoid any confusion.
377
378 |=(((
379 DevOps Portal
380 )))|=(((
381 Gitea
382 )))
383 |(((
384 Project
385 )))|(((
386 Organization
387 )))
388 |(((
389 Project Role
390 )))|(((
391 Team
392 )))
393 |(((
394 Git Repository
395 )))|(((
396 Repository
397 )))
398 |(((
399 Artifact Repository
400 )))|(((
401 Package
402 )))
403 |(((
404 Issue Tracking
405 )))|(((
406 Project (currently disabled)
407 )))
408
409 The **Owner** team has full admin permission in the Organization. This is a technical user used by the DevOps Portal for auto-provisioning.
410
411 |=(((
412 Gitea Role
413 )))|=(((
414 Portal Project Role
415 )))|=Permissions
416 |(((
417 Viewer
418 )))|Viewer|Read
419 |(((
420 Developer
421 )))|(((
422 Developer
423 )))|Read, Write
424 |(% colspan="1" %)(((
425 Master
426 )))|(% colspan="1" %)Master|Read, Write
427 |(% colspan="1" %)Admin|(% colspan="1" %)Admin|Read, Write, Repository create
428
429 = Nexus Project Roles =
430
431 For each role in a project a role in Nexus is created which includes one Privilege for each repository in the project.
432
433 |=(((
434 Role
435 )))|=(((
436 Admin
437 )))|=(((
438 Master
439 )))|=(((
440 Developer
441 )))|=(((
442 Viewer
443 )))
444 |(((
445 ID
446 )))|(((
447 PROJECTKEY-admin
448 )))|(((
449 PROJECTKEY-master
450 )))|(((
451 PROJECTKEY-developer
452 )))|(((
453 PROJECTKEY-viewer
454 )))
455 |(((
456 Name
457 )))|(((
458 PROJECTKEY-admin
459 )))|(((
460 PROJECTKEY-master
461 )))|(((
462 PROJECTKEY-developer
463 )))|(((
464 PROJECTKEY-viewer
465 )))
466 |(((
467 Privilege
468 )))|(((
469 PROJECTKEY-docker-admin
470
471 PROJECTKEY-maven-admin
472
473 PROJECTKEY-//repotype//-admin
474 )))|(((
475 PROJECTKEY-docker-master
476
477 PROJECTKEY-maven-master
478
479 PROJECTKEY-//repotype//-master
480 )))|(((
481 PROJECTKEY-docker-developer
482
483 PROJECTKEY-maven-developer
484
485 PROJECTKEY-//repotype//-developer
486 )))|(((
487 PROJECTKEY-docker-viewer
488
489 PROJECTKEY-maven-viewer
490
491 PROJECTKEY-//repotype//-viewer
492 )))
493
494 For each role in a project a **Privilege of type Repository Content Selector** is created which combines Content Selector (Project), Repository (Docker Registry) and Actions depending on the role.
495
496 |=(((
497 Privilege / Role
498 )))|=(((
499 Admin
500 )))|=(((
501 Master
502 )))|=(((
503 Developer
504 )))|=(((
505 Viewer
506 )))
507 |(((
508 Name
509 )))|(((
510 PROJECTKEY-docker-admin
511 )))|(((
512 PROJECTKEY-docker-master
513 )))|(((
514 PROJECTKEY-docker-developer
515 )))|(((
516 PROJECTKEY-docker-viewer
517 )))
518 |(((
519 Content Selector
520 )))|(((
521 PROJECTKEY-docker
522 )))|(((
523 PROJECTKEY-docker
524 )))|(((
525 PROJECTKEY-docker
526 )))|(((
527 PROJECTKEY-docker
528 )))
529 |(((
530 Repository
531 )))|(((
532 docker-registry
533 )))|(((
534 docker-registry
535 )))|(((
536 docker-registry
537 )))|(((
538 docker-registry
539 )))
540 |(((
541 Actions
542 )))|(((
543 delete, add, edit, browse, read
544 )))|(((
545 add, edit, browse, read
546 )))|(((
547 add, edit, browse, read
548 )))|(((
549 browse, read
550 )))
551
552 See [[https:~~/~~/help.sonatype.com/repomanager3/security/privileges>>url:https://help.sonatype.com/repomanager3/nexus-repository-administration/access-control/privileges]] for available Actions.
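The naming scheme of both Nexus tables above can be generated for a project and checked for least privilege (only the admin privilege carries delete). This is an added example, not the DevOps Portal's or Nexus's own code: the function names, the sample project key "ACME" and the privilege `type` string are assumptions.

```python
from typing import Dict, List, Tuple

NEXUS_ROLES = ("admin", "master", "developer", "viewer")

# Actions of the docker-registry content selector privilege per role (table above)
ACTIONS: Dict[str, Tuple[str, ...]] = {
    "admin":     ("delete", "add", "edit", "browse", "read"),
    "master":    ("add", "edit", "browse", "read"),
    "developer": ("add", "edit", "browse", "read"),
    "viewer":    ("browse", "read"),
}

def nexus_role(project_key: str, role: str, repo_types: List[str]) -> dict:
    """One Nexus role per project role: ID and name are PROJECTKEY-role, and it
    carries one privilege PROJECTKEY-repotype-role per repository type."""
    if role not in NEXUS_ROLES:
        raise ValueError(f"unknown role {role!r}")
    name = f"{project_key}-{role}"
    return {"id": name, "name": name,
            "privileges": [f"{project_key}-{t}-{role}" for t in repo_types]}

def content_selector_privilege(project_key: str, role: str,
                               repo_type: str = "docker",
                               repository: str = "docker-registry") -> dict:
    """Repository Content Selector privilege: selector PROJECTKEY-repotype, the
    shared repository and the role's actions. The "type" string is assumed."""
    return {"name": f"{project_key}-{repo_type}-{role}",
            "type": "repository-content-selector",   # assumed Nexus type name
            "contentSelector": f"{project_key}-{repo_type}",
            "repository": repository,
            "actions": list(ACTIONS[role])}

def parse_privilege(name: str) -> Tuple[str, str, str]:
    """Split PROJECTKEY-repotype-role into its parts, splitting from the right
    so project keys that contain "-" themselves survive."""
    parts = name.rsplit("-", 2)
    if len(parts) != 3 or parts[2] not in NEXUS_ROLES:
        raise ValueError(f"{name!r} is not a PROJECTKEY-repotype-role privilege")
    return parts[0], parts[1], parts[2]

def delete_is_admin_only(project_key: str) -> bool:
    """Least-privilege check on the generated privileges: only the admin
    privilege may carry the delete action."""
    return all(("delete" in content_selector_privilege(project_key, r)["actions"])
               == (r == "admin") for r in NEXUS_ROLES)
```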