Wiki source code of Users and roles

Version 6.3 by Boris Folgmann on 2026/05/20 13:10

{{toc depth="1"/}}

= Role Model =

Each user who is a member of a project holds //exactly one// Project Role: a member can neither have no role nor hold several roles in the same project.

Different roles have different sets of permissions. Possible roles are:

|=Role|=Description
|Admin|Full access, including potentially dangerous operations such as deleting content in the Project. Can administer Project Members and Roles.
|Master|Elevated write access, excluding potentially dangerous operations that can lead to massive data loss or other irreversible changes.
|Developer|General read-write access to contribute to the Project.
|Viewer|Read-only access to all data in the Project that is not security-relevant.

Currently, the role assignment applies to all tools within a project; a user cannot hold different roles in different tools of the same project.

{{info}}
Note:
To protect the integrity of the applications in the managed service, no customer user is granted system administrator permissions in any of the tools. The highest permission level available to a customer user is the "Project Admin" role described here.
{{/info}}

= User Permissions in DevOps Portal =

|=Role Type|=(% colspan="3" %)Portal Role|=(% rowspan="23" %) |=(% colspan="4" %)Project Role
|**Role Name**|**User**|**Admin**|**Creator**|**Viewer**|**Developer**|**Master**|**Admin**
|Login to DevOps Portal|✅|✅|✅|✅|✅|✅|✅
|Logout from DevOps Portal|✅|✅|✅|✅|✅|✅|✅
|Change my password|✅|✅|✅|✅|✅|✅|✅
|Reset forgotten password|✅|✅|✅|✅|✅|✅|✅
|Display list of users|✅|✅|✅|✅|✅|✅|✅
|Search for user|✅|✅|✅|✅|✅|✅|✅
|Add or remove "Corporate Admin" role to user|❌|✅|❌|❌|❌|❌|❌
|Create User|❌|✅|✅|❌|❌|❌|❌
|Delete User|❌|✅|❌|❌|❌|❌|❌
|Lock User|❌|✅|❌|❌|❌|❌|❌
|Unlock User|❌|✅|❌|❌|❌|❌|❌
|Send invitation mail for first login|❌|✅|❌|❌|❌|❌|❌
|Display list of projects|❌|✅|❌|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects
|Search for project|❌|✅|❌|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects
|Create project|❌|✅|✅|❌|❌|❌|❌
|Delete project|❌|✅|❌|❌|❌|❌|❌
|Retire project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
|Reactivate project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
|Add User to Project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
|Remove User from Project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
|Display used storage by project/tool or total|❌|✅|❌|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects
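
The matrix above combines two independent dimensions: a Portal Role every user has, and at most one Project Role per project. The cells marked "Only own projects" are scoped grants: the action is allowed only in a project where the caller holds a sufficient Project Role. The following Python model, added here as an illustration and not the Portal's own code, makes those semantics explicit, enforces the "exactly one Project Role" rule from the Role Model section, and decides an action for a user; the action labels (`retire_project`, `grant_corporate_admin`, ...) are names chosen for the example, not Portal identifiers, and the rule table is an excerpt of the matrix.

```python
"""Authorization model combining Portal Role and Project Role.

Added example; this is not the DevOps Portal's own code. RULES is an excerpt
of the permission matrix above; the action names are labels chosen here.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class PortalRole(Enum):
    USER = "User"
    ADMIN = "Admin"
    CREATOR = "Creator"


class ProjectRole(Enum):
    # Ranked so that "at least Master" can be written as a comparison.
    VIEWER = 1
    DEVELOPER = 2
    MASTER = 3
    ADMIN = 4


# action -> (portal roles granted everywhere, minimum Project Role that is
# granted inside the caller's own projects, i.e. the "Only own projects" cells)
Rule = Tuple[Set[PortalRole], Optional[ProjectRole]]
RULES: Dict[str, Rule] = {
    "login":                 ({PortalRole.USER, PortalRole.ADMIN, PortalRole.CREATOR}, None),
    "list_users":            ({PortalRole.USER, PortalRole.ADMIN, PortalRole.CREATOR}, None),
    "grant_corporate_admin": ({PortalRole.ADMIN}, None),
    "create_user":           ({PortalRole.ADMIN, PortalRole.CREATOR}, None),
    "delete_user":           ({PortalRole.ADMIN}, None),
    "lock_user":             ({PortalRole.ADMIN}, None),
    "list_projects":         ({PortalRole.ADMIN}, ProjectRole.VIEWER),
    "create_project":        ({PortalRole.ADMIN, PortalRole.CREATOR}, None),
    "delete_project":        ({PortalRole.ADMIN}, None),
    "retire_project":        ({PortalRole.ADMIN}, ProjectRole.ADMIN),
    "add_user_to_project":   ({PortalRole.ADMIN}, ProjectRole.ADMIN),
    "display_storage":       ({PortalRole.ADMIN}, ProjectRole.VIEWER),
}


@dataclass
class User:
    name: str
    portal_role: PortalRole
    project_roles: Dict[str, ProjectRole] = field(default_factory=dict)

    def assign(self, project: str, role: ProjectRole) -> None:
        """Exactly one Project Role per project: re-assigning replaces, never adds."""
        self.project_roles[project] = role

    def remove(self, project: str) -> None:
        """Leaving a project drops the role; a member without a role cannot exist."""
        self.project_roles.pop(project, None)


def is_allowed(user: User, action: str, project: Optional[str] = None) -> bool:
    """Decide whether `user` may perform `action`, optionally on `project`.

    Unknown actions raise instead of silently allowing or denying, so a typo
    in a caller shows up in testing rather than as a wrong decision.
    """
    if action not in RULES:
        raise ValueError(f"unknown action {action!r}")
    portal_roles, min_project_role = RULES[action]
    if user.portal_role in portal_roles:
        return True                              # unconditional grant via Portal Role
    if min_project_role is None or project is None:
        return False                             # no scoped grant exists for this action
    held = user.project_roles.get(project)       # None: not a member of that project
    return held is not None and held.value >= min_project_role.value


def visible_projects(user: User, all_projects: List[str]) -> List[str]:
    """'Display list of projects': all of them for a Portal Admin, own ones otherwise."""
    return [p for p in all_projects if is_allowed(user, "list_projects", p)]


if __name__ == "__main__":
    alice = User("alice", PortalRole.USER)
    alice.assign("PRJ1", ProjectRole.ADMIN)
    alice.assign("PRJ2", ProjectRole.DEVELOPER)
    print(is_allowed(alice, "add_user_to_project", "PRJ1"))   # True
    print(is_allowed(alice, "add_user_to_project", "PRJ2"))   # False
    print(visible_projects(alice, ["PRJ1", "PRJ2", "PRJ3"]))  # ['PRJ1', 'PRJ2']
```

Note that membership is checked per project: a Project Admin of PRJ1 who is only a Developer in PRJ2 cannot add users to PRJ2, and a non-member gets nothing at all, which is exactly what the "Only own projects" cells express.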

= JIRA Project Roles / Permission Scheme =

In JIRA the Project Roles are first created under Security / Project Roles; they are then granted their Permissions in the SDCloud Permission Scheme, which has to be associated with the Jira Projects afterwards.

|=Permission / Role|=Admin|=Master|=Developer|=Viewer
|=Project Permissions| | | |
|Administer projects (Extended project administration enabled)|✅|❌|❌|❌
|Browse projects|✅|✅|✅|✅
|Manage sprints|✅|✅|❌|❌
|Service Desk Agent *|✅|✅|✅|❌
|View development tool|✅|✅|✅|✅
|View (read-only) workflow|✅|✅|✅|✅
|=Issue Permissions| | | |
|Assign issues|✅|✅|✅|❌
|Assignable user|✅|✅|✅|❌
|Close issues|✅|✅|❌|❌
|Create issues|✅|✅|✅|❌
|Delete issues|✅|❌|❌|❌
|Edit issues|✅|✅|✅|❌
|Link issues|✅|✅|✅|❌
|Modify reporter|✅|✅|❌|❌
|Move issues|✅|✅|❌|❌
|Resolve issues|✅|✅|✅|❌
|Schedule issues|✅|✅|❌|❌
|Set issue security|✅|❌|❌|❌
|Transition issues|✅|✅|✅|❌
|=Voters & watchers permissions| | | |
|Manage watcher list|✅|✅|❌|❌
|View voters and watchers|✅|✅|✅|❌
|=Comments permissions| | | |
|Add comments|✅|✅|✅|❌
|Delete all comments|✅|❌|❌|❌
|Delete own comments|✅|✅|✅|❌
|Edit all comments|✅|❌|❌|❌
|Edit own comments|✅|✅|✅|❌
|=Attachments permissions| | | |
|Create attachments|✅|✅|✅|❌
|Delete all attachments|✅|❌|❌|❌
|Delete own attachments|✅|✅|✅|❌
|=Time-tracking permissions| | | |
|Work on issues|✅|✅|✅|❌
|Delete all worklogs|✅|❌|❌|❌
|Delete own worklogs|✅|✅|✅|❌
|Edit all worklogs|✅|❌|❌|❌
|Edit own worklogs|✅|✅|✅|❌

~* Service Desk Agent is only available if Jira Service Desk has been installed on the JIRA instance.
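
Because the permission scheme is edited in the Jira UI and shared by all projects, the practical risk is drift: a permission granted to the wrong role, or to a group or "anyone" outside the role model. The script below, added here as an example and not part of SDCloud's provisioning, compares a permission scheme with the matrix above. It assumes the JSON shape returned by Jira's REST API (`GET /rest/api/2/permissionscheme/{id}?expand=permissions`, one entry per grant with `holder.type` and, for project roles, `holder.projectRole.name`) and the Jira Server/Data Center permission keys as I know them (`DELETE_ISSUES`, `MANAGE_SPRINTS_PERMISSION`, ...); verify both against the instance before relying on the output. `SAMPLE_SCHEME` is constructed and deliberately contains three kinds of drift.

```python
"""Drift check: does a Jira permission scheme match the SDCloud matrix above?

Added example, not part of the page or of the SDCloud provisioning. Permission
keys and the input JSON shape are assumptions (Jira Server/DC REST API);
SAMPLE_SCHEME is constructed test data.
"""
from typing import Dict, List, Set, Tuple

ROLES = ("Admin", "Master", "Developer", "Viewer")   # highest to lowest

# Every row of the matrix is a prefix of ROLES, so recording the lowest role
# that still holds the permission describes the whole row.
LOWEST_ROLE: Dict[str, str] = {}
for key in ("ADMINISTER_PROJECTS", "DELETE_ISSUES", "SET_ISSUE_SECURITY",
            "DELETE_ALL_COMMENTS", "EDIT_ALL_COMMENTS", "DELETE_ALL_ATTACHMENTS",
            "DELETE_ALL_WORKLOGS", "EDIT_ALL_WORKLOGS"):
    LOWEST_ROLE[key] = "Admin"
for key in ("MANAGE_SPRINTS_PERMISSION", "CLOSE_ISSUES", "MODIFY_REPORTER",
            "MOVE_ISSUES", "SCHEDULE_ISSUES", "MANAGE_WATCHERS"):
    LOWEST_ROLE[key] = "Master"
for key in ("SERVICEDESK_AGENT", "ASSIGN_ISSUES", "ASSIGNABLE_USER", "CREATE_ISSUES",
            "EDIT_ISSUES", "LINK_ISSUES", "RESOLVE_ISSUES", "TRANSITION_ISSUES",
            "VIEW_VOTERS_AND_WATCHERS", "ADD_COMMENTS", "DELETE_OWN_COMMENTS",
            "EDIT_OWN_COMMENTS", "CREATE_ATTACHMENTS", "DELETE_OWN_ATTACHMENTS",
            "WORK_ON_ISSUES", "DELETE_OWN_WORKLOGS", "EDIT_OWN_WORKLOGS"):
    LOWEST_ROLE[key] = "Developer"
for key in ("BROWSE_PROJECTS", "VIEW_DEV_TOOLS", "VIEW_READONLY_WORKFLOW"):
    LOWEST_ROLE[key] = "Viewer"


def expected_roles(permission: str) -> Set[str]:
    """Roles that should hold `permission`: every role down to LOWEST_ROLE."""
    return set(ROLES[: ROLES.index(LOWEST_ROLE[permission]) + 1])


def audit(scheme: dict) -> Dict[str, object]:
    """Compare a permission scheme with the matrix.

    Returns {"missing": {perm: roles}, "extra": {perm: roles},
             "foreign": [(perm, holder_type, parameter)]}.
    "foreign" lists grants to anything other than a project role (groups,
    single users, "anyone"); those bypass the role model and must not exist.
    """
    actual: Dict[str, Set[str]] = {}
    foreign: List[Tuple[str, str, str]] = []
    for grant in scheme["permissions"]:
        perm, holder = grant["permission"], grant["holder"]
        if holder["type"] == "projectRole":
            actual.setdefault(perm, set()).add(holder["projectRole"]["name"])
        else:
            foreign.append((perm, holder["type"], holder.get("parameter", "")))
    missing: Dict[str, Set[str]] = {}
    extra: Dict[str, Set[str]] = {}
    for perm in set(LOWEST_ROLE) | set(actual):
        want = expected_roles(perm) if perm in LOWEST_ROLE else set()   # unknown key: nobody should hold it
        have = actual.get(perm, set())
        if want - have:
            missing[perm] = want - have
        if have - want:
            extra[perm] = have - want
    return {"missing": missing, "extra": extra, "foreign": foreign}


def _role_grant(perm: str, role: str) -> dict:
    # Shape of one projectRole holder as returned by the API (role ids are made up).
    return {"permission": perm,
            "holder": {"type": "projectRole", "parameter": str(10000 + ROLES.index(role)),
                       "projectRole": {"name": role}}}


# Constructed sample: Viewer lost Browse projects, Developer gained Delete
# issues, and a group was granted Administer projects directly.
SAMPLE_SCHEME = {
    "id": 10100, "name": "SDCloud Permission Scheme",
    "permissions": [
        _role_grant("BROWSE_PROJECTS", "Admin"),
        _role_grant("BROWSE_PROJECTS", "Master"),
        _role_grant("BROWSE_PROJECTS", "Developer"),
        _role_grant("DELETE_ISSUES", "Admin"),
        _role_grant("DELETE_ISSUES", "Developer"),
        _role_grant("ADMINISTER_PROJECTS", "Admin"),
        {"permission": "ADMINISTER_PROJECTS",
         "holder": {"type": "group", "parameter": "jira-software-users"}},
    ],
}

if __name__ == "__main__":
    result = audit(SAMPLE_SCHEME)
    print("missing BROWSE_PROJECTS:", result["missing"]["BROWSE_PROJECTS"])   # {'Viewer'}
    print("extra:", result["extra"])                                         # {'DELETE_ISSUES': {'Developer'}}
    print("foreign:", result["foreign"])
```

Running it against a real scheme, every permission that the sample does not mention is reported as missing for all of its roles, which is the intended fail-loud behaviour: an exported scheme that lacks a whole row is as wrong as one with a stray grant.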

= Confluence Project Roles =

See the vendor documentation for the exact meaning of each operation: [[https:~~/~~/confluence.atlassian.com/doc/space-permissions-overview-139521.html>>url:https://confluence.atlassian.com/doc/space-permissions-overview-139521.html]].

|=Permission group|=(% colspan="2" %)All|=(% colspan="2" %)Pages|=(% colspan="2" %)Blog|=(% colspan="2" %)Attachments|=(% colspan="2" %)Comments|=Restrictions|=Mail|=(% colspan="2" %)Space
|=Role / Operation|View|Delete Own|Add|Delete|Add|Delete|Add|Delete|Add|Delete|Add/Delete|Delete|Export|Admin
|=Admin|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅
|=Master|✅|✅|✅|❌|✅|❌|✅|❌|✅|✅|✅|❌|✅|❌
|=Developer|✅|✅|✅|❌|❌|❌|✅|❌|✅|❌|❌|❌|❌|❌
|=Viewer|✅|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌

= Bitbucket Project Roles =

|=Role|=Browse|=Clone / Pull|=Create, browse, comment on pull request|=Merge pull request|=Push|=Create repositories|=Edit settings / permissions
|Admin|✅|✅|✅|✅|✅|✅|✅
|Master|✅|✅|✅|✅|✅|✅|❌
|Developer|✅|✅|✅|✅|✅|❌|❌
|Viewer|✅|✅|✅|❌|❌|❌|❌

//Repository permissions are inherited from project permissions.//

= Jenkins Project Roles =

|=Permission group|=Permission|=Admin|=Master|=Developer|=Viewer|=Authenticated Users|=Anonymous Users|=Prometheus Tech User
|=(% rowspan="5" %)Credentials|Create|✅|✅|❌|❌|❌|❌|❌
|Delete|✅|❌|❌|❌|❌|❌|❌
|Manage Domains|✅|❌|❌|❌|❌|❌|❌
|Update|✅|✅|❌|❌|❌|❌|❌
|View|✅|✅|✅|❌|❌|❌|❌
|=(% rowspan="10" %)Job|Build|✅|✅|✅|❌|❌|❌|❌
|Cancel|✅|✅|❌|❌|❌|❌|❌
|Configure|✅|✅|❌|❌|❌|❌|❌
|Create|✅|✅|❌|❌|❌|❌|❌
|Delete|✅|❌|❌|❌|❌|❌|❌
|Discover|✅|✅|✅|✅|❌|❌|❌
|ExtendedRead| | | | | | |
|Move|✅|❌|❌|❌|❌|❌|❌
|Read|✅|✅|✅|✅|❌|❌|❌
|Workspace|✅|✅|✅|❌|❌|❌|❌
|=(% rowspan="3" %)Run|Delete|✅|❌|❌|❌|❌|❌|❌
|Replay|✅|✅|✅|❌|❌|❌|❌
|Update|✅|✅|✅|❌|❌|❌|❌
|=Job Config History|DeleteEntry| | | | | | |
|=SCM|Tag|✅|✅|❌|❌|❌|❌|❌
|=(% rowspan="3" %)Metrics|HealthCheck| | | | | | |
|ThreadDump| | | | | | |
|View| | | | | | |

= GitLab =

Users are assigned to Groups in GitLab with the following role mapping. Permissions are inherited by subordinate Subgroups and GitLab Projects.

|=Project Role|=GitLab Group Members Permission
|Viewer|Reporter
|Developer|Developer
|Master|Maintainer
|Admin|Owner

For the permissions attached to each GitLab group role, see [[https:~~/~~/docs.gitlab.com/ee/user/permissions.html#group-members-permissions>>url:https://docs.gitlab.com/ee/user/permissions.html#group-members-permissions]].

= Harbor Project Roles =

Harbor manages images in projects. Users get access to these images by being added to a project with one of the following Harbor roles, which map to the Portal Project Roles as shown:

|=(% colspan="2" %)Harbor|=Portal
|=Role Name|=Role Id|=Project Role
|Project Admin|1|ADMIN
|Maintainer|4|MASTER
|Developer|2|DEVELOPER
|Guest|3|VIEWER

=== Harbor Roles Permissions ===

|=Action|=Limited Guest|=Guest|=Developer|=Maintainer|=Project Admin
|See the project configurations|✅|✅|✅|✅|✅
|Edit the project configurations|❌|❌|❌|❌|✅
|See a list of project members| |✅|✅|✅|✅
|Create/edit/delete project members|❌|❌|❌|❌|✅
|See a list of project logs|✅|✅|✅|✅|❌
|See a list of project replications|❌|❌|❌|✅|✅
|See a list of project replication jobs|❌|❌|❌|❌|✅
|See a list of project labels|❌|❌|❌|✅|✅
|Create/edit/delete project labels|❌|❌|❌|✅|✅
|See a list of repositories|✅|✅|✅|✅|✅
|Create repositories|❌|❌|✅|✅|✅
|Edit/delete repositories|❌|❌|❌|✅|✅
|See a list of images|✅|✅|✅|✅|✅
|Retag image|❌|✅|✅|✅|✅
|Pull image|✅|✅|✅|✅|✅
|Push image|❌|❌|✅|✅|✅
|Scan/delete image|❌|❌|❌|✅|✅
|Add scanners to Harbor *|❌|❌|❌|❌|❌
|Edit scanners in projects|❌|❌|❌|❌|✅
|See a list of image vulnerabilities|✅|✅|✅|✅|✅
|Create list of project vulnerabilities|❌|❌|✅|✅|✅
|Read list of project vulnerabilities|❌|❌|✅|✅|✅
|Export list of project vulnerabilities|❌|❌|✅|✅|✅
|See image build history|✅|✅|✅|✅|✅
|Add/Remove labels of image|❌|❌|✅|✅|✅
|See a list of helm charts|✅|✅|✅|✅|✅
|Download helm charts|✅|✅|✅|✅|✅
|Upload helm charts|❌|❌|✅|✅|✅
|Delete helm charts|❌|❌|❌|✅|✅
|See a list of helm chart versions|✅|✅|✅|✅|✅
|Download helm chart versions|✅|✅|✅|✅|✅
|Upload helm chart versions|❌|❌|✅|✅|✅
|Delete helm chart versions|❌|❌|❌|✅|✅
|Add/Remove labels of helm chart version|❌|❌|✅|✅|✅
|See a list of project robots|❌|❌|❌|✅|✅
|Create/edit/delete project robots|❌|❌|❌|❌|✅
|See configured CVE allowlist|✅|✅|✅|✅|✅
|Create/edit/remove CVE allowlist|❌|❌|❌|❌|✅
|View webhook events|❌|❌|❌|✅|✅
|Add new webhook events|❌|❌|❌|❌|✅
|Enable/deactivate webhooks|❌|❌|❌|❌|✅
|Create/delete tag retention rules|❌|❌|✅|✅|✅
|Enable/deactivate tag retention rules|❌|❌|✅|✅|✅
|Create/delete tag immutability rules|❌|❌|❌|✅|✅
|Enable/deactivate tag immutability rules|❌|❌|❌|✅|✅
|See project quotas|✅|✅|✅|✅|✅
|Edit project quotas *|❌|❌|❌|❌|❌
|Delete Project|❌|❌|❌|❌|✅

~* Only the Harbor system administrator can edit project quotas and add new scanners.
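
A check a reviewer wants for every matrix on this page is that the roles form a ladder: each role keeps everything the role below it has, so that nobody can gain a permission by asking for a demotion. The Python below, added here as an example and not part of the page, parses single-line XWiki table rows (`|=header|=...` and `|cell|✅|❌`), ranks the roles in header order from lowest to highest and reports every break in the ladder. `HARBOR_ROWS` is a constructed excerpt of the table above with the header flattened to one line; run on it, the check reports that Project Admin lacks "See a list of project logs" although every lower role holds it, which should be confirmed against the Harbor documentation as either a transcription error or an intentional exception. The same function works on the Jira, Bitbucket and Jenkins tables once their columns are given lowest-to-highest.

```python
"""Least-privilege ladder check for a role/permission matrix in XWiki syntax.

Added example, not part of the page. HARBOR_ROWS is a constructed excerpt of
the Harbor table; only single-line cells are parsed, pass `roles` explicitly
for headers written with multi-line ((( ))) groups.
"""
import re
from typing import Dict, List, Optional, Tuple

_PARAMS = re.compile(r"\(%.*?%\)")   # XWiki cell parameters such as (% colspan="1" %)

Cell = Optional[bool]                 # True = ✅, False = ❌, None = blank / unknown


def _cells(line: str) -> List[str]:
    parts = _PARAMS.sub("", line.strip()).split("|")[1:]   # text before the first '|' is empty
    return [p.lstrip("=").strip() for p in parts]


def parse_matrix(text: str, roles: Optional[List[str]] = None) -> Tuple[List[str], Dict[str, List[Cell]]]:
    """Return (roles, {permission: [cell per role]}) for the table rows in `text`.

    The first `|=` row supplies the role order unless `roles` is given; later
    `|=` rows (section headers such as "Issue Permissions") are skipped.
    """
    matrix: Dict[str, List[Cell]] = {}
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                                   # headings, prose, blank lines
        cells = _cells(line)
        if line.startswith("|="):
            if roles is None:
                roles = cells[1:]
            continue
        if roles is None:
            raise ValueError("no header row found and no roles given")
        marks = [(True if c == "✅" else False if c == "❌" else None) for c in cells[1:]]
        if len(marks) != len(roles):
            raise ValueError(f"row {cells[0]!r} has {len(marks)} cells, expected {len(roles)}")
        matrix[cells[0]] = marks
    return roles, matrix


def ladder_violations(roles: List[str], matrix: Dict[str, List[Cell]]) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """(permission, higher role lacking it, lower roles holding it) for each break in the ladder."""
    out = []
    for perm, marks in matrix.items():
        for hi, held in enumerate(marks):
            if held is False:
                lower = tuple(roles[lo] for lo in range(hi) if marks[lo] is True)
                if lower:
                    out.append((perm, roles[hi], lower))
    return out


# Constructed excerpt of the Harbor table above; columns run lowest to highest.
HARBOR_ROWS = """\
|=Action|=Limited Guest|=Guest|=Developer|=Maintainer|=Project Admin
|See the project configurations|✅|✅|✅|✅|✅
|Edit the project configurations|❌|❌|❌|❌|✅
|See a list of project members| |✅|✅|✅|✅
|See a list of project logs|✅|✅|✅|✅|❌
|Retag image|❌|✅|✅|✅|✅
|Push image|❌|❌|✅|✅|✅
|Edit project quotas *|❌|❌|❌|❌|❌
"""

if __name__ == "__main__":
    for perm, role, lower in ladder_violations(*parse_matrix(HARBOR_ROWS)):
        print(f"{role} lacks {perm!r} although {', '.join(lower)} hold it")
```

Blank cells are treated as unknown rather than as ❌, so the empty Limited Guest cell in "See a list of project members" is not reported; a table that mixes blanks and ❌ for "no" should be normalised before trusting the result.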

= Gitea =

Note that some terms used in DevOps-as-a-Service have different names in Gitea. Use the following table to avoid confusion.

|=DevOps Portal|=Gitea
|Project|Organization
|Project Role|Team
|Git Repository|Repository
|Artifact Repository|Package
|Issue Tracking|Project (currently disabled)

The **Owner** team has full admin permission in the Organization. It is reserved for a technical user that the DevOps Portal uses for auto-provisioning.

|=Gitea Role|=Portal Project Role|=Permissions
|Viewer|Viewer|Read
|Developer|Developer|Read, Write
|Master|Master|Read, Write
|Admin|Admin|Read, Write, Repository create

= Nexus Project Roles =

For each Project Role a Nexus role is created which contains one Privilege for each repository type (docker, maven, ...) used in the project.

|=Role|=Admin|=Master|=Developer|=Viewer
|ID|PROJECTKEY-admin|PROJECTKEY-master|PROJECTKEY-developer|PROJECTKEY-viewer
|Name|PROJECTKEY-admin|PROJECTKEY-master|PROJECTKEY-developer|PROJECTKEY-viewer
|Privilege|(((
PROJECTKEY-docker-admin

PROJECTKEY-maven-admin

PROJECTKEY-//repotype//-admin
)))|(((
PROJECTKEY-docker-master

PROJECTKEY-maven-master

PROJECTKEY-//repotype//-master
)))|(((
PROJECTKEY-docker-developer

PROJECTKEY-maven-developer

PROJECTKEY-//repotype//-developer
)))|(((
PROJECTKEY-docker-viewer

PROJECTKEY-maven-viewer

PROJECTKEY-//repotype//-viewer
)))

For each Project Role a **Privilege of type Repository Content Selector** is created, which combines a Content Selector (restricting access to the project's own content), a Repository (here the Docker registry) and the Actions granted to the role.

|=Privilege / Role|=Admin|=Master|=Developer|=Viewer
|Name|PROJECTKEY-docker-admin|PROJECTKEY-docker-master|PROJECTKEY-docker-developer|PROJECTKEY-docker-viewer
|Content Selector|PROJECTKEY-docker|PROJECTKEY-docker|PROJECTKEY-docker|PROJECTKEY-docker
|Repository|docker-registry|docker-registry|docker-registry|docker-registry
|Actions|delete, add, edit, browse, read|add, edit, browse, read|add, edit, browse, read|browse, read

See [[https:~~/~~/help.sonatype.com/repomanager3/nexus-repository-administration/access-control/privileges>>url:https://help.sonatype.com/repomanager3/nexus-repository-administration/access-control/privileges]] for the available Actions.
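
The two tables above describe a naming convention and an action ladder that is repeated for every project key and every repository type; generating the objects rather than clicking them together is what keeps the isolation between projects consistent, because a single hosted repository is shared by all projects and only the content selector separates them. The Python below, added here as an example and not the DevOps Portal's provisioning code, produces the content selectors, privileges and roles for one project. The payload shapes follow the Nexus Repository 3 REST API as I know it (`POST /service/rest/v1/security/content-selectors`, `.../privileges/repository-content-selector` and `.../roles`); the CSEL expressions, the per-format path prefixes and the `maven-releases` repository name are assumptions that have to be adapted to the instance.

```python
"""Generate the Nexus roles and Repository Content Selector privileges for a project.

Added example, not the DevOps Portal's provisioning code. Names and actions
follow the tables above; the REST payload shapes, CSEL expressions and path
prefixes are assumptions about the Nexus instance.
"""
import json
from typing import Dict, List

ROLES = ("admin", "master", "developer", "viewer")

# Actions per role from the second table above; Nexus expects upper-case names.
ROLE_ACTIONS: Dict[str, List[str]] = {
    "admin":     ["DELETE", "ADD", "EDIT", "BROWSE", "READ"],
    "master":    ["ADD", "EDIT", "BROWSE", "READ"],
    "developer": ["ADD", "EDIT", "BROWSE", "READ"],
    "viewer":    ["BROWSE", "READ"],
}

# Assumed path layout inside each shared hosted repository; "{key}" is the project key.
PATH_PREFIX: Dict[str, str] = {
    "docker": "/v2/{key}/",   # images pushed as <registry>/<KEY>/<image>
    "maven":  "/{key}/",      # e.g. groupId equal to the project key (adapt to the real layout)
}


def content_selector(project_key: str, fmt: str) -> dict:
    """CSEL expression restricting one format to the project's own path prefix."""
    prefix = PATH_PREFIX[fmt].format(key=project_key)
    return {
        "name": f"{project_key}-{fmt}",
        "description": f"Content of project {project_key} in format {fmt}",
        "expression": f'format == "{fmt}" and path =^ "{prefix}"',
    }


def privilege(project_key: str, fmt: str, repository: str, role: str) -> dict:
    """Repository Content Selector privilege: selector + repository + the role's actions."""
    if role not in ROLE_ACTIONS:
        raise ValueError(f"unknown role {role!r}")
    return {
        "name": f"{project_key}-{fmt}-{role}",
        "description": f"{role} access to {fmt} content of {project_key}",
        "actions": list(ROLE_ACTIONS[role]),
        "format": fmt,
        "repository": repository,
        "contentSelector": f"{project_key}-{fmt}",
    }


def role(project_key: str, name: str, formats: List[str]) -> dict:
    """Nexus role PROJECTKEY-<role> bundling one privilege per repository format."""
    return {
        "id": f"{project_key}-{name}",
        "name": f"{project_key}-{name}",
        "description": f"{name} role of project {project_key}",
        "privileges": [f"{project_key}-{fmt}-{name}" for fmt in formats],
        "roles": [],
    }


def provision_plan(project_key: str, repositories: Dict[str, str]) -> Dict[str, list]:
    """Objects to create, in creation order, for `repositories` = {format: repository name}."""
    formats = list(repositories)
    return {
        "content_selectors": [content_selector(project_key, f) for f in formats],
        "privileges": [privilege(project_key, f, repositories[f], r) for f in formats for r in ROLES],
        "roles": [role(project_key, r, formats) for r in ROLES],
    }


def check_ladder() -> bool:
    """Each role's actions must contain the next lower role's (no permission lost by promotion)."""
    ranked = [set(ROLE_ACTIONS[r]) for r in reversed(ROLES)]   # viewer .. admin
    return all(lo <= hi for lo, hi in zip(ranked, ranked[1:]))


if __name__ == "__main__":
    plan = provision_plan("SDC", {"docker": "docker-registry", "maven": "maven-releases"})
    print(json.dumps(plan, indent=2))
```

Creation order matters: the selector must exist before the privilege that references it, and the privileges before the role that bundles them. Deleting a project is the reverse walk, and forgetting the selector leaves a dangling object that a later project with the same key would silently inherit.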