Wiki source code of Users and roles

Version 6.2 by Boris Folgmann on 2026/05/20 12:43

{{toc depth="1"/}}

= Role Model =

Each user who is a member of a project has to be in //exactly one// Project Role; a member can neither have no role nor several roles in the same project.

Different roles have different sets of permissions. Possible roles are:

|=Role|=Description
|Admin|Full access, even to potentially dangerous operations like User and Project Provisioning. Can administer Project Members and Roles.
|Master|Limited full access that avoids accidental data loss or other irreversible changes.
|Developer|Read-write access to contribute to the Project
|Viewer|Read-only access to all data in the Project that is not security-relevant

Currently, the role assignment applies to all tools within one project.

{{info}}
Note:
To ensure the integrity of the applications in the context of the managed service, no customer user is allowed to get system admin permissions for the tools. The maximum permission for a customer user is the "Project Admin" role as described here.
{{/info}}

= User Permissions in DevOps Portal =

|=(((
Role Type
)))|=(% colspan="3" rowspan="1" %)(((
Portal Role
)))|=(% rowspan="23" %) |=(% colspan="4" %)(((
Project Role
)))
|(((
**Role Name**
)))|(((
**User**
)))|(((
**Admin**
)))|(((
**Creator**
)))|(((
**Viewer**
)))|(((
**Developer**
)))|(((
**Master**
)))|(((
**Admin**
)))
|Login to DevOps Portal|✅|✅|✅|✅|✅|✅|✅
|Logout from DevOps Portal|✅|✅|✅|✅|✅|✅|✅
|Change my password|✅|✅|✅|✅|✅|✅|✅
|Reset forgotten password|✅|✅|✅|✅|✅|✅|✅
|Display list of users|✅|✅|✅|✅|✅|✅|✅
|Search for user|✅|✅|✅|✅|✅|✅|✅
|Add or remove "Corporate Admin" role to user|❌|✅|❌|❌|❌|❌|❌
|Create User|❌|✅|✅|❌|❌|❌|❌
|Delete User|❌|✅|❌|❌|❌|❌|❌
|Lock User|❌|✅|❌|❌|❌|❌|❌
|Unlock User|❌|✅|❌|❌|❌|❌|❌
|Send invitation mail for first login|❌|✅|❌|❌|❌|❌|❌
|Display list of projects|❌|✅|❌|⚠ Only their projects|⚠ Only their projects|⚠ Only their projects|⚠ Only their projects
|Search for project|❌|✅|❌|⚠ Only their projects|⚠ Only their projects|⚠ Only their projects|⚠ Only their projects
|Create project|❌|✅|✅|❌|❌|❌|❌
|Delete project|❌|✅|❌|❌|❌|❌|❌
|Retire project|❌|✅|❌|❌|❌|❌|⚠ Only their projects
|Reactivate project|❌|✅|❌|❌|❌|❌|⚠ Only their projects
|Add User to Project|❌|✅|❌|❌|❌|❌|⚠ Only their projects
|Remove User from Project|❌|✅|❌|❌|❌|❌|⚠ Only their projects
|Display used storage by project/tool or total|❌|✅|❌|⚠ Only their projects|⚠ Only their projects|⚠ Only their projects|⚠ Only their projects

= JIRA Project Roles / Permission Scheme =

In JIRA, the Project Roles are first added under Security / Project Roles and then get their Permissions assigned in the SDCloud Permission Scheme, which is later associated with the Jira Projects.

|=(((
Permission / Role
)))|=(((
Admin
)))|=(((
Master
)))|=(((
Developer
)))|=(((
Viewer
)))
|=Project Permissions| | | |
|Administer projects (Extended project administration enabled)|✅|❌|❌|❌
|Browse projects|✅|✅|✅|✅
|Manage sprints|✅|✅|❌|❌
|Service Desk Agent|✅|✅|✅|❌
|View development tool|✅|✅|✅|✅
|View (read-only) workflow|✅|✅|✅|✅
|=Issue Permissions| | | |
|Assign issues|✅|✅|✅|❌
|Assignable user|✅|✅|✅|❌
|Close issues|✅|✅|❌|❌
|Create issues|✅|✅|✅|❌
|Delete issues|✅|❌|❌|❌
|Edit issues|✅|✅|✅|❌
|Link issues|✅|✅|✅|❌
|Modify reporter|✅|✅|❌|❌
|Move issues|✅|✅|❌|❌
|Resolve issues|✅|✅|✅|❌
|Schedule issues|✅|✅|❌|❌
|Set issue security|✅|❌|❌|❌
|Transition issues|✅|✅|✅|❌
|=Voters & watchers permissions| | | |
|Manage watcher list|✅|✅|❌|❌
|View voters and watchers|✅|✅|✅|❌
|=Comments permissions| | | |
|Add comments|✅|✅|✅|❌
|Delete all comments|✅|❌|❌|❌
|Delete own comments|✅|✅|✅|❌
|Edit all comments|✅|❌|❌|❌
|Edit own comments|✅|✅|✅|❌
|=Attachments permissions| | | |
|Create attachments|✅|✅|✅|❌
|Delete all attachments|✅|❌|❌|❌
|Delete own attachments|✅|✅|✅|❌
|=Time-tracking Permissions| | | |
|Work on issues|✅|✅|✅|❌
|Delete all worklogs|✅|❌|❌|❌
|Delete own worklogs|✅|✅|✅|❌
|Edit all worklogs|✅|❌|❌|❌
|Edit own worklogs|✅|✅|✅|❌

* Service Desk Agent is only available if the Service Desk software was added to JIRA

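The matrices on this page all follow one pattern: a row per permission, one ✅/❌/⚠ cell per role, and roles that form a strict hierarchy. A cheap check when a scheme is edited is to parse the rows and confirm that no lower role is granted something a higher role is denied. The Python below is an added example written for this page, not code from the DevOps Portal or from any of the tools it describes. Its sample rows are copied from the JIRA table above and from the Harbor table further down this page; the column order and the privilege order are supplied by the caller, and a ⚠ cell is treated as a conditional grant ranked between ❌ and ✅.

```python
"""Check a ✅/❌/⚠ permission matrix in this page's XWiki table syntax for
hierarchy violations: no lower role may hold a grant a higher role is denied.
Added example for this page; not part of any tool described here."""
from dataclasses import dataclass

GRANT, CONDITIONAL, DENY = 2, 1, 0


def cell_rank(cell):
    """Rank one table cell; None for an empty cell or anything unrecognised."""
    cell = cell.strip()
    if cell.startswith("✅"):
        return GRANT
    if cell.startswith("⚠"):        # e.g. "⚠ Only their projects"
        return CONDITIONAL
    if cell.startswith("❌"):
        return DENY
    return None


@dataclass
class Row:
    permission: str
    ranks: list             # one rank per role column, in table column order


def parse_matrix(source, n_roles):
    """Parse single-line data rows "|Permission|cell|cell|...".  Header and
    section rows ("|=...") and rows whose cell count does not fit are skipped."""
    rows = []
    for line in source.splitlines():
        line = line.strip()
        if not line.startswith("|") or line.startswith("|="):
            continue
        cells = line[1:].split("|")
        if len(cells) != n_roles + 1:
            continue
        rows.append(Row(cells[0].strip(), [cell_rank(c) for c in cells[1:]]))
    return rows


def hierarchy_violations(rows, columns, ascending):
    """columns: role names in table column order; ascending: the same names
    from least to most privileged.  Returns (permission, lower_role, higher_role)
    for every adjacent pair in which the lower role outranks the higher one."""
    index = {name: i for i, name in enumerate(columns)}
    findings = []
    for row in rows:
        chain = [(role, row.ranks[index[role]]) for role in ascending]
        chain = [(role, rank) for role, rank in chain if rank is not None]
        for (lo, lo_rank), (hi, hi_rank) in zip(chain, chain[1:]):
            if lo_rank > hi_rank:
                findings.append((row.permission, lo, hi))
    return findings


def audit(source, columns, ascending):
    return hierarchy_violations(parse_matrix(source, len(columns)), columns, ascending)


# Sample rows copied from the JIRA table (columns Admin..Viewer, most privileged
# first) and from the Harbor table (least privileged first).
JIRA_ROWS = """
|Browse projects|✅|✅|✅|✅
|Manage sprints|✅|✅|❌|❌
|Delete issues|✅|❌|❌|❌
|=Issue Permissions| | | |
|Add comments|✅|✅|✅|❌
"""
JIRA_COLUMNS = ["Admin", "Master", "Developer", "Viewer"]
JIRA_ASCENDING = ["Viewer", "Developer", "Master", "Admin"]

HARBOR_ROWS = """
|See a list of project members| |✅|✅|✅|✅
|See a list of project logs|✅|✅|✅|✅|❌
|Push image|❌|❌|✅|✅|✅
"""
HARBOR_COLUMNS = ["Limited Guest", "Guest", "Developer", "Maintainer", "Project Admin"]

if __name__ == "__main__":
    print(audit(JIRA_ROWS, JIRA_COLUMNS, JIRA_ASCENDING))
    print(audit(HARBOR_ROWS, HARBOR_COLUMNS, HARBOR_COLUMNS))
```

Run over the Harbor rows, the check reports the "See a list of project logs" row, whose Project Admin cell is ❌ although every lower role has ✅; whether that is intended or a slip in the table is worth confirming against the Harbor instance before relying on it.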
= Confluence Project Roles =

See vendor documentation for the exact meaning: [[https:~~/~~/confluence.atlassian.com/doc/space-permissions-overview-139521.html>>url:https://confluence.atlassian.com/doc/space-permissions-overview-139521.html]].

|=(((
Space
)))|=(% colspan="2" %)(((
All
)))|=(% colspan="2" %)(((
Pages
)))|=(% colspan="2" %)(((
Blog
)))|=(% colspan="2" %)(((
Attachments
)))|=(% colspan="2" %)(((
Comments
)))|=(((
Restrictions
)))|=(((
Mail
)))|=(% colspan="2" %)(((
Space
)))
|=Role/Operation|View|Delete Own|Add|Delete|Add|Delete|Add|Delete|Add|Delete|Add/Delete|Delete|Export|Admin
|=Admin|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅
|=Master|✅|✅|✅|❌|✅|❌|✅|❌|✅|✅|✅|❌|✅|❌
|=Developer|✅|✅|✅|❌|❌|❌|✅|❌|✅|❌|❌|❌|❌|❌
|=Viewer|✅|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌

= Bitbucket Project Roles =

|=(((

)))|=(((
Browse
)))|=(((
Clone / Pull
)))|=(((
Create, browse, comment on pull request
)))|=(((
Merge pull request
)))|=(((
Push
)))|=(((
Create repositories
)))|=(((
Edit settings / permissions
)))
|Admin|✅|✅|✅|✅|✅|✅|✅
|Master|✅|✅|✅|✅|✅|✅|❌
|Developer|✅|✅|✅|✅|✅|❌|❌
|Viewer|✅|✅|✅|❌|❌|❌|❌

//Repository permissions are inherited from project permissions.//

= Jenkins Project Roles =

|=(((
Permission
)))|=(((
Role
)))|=(((
Admin
)))|=(((
Master
)))|=(((
Developer
)))|=(((
Viewer
)))|=(((
Authenticated Users
)))|=(((
Anonymous Users
)))|=(((
Prometheus Tech User
)))
|=(% rowspan="5" %)Credentials|Create|✅|✅|❌|❌|❌|❌|❌
|Delete|✅|❌|❌|❌|❌|❌|❌
|Manage Domains|✅|❌|❌|❌|❌|❌|❌
|Update|✅|✅|❌|❌|❌|❌|❌
|View|✅|✅|✅|❌|❌|❌|❌
|=(% rowspan="10" %)Job|Build|✅|✅|✅|❌|❌|❌|❌
|Cancel|✅|✅|❌|❌|❌|❌|❌
|Configure|✅|✅|❌|❌|❌|❌|❌
|Create|✅|✅|❌|❌|❌|❌|❌
|Delete|✅|❌|❌|❌|❌|❌|❌
|Discover|✅|✅|✅|✅|❌|❌|❌
|ExtendedRead| | | | | | |
|Move|✅|❌|❌|❌|❌|❌|❌
|Read|✅|✅|✅|✅|❌|❌|❌
|Workspace|✅|✅|✅|❌|❌|❌|❌
|=(% rowspan="3" %)Run|Delete|✅|❌|❌|❌|❌|❌|❌
|Replay|✅|✅|✅|❌|❌|❌|❌
|Update|✅|✅|✅|❌|❌|❌|❌
|=Job Config History|DeleteEntry| | | | | | |
|=SCM|Tag|✅|✅|❌|❌|❌|❌|❌
|=Metrics|HealthCheck| | | | | | |
| |ThreadDump| | | | | | |
| |View| | | | | | |

= GitLab =

Users are assigned to Groups in GitLab with the following role mapping. Permissions within subordinate Subgroups and GitLab Projects are inherited.

|=Project Role|=GitLab Group Members Permission
|Viewer|Reporter
|Developer|Developer
|Master|Maintainer
|Admin|Owner

For the Group Permissions in GitLab, see [[https:~~/~~/docs.gitlab.com/ee/user/permissions.html#group-members-permissions>>url:https://docs.gitlab.com/ee/user/permissions.html#group-members-permissions]].

= Harbor Project Roles =

Harbor manages images through projects. You give users access to these images by adding them to projects and assigning one of the following roles to them:

|=(% colspan="2" %)Harbor|=Portal
|=Role Name|=Role Id|=Project Role
|Project Admin|1|ADMIN
|Maintainer|4|MASTER
|Developer|2|DEVELOPER
|Guest|3|VIEWER

=== Harbor Roles Permissions ===

|=(((
Action
)))|=(((
Limited Guest
)))|=(((
Guest
)))|=(((
Developer
)))|=(((
Maintainer
)))|=(((
Project Admin
)))
|See the project configurations|✅|✅|✅|✅|✅
|Edit the project configurations|❌|❌|❌|❌|✅
|See a list of project members| |✅|✅|✅|✅
|Create/edit/delete project members|❌|❌|❌|❌|✅
|See a list of project logs|✅|✅|✅|✅|❌
|See a list of project replications|❌|❌|❌|✅|✅
|See a list of project replication jobs|❌|❌|❌|❌|✅
|See a list of project labels|❌|❌|❌|✅|✅
|Create/edit/delete project labels|❌|❌|❌|✅|✅
|See a list of repositories|✅|✅|✅|✅|✅
|Create repositories|❌|❌|✅|✅|✅
|Edit/delete repositories|❌|❌|❌|✅|✅
|See a list of images|✅|✅|✅|✅|✅
|Retag image|❌|✅|✅|✅|✅
|Pull image|✅|✅|✅|✅|✅
|Push image|❌|❌|✅|✅|✅
|Scan/delete image|❌|❌|❌|✅|✅
|Add scanners to Harbor *|❌|❌|❌|❌|❌
|Edit scanners in projects|❌|❌|❌|❌|✅
|See a list of image vulnerabilities|✅|✅|✅|✅|✅
|Create list of project vulnerabilities|❌|❌|✅|✅|✅
|Read list of project vulnerabilities|❌|❌|✅|✅|✅
|Export list of project vulnerabilities|❌|❌|✅|✅|✅
|See image build history|✅|✅|✅|✅|✅
|Add/Remove labels of image|❌|❌|✅|✅|✅
|See a list of helm charts|✅|✅|✅|✅|✅
|Download helm charts|✅|✅|✅|✅|✅
|Upload helm charts|❌|❌|✅|✅|✅
|Delete helm charts|❌|❌|❌|✅|✅
|See a list of helm chart versions|✅|✅|✅|✅|✅
|Download helm chart versions|✅|✅|✅|✅|✅
|Upload helm chart versions|❌|❌|✅|✅|✅
|Delete helm chart versions|❌|❌|❌|✅|✅
|Add/Remove labels of helm chart version|❌|❌|✅|✅|✅
|See a list of project robots|❌|❌|❌|✅|✅
|Create/edit/delete project robots|❌|❌|❌|❌|✅
|See configured CVE allowlist|✅|✅|✅|✅|✅
|Create/edit/remove CVE allowlist|❌|❌|❌|❌|✅
|View webhook events|❌|❌|❌|✅|✅
|Add new webhook events|❌|❌|❌|❌|✅
|Enable/deactivate webhooks|❌|❌|❌|❌|✅
|Create/delete tag retention rules|❌|❌|✅|✅|✅
|Enable/deactivate tag retention rules|❌|❌|✅|✅|✅
|Create/delete tag immutability rules|❌|❌|❌|✅|✅
|Enable/deactivate tag immutability rules|❌|❌|❌|✅|✅
|See project quotas|✅|✅|✅|✅|✅
|Edit project quotas *|❌|❌|❌|❌|❌
|Delete Project|❌|❌|❌|❌|✅

~* Only the Harbor system administrator can edit project quotas and add new scanners.

= Gitea =

Please note that some terms used in DevOps-as-a-Service have different names in Gitea. Check the following table to avoid confusion.

|=DevOps Portal|=Gitea
|Project|Organization
|Project Role|Team
|Git Repository|Repository
|Artifact Repository|Package
|Issue Tracking|Project (currently disabled)

The **Owner** team has full admin permission in the Organization. This is a technical user used by the DevOps Portal for auto-provisioning.

|=Gitea Role|=Portal Project Role|=Permissions
|Viewer|Viewer|Read
|Developer|Developer|Read, Write
|Master|Master|Read, Write
|Admin|Admin|Read, Write, Repository create

= Nexus Project Roles =

For each role in a project, a role in Nexus is created which includes one Privilege for each repository in the project.

|=(((
Role
)))|=(((
Admin
)))|=(((
Master
)))|=(((
Developer
)))|=(((
Viewer
)))
|(((
ID
)))|(((
PROJECTKEY-admin
)))|(((
PROJECTKEY-master
)))|(((
PROJECTKEY-developer
)))|(((
PROJECTKEY-viewer
)))
|(((
Name
)))|(((
PROJECTKEY-admin
)))|(((
PROJECTKEY-master
)))|(((
PROJECTKEY-developer
)))|(((
PROJECTKEY-viewer
)))
|(((
Privilege
)))|(((
PROJECTKEY-docker-admin

PROJECTKEY-maven-admin

PROJECTKEY-//repotype//-admin
)))|(((
PROJECTKEY-docker-master

PROJECTKEY-maven-master

PROJECTKEY-//repotype//-master
)))|(((
PROJECTKEY-docker-developer

PROJECTKEY-maven-developer

PROJECTKEY-//repotype//-developer
)))|(((
PROJECTKEY-docker-viewer

PROJECTKEY-maven-viewer

PROJECTKEY-//repotype//-viewer
)))

For each role in a project, a **Privilege of type Repository Content Selector** is created which combines Content Selector (Project), Repository (Docker Registry) and Actions depending on the role.

|=(((
Privilege / Role
)))|=(((
Admin
)))|=(((
Master
)))|=(((
Developer
)))|=(((
Viewer
)))
|(((
Name
)))|(((
PROJECTKEY-docker-admin
)))|(((
PROJECTKEY-docker-master
)))|(((
PROJECTKEY-docker-developer
)))|(((
PROJECTKEY-docker-viewer
)))
|(((
Content Selector
)))|(((
PROJECTKEY-docker
)))|(((
PROJECTKEY-docker
)))|(((
PROJECTKEY-docker
)))|(((
PROJECTKEY-docker
)))
|(((
Repository
)))|(((
docker-registry
)))|(((
docker-registry
)))|(((
docker-registry
)))|(((
docker-registry
)))
|(((
Actions
)))|(((
delete, add, edit, browse, read
)))|(((
add, edit, browse, read
)))|(((
add, edit, browse, read
)))|(((
browse, read
)))

See [[https:~~/~~/help.sonatype.com/repomanager3/security/privileges>>url:https://help.sonatype.com/repomanager3/nexus-repository-administration/access-control/privileges]] for available Actions.
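Because every Nexus role and privilege name above is derived mechanically from the project key, the expected configuration for a project can be generated and diffed against what the instance actually holds, which is the check an auditor wants after provisioning or after manual changes. The Python below is an added example for this page, not the Portal's provisioning code and not Sonatype's API. It builds the role ids, privilege names, content selectors and per-role actions from the two tables above; only the docker/docker-registry pairing is given on the page, so other repotype-to-repository pairings are the caller's assumption, and the export it compares against is constructed here, with field names (`name`, `contentSelector`, `repository`, `actions`) that are assumed rather than taken from the Nexus REST API.

```python
"""Generate the Nexus roles and Repository Content Selector privileges that the
naming scheme on this page implies for one project, and report drift against an
actual export.  Added example for this page; not the DevOps Portal's
provisioning code.  Export field names are assumed, not the Nexus REST API's."""
from dataclasses import dataclass, field

# "Actions" row of the privilege table, per project role.
ROLE_ACTIONS = {
    "admin": ("delete", "add", "edit", "browse", "read"),
    "master": ("add", "edit", "browse", "read"),
    "developer": ("add", "edit", "browse", "read"),
    "viewer": ("browse", "read"),
}


@dataclass(frozen=True)
class Privilege:
    name: str
    content_selector: str
    repository: str
    actions: frozenset


@dataclass
class Role:
    role_id: str
    name: str
    privileges: list = field(default_factory=list)


def expected_privileges(project_key, repositories):
    """repositories maps a repotype ("docker") to the Nexus repository hosting
    it ("docker-registry"); only that pairing is on the page, any other is the
    caller's assumption.  One privilege per repotype and role."""
    privs = []
    for repotype, repository in repositories.items():
        for role, actions in ROLE_ACTIONS.items():
            privs.append(Privilege(
                name=f"{project_key}-{repotype}-{role}",
                content_selector=f"{project_key}-{repotype}",
                repository=repository,
                actions=frozenset(actions),
            ))
    return privs


def expected_roles(project_key, repositories):
    """One Nexus role per project role; id and name are both PROJECTKEY-<role>,
    and the role carries the matching privilege for every repotype."""
    roles = {}
    for role in ROLE_ACTIONS:
        rid = f"{project_key}-{role}"
        roles[rid] = Role(rid, rid, [f"{project_key}-{rt}-{role}" for rt in repositories])
    return roles


def privilege_drift(expected, actual):
    """Compare expected privileges with an actual export (list of dicts with the
    keys name, contentSelector, repository, actions).  Reports privileges that
    are missing, unexpected, or present but granting more than the scheme says
    or pointing at another selector/repository."""
    exp = {p.name: p for p in expected}
    act = {a["name"]: a for a in actual}
    findings = {
        "missing": sorted(set(exp) - set(act)),
        "unexpected": sorted(set(act) - set(exp)),
        "mismatched": [],
    }
    for name in sorted(set(exp) & set(act)):
        extra_actions = sorted(set(act[name]["actions"]) - exp[name].actions)
        wrong_target = (act[name]["contentSelector"] != exp[name].content_selector
                        or act[name]["repository"] != exp[name].repository)
        if extra_actions or wrong_target:
            findings["mismatched"].append((name, extra_actions, wrong_target))
    return findings


# Constructed export for project key DEMO: the master privilege is missing, the
# viewer privilege additionally grants "edit", and a stray privilege exists.
DEMO_ACTUAL = [
    {"name": "DEMO-docker-admin", "contentSelector": "DEMO-docker",
     "repository": "docker-registry", "actions": ["delete", "add", "edit", "browse", "read"]},
    {"name": "DEMO-docker-developer", "contentSelector": "DEMO-docker",
     "repository": "docker-registry", "actions": ["add", "edit", "browse", "read"]},
    {"name": "DEMO-docker-viewer", "contentSelector": "DEMO-docker",
     "repository": "docker-registry", "actions": ["browse", "read", "edit"]},
    {"name": "DEMO-docker-legacy", "contentSelector": "DEMO-docker",
     "repository": "docker-registry", "actions": ["read"]},
]

if __name__ == "__main__":
    expected = expected_privileges("DEMO", {"docker": "docker-registry"})
    for kind, items in privilege_drift(expected, DEMO_ACTUAL).items():
        print(kind, items)
```

The three finding categories map to three different responses: a missing privilege is a provisioning gap, an unexpected one is something nobody on the Portal side created, and a mismatched one is a privilege that exists under the right name but grants more than the Viewer, Developer, Master or Admin column of the table allows.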