Wiki source code of Users and roles

Version 6.3 by Boris Folgmann on 2026/05/20 13:10

{{toc depth="1"/}}

= Role Model =

Each user who is a member of a project has to be in //exactly one// Project Role. It is therefore not possible to have no role or multiple roles in a project.

Different roles have different sets of permissions. Possible roles are:

|=(((
Role
)))|=(((
Description
)))
|(((
Admin
)))|(((
Full access, even to potentially dangerous operations like deleting content in the Project. Can administer Project Members and Roles.
)))
|(((
Master
)))|(((
Elevated write access, excluding potentially dangerous operations which can lead to massive data loss or other irreversible changes.
)))
|(((
Developer
)))|(((
General read-write access to contribute to the Project.
)))
|(((
Viewer
)))|(((
Read-only access to all data in the Project that is not security-relevant.
)))

Currently, the role assignment is applied to all tools within one project.

{{info}}
Note:
To ensure the integrity of the applications in the context of the managed service, no customer user is allowed to get system admin permissions for the tools. The maximum permission level for a customer user is the "Project Admin" role as described here.
{{/info}}
39
= User Permissions in DevOps Portal =

|=(((
Role Type
)))|=(% colspan="3" rowspan="1" %)(((
Portal Role
)))|=(% rowspan="23" %) |=(% colspan="4" %)(((
Project Role
)))
|(((
**Role Name**
)))|(((
**User**
)))|(((
**Admin**
)))|(((
**Creator**
)))|(((
**Viewer**
)))|(((
**Developer**
)))|(((
**Master**
)))|(((
**Admin**
)))
|Login to DevOps Portal|✅|✅|✅|✅|✅|✅|✅
|Logout from DevOps Portal|✅|✅|✅|✅|✅|✅|✅
|Change my password|✅|✅|✅|✅|✅|✅|✅
|Reset forgotten password|✅|✅|✅|✅|✅|✅|✅
|Display list of users|✅|✅|✅|✅|✅|✅|✅
|Search for user|✅|✅|✅|✅|✅|✅|✅
|Add or remove "Corporate Admin" role to user|❌|✅|❌|❌|❌|❌|❌
|Create User|❌|✅|✅|❌|❌|❌|❌
|Delete User|❌|✅|❌|❌|❌|❌|❌
|Lock User|❌|✅|❌|❌|❌|❌|❌
|Unlock User|❌|✅|❌|❌|❌|❌|❌
|Send invitation mail for first login|❌|✅|❌|❌|❌|❌|❌
|Display list of projects|❌|✅|❌|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects
|Search for project|❌|✅|❌|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects
|Create project|❌|✅|✅|❌|❌|❌|❌
|Delete project|❌|✅|❌|❌|❌|❌|❌
|Retire project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
|Reactivate project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
|Add User to Project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
|Remove User from Project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
|Display used storage by project/tool or total|❌|✅|❌|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects
87
= JIRA Project Roles / Permission Scheme =

In JIRA the Project Roles are first added under Security / Project Roles; they then get their Permissions assigned in the SDCloud Permission Scheme, which has to be associated with the Jira Projects afterwards.

|=(((
Permission / Role
)))|=(((
Admin
)))|=(((
Master
)))|=(((
Developer
)))|=(((
Viewer
)))
|=Project Permissions| | | |
|Administer projects (Extended project administration enabled)|✅|❌|❌|❌
|Browse projects|✅|✅|✅|✅
|Manage sprints|✅|✅|❌|❌
|Service Desk Agent|✅|✅|✅|❌
|View development tool|✅|✅|✅|✅
|View (read-only) workflow|✅|✅|✅|✅
|=Issue Permissions| | | |
|Assign issues|✅|✅|✅|❌
|Assignable user|✅|✅|✅|❌
|Close issues|✅|✅|❌|❌
|Create issues|✅|✅|✅|❌
|Delete issues|✅|❌|❌|❌
|Edit issues|✅|✅|✅|❌
|Link issues|✅|✅|✅|❌
|Modify reporter|✅|✅|❌|❌
|Move issues|✅|✅|❌|❌
|Resolve issues|✅|✅|✅|❌
|Schedule issues|✅|✅|❌|❌
|Set issue security|✅|❌|❌|❌
|Transition issues|✅|✅|✅|❌
|=Voters & watchers permissions| | | |
|Manage watcher list|✅|✅|❌|❌
|View voters and watchers|✅|✅|✅|❌
|=Comments permissions| | | |
|Add comments|✅|✅|✅|❌
|Delete all comments|✅|❌|❌|❌
|Delete own comments|✅|✅|✅|❌
|Edit all comments|✅|❌|❌|❌
|Edit own comments|✅|✅|✅|❌
|=Attachments permissions| | | |
|Create attachments|✅|✅|✅|❌
|Delete all attachments|✅|❌|❌|❌
|Delete own attachments|✅|✅|✅|❌
|=Time-tracking permissions| | | |
|Work on issues|✅|✅|✅|❌
|Delete all worklogs|✅|❌|❌|❌
|Delete own worklogs|✅|✅|✅|❌
|Edit all worklogs|✅|❌|❌|❌
|Edit own worklogs|✅|✅|✅|❌

* Service Desk Agent is only available if the Service Desk software was added to JIRA.
156
= Confluence Project Roles =

See the vendor documentation for the exact meaning: [[https:~~/~~/confluence.atlassian.com/doc/space-permissions-overview-139521.html>>url:https://confluence.atlassian.com/doc/space-permissions-overview-139521.html]].

|=(((
Space
)))|=(% colspan="2" %)(((
All
)))|=(% colspan="2" %)(((
Pages
)))|=(% colspan="2" %)(((
Blog
)))|=(% colspan="2" %)(((
Attachments
)))|=(% colspan="2" %)(((
Comments
)))|=(((
Restrictions
)))|=(((
Mail
)))|=(% colspan="2" %)(((
Space
)))
|=Role/Operation|View|Delete Own|Add|Delete|Add|Delete|Add|Delete|Add|Delete|Add/Delete|Delete|Export|Admin
|=Admin|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅
|=Master|✅|✅|✅|❌|✅|❌|✅|❌|✅|✅|✅|❌|✅|❌
|=Developer|✅|✅|✅|❌|❌|❌|✅|❌|✅|❌|❌|❌|❌|❌
|=Viewer|✅|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌
185
= Bitbucket Project Roles =

|=(((
Role
)))|=(((
Browse
)))|=(((
Clone / Pull
)))|=(((
Create, browse, comment on pull request
)))|=(((
Merge pull request
)))|=(((
Push
)))|=(((
Create repositories
)))|=(((
Edit settings / permissions
)))
|Admin|✅|✅|✅|✅|✅|✅|✅
|Master|✅|✅|✅|✅|✅|✅|❌
|Developer|✅|✅|✅|✅|✅|❌|❌
|Viewer|✅|✅|✅|❌|❌|❌|❌

//Repository permissions are inherited from project permissions.//
211
= Jenkins Project Roles =

|=(((
Permission Group
)))|=(((
Permission
)))|=(((
Admin
)))|=(((
Master
)))|=(((
Developer
)))|=(((
Viewer
)))|=(((
Authenticated Users
)))|=(((
Anonymous Users
)))|=(((
Prometheus Tech User
)))
|=(% rowspan="5" %)Credentials|Create|✅|✅|❌|❌|❌|❌|❌
|Delete|✅|❌|❌|❌|❌|❌|❌
|Manage Domains|✅|❌|❌|❌|❌|❌|❌
|Update|✅|✅|❌|❌|❌|❌|❌
|View|✅|✅|✅|❌|❌|❌|❌
|=(% rowspan="10" %)Job|Build|✅|✅|✅|❌|❌|❌|❌
|Cancel|✅|✅|❌|❌|❌|❌|❌
|Configure|✅|✅|❌|❌|❌|❌|❌
|Create|✅|✅|❌|❌|❌|❌|❌
|Delete|✅|❌|❌|❌|❌|❌|❌
|Discover|✅|✅|✅|✅|❌|❌|❌
|ExtendedRead| | | | | | |
|Move|✅|❌|❌|❌|❌|❌|❌
|Read|✅|✅|✅|✅|❌|❌|❌
|Workspace|✅|✅|✅|❌|❌|❌|❌
|=(% rowspan="3" %)Run|Delete|✅|❌|❌|❌|❌|❌|❌
|Replay|✅|✅|✅|❌|❌|❌|❌
|Update|✅|✅|✅|❌|❌|❌|❌
|=Job Config History|DeleteEntry| | | | | | |
|=SCM|Tag|✅|✅|❌|❌|❌|❌|❌
|=(% rowspan="3" %)Metrics|HealthCheck| | | | | | |
|ThreadDump| | | | | | |
|View| | | | | | |
256
= GitLab =

Users are assigned to Groups in GitLab with the following role mapping. Permissions are inherited by subordinate Subgroups and GitLab Projects.

|=(((
Project Role
)))|=(((
GitLab Group Members Permission
)))
|(((
Viewer
)))|(((
Reporter
)))
|(((
Developer
)))|(((
Developer
)))
|(((
Master
)))|(((
Maintainer
)))
|(((
Admin
)))|(((
Owner
)))

For the meaning of the GitLab group member permissions, see [[https:~~/~~/docs.gitlab.com/ee/user/permissions.html#group-members-permissions>>url:https://docs.gitlab.com/ee/user/permissions.html#group-members-permissions]].
288
= Harbor Project Roles =

Harbor manages images through projects. You provide access to these images to users by including the users in projects and assigning one of the following roles to them:

|=(% colspan="2" %)(((
Harbor
)))|=(((
Portal
)))
|=Role Name|=Role Id|=Project Role
|Project Admin|1|ADMIN
|Maintainer|4|MASTER
|Developer|2|DEVELOPER
|Guest|3|VIEWER

=== Harbor Roles Permissions ===

|=(((
Action
)))|=(((
Limited Guest
)))|=(((
Guest
)))|=(((
Developer
)))|=(((
Maintainer
)))|=(((
Project Admin
)))
|See the project configurations|✅|✅|✅|✅|✅
|Edit the project configurations|❌|❌|❌|❌|✅
|See a list of project members| |✅|✅|✅|✅
|Create/edit/delete project members|❌|❌|❌|❌|✅
|See a list of project logs|✅|✅|✅|✅|❌
|See a list of project replications|❌|❌|❌|✅|✅
|See a list of project replication jobs|❌|❌|❌|❌|✅
|See a list of project labels|❌|❌|❌|✅|✅
|Create/edit/delete project labels|❌|❌|❌|✅|✅
|See a list of repositories|✅|✅|✅|✅|✅
|Create repositories|❌|❌|✅|✅|✅
|Edit/delete repositories|❌|❌|❌|✅|✅
|See a list of images|✅|✅|✅|✅|✅
|Retag image|❌|✅|✅|✅|✅
|Pull image|✅|✅|✅|✅|✅
|Push image|❌|❌|✅|✅|✅
|Scan/delete image|❌|❌|❌|✅|✅
|Add scanners to Harbor *|❌|❌|❌|❌|❌
|Edit scanners in projects|❌|❌|❌|❌|✅
|See a list of image vulnerabilities|✅|✅|✅|✅|✅
|Create list of project vulnerabilities|❌|❌|✅|✅|✅
|Read list of project vulnerabilities|❌|❌|✅|✅|✅
|Export list of project vulnerabilities|❌|❌|✅|✅|✅
|See image build history|✅|✅|✅|✅|✅
|Add/Remove labels of image|❌|❌|✅|✅|✅
|See a list of helm charts|✅|✅|✅|✅|✅
|Download helm charts|✅|✅|✅|✅|✅
|Upload helm charts|❌|❌|✅|✅|✅
|Delete helm charts|❌|❌|❌|✅|✅
|See a list of helm chart versions|✅|✅|✅|✅|✅
|Download helm chart versions|✅|✅|✅|✅|✅
|Upload helm chart versions|❌|❌|✅|✅|✅
|Delete helm chart versions|❌|❌|❌|✅|✅
|Add/Remove labels of helm chart version|❌|❌|✅|✅|✅
|See a list of project robots|❌|❌|❌|✅|✅
|Create/edit/delete project robots|❌|❌|❌|❌|✅
|See configured CVE allowlist|✅|✅|✅|✅|✅
|Create/edit/remove CVE allowlist|❌|❌|❌|❌|✅
|View webhook events|❌|❌|❌|✅|✅
|Add new webhook events|❌|❌|❌|❌|✅
|Enable/deactivate webhooks|❌|❌|❌|❌|✅
|Create/delete tag retention rules|❌|❌|✅|✅|✅
|Enable/deactivate tag retention rules|❌|❌|✅|✅|✅
|Create/delete tag immutability rules|❌|❌|❌|✅|✅
|Enable/deactivate tag immutability rules|❌|❌|❌|✅|✅
|See project quotas|✅|✅|✅|✅|✅
|Edit project quotas *|❌|❌|❌|❌|❌
|Delete Project|❌|❌|❌|❌|✅

~* Only the Harbor system administrator can edit project quotas and add new scanners.
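As an added example (not part of this page or of the DevOps Portal), the following Python audit reads rows in the table syntax used throughout this page and reports every place where a permission held by a lower role is missing from a higher one, the property the layered role model above relies on. It treats ⚠ as granted with a restriction and a blank cell as unknown; the embedded sample is a constructed excerpt of the Harbor table above, and the check flags the "See a list of project logs" row, where Project Admin is shown as ❌ although every lower role has ✅, an entry worth verifying against the vendor documentation.

```python
"""Audit a role/permission matrix written in this page's XWiki table syntax.
Rows look like `|Action|✅|❌|⚠ Only own projects|...`; roles are listed from
least to most privileged, and any privilege drop up the ladder is reported."""

GRANTED, DENIED, PARTIAL, UNKNOWN = "granted", "denied", "partial", "unknown"
STATES = {"✅": GRANTED, "❌": DENIED, "⚠": PARTIAL}  # ⚠ = granted with restriction

# Constructed excerpt of the Harbor permission table above (not the whole table).
HARBOR_ROLES = ["Limited Guest", "Guest", "Developer", "Maintainer", "Project Admin"]
HARBOR_SAMPLE = """
|=Action|=Limited Guest|=Guest|=Developer|=Maintainer|=Project Admin
|Edit the project configurations|❌|❌|❌|❌|✅
|See a list of project members| |✅|✅|✅|✅
|See a list of project logs|✅|✅|✅|✅|❌
|Edit project quotas *|❌|❌|❌|❌|❌
"""

def parse_cell(cell):
    """Blank cells are unknown, not denied."""
    return STATES.get(cell.strip()[:1], UNKNOWN)

def parse_matrix(source, roles):
    """Return {action: {role: state}} for each data row of the expected width."""
    matrix = {}
    for line in source.splitlines():
        line = line.strip()
        if not line.startswith("|") or line.startswith("|="):
            continue  # blank line, prose or header row
        cells = line[1:].split("|")
        if len(cells) != len(roles) + 1:
            continue  # row of a table with a different column layout
        action = cells[0].strip().rstrip("*").strip()  # drop footnote marker
        matrix[action] = dict(zip(roles, map(parse_cell, cells[1:])))
    return matrix

def hierarchy_violations(matrix, roles):
    """List (action, granted_role, denied_higher_role) wherever access drops."""
    findings = []
    for action, grants in matrix.items():
        last_granted = None
        for role in roles:
            state = grants[role]
            if state in (GRANTED, PARTIAL):
                last_granted = role
            elif state == DENIED and last_granted is not None:
                findings.append((action, last_granted, role))
    return findings

def audit_harbor_sample():
    return hierarchy_violations(parse_matrix(HARBOR_SAMPLE, HARBOR_ROLES), HARBOR_ROLES)
```

Replacing the excerpt with the full Harbor or Jira table and its role list runs the same check over the whole matrix.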
369
= Gitea =

Please note that some terms used in DevOps-as-a-Service have different names in Gitea. Check the following table to avoid confusion.

|=(((
DevOps Portal
)))|=(((
Gitea
)))
|(((
Project
)))|(((
Organization
)))
|(((
Project Role
)))|(((
Team
)))
|(((
Git Repository
)))|(((
Repository
)))
|(((
Artifact Repository
)))|(((
Package
)))
|(((
Issue Tracking
)))|(((
Project (currently disabled)
)))

The **Owner** team has full admin permission in the Organization. Its member is a technical user used by the DevOps Portal for auto-provisioning.

|=(((
Gitea Role
)))|=(((
Portal Project Role
)))|=Permissions
|Viewer|Viewer|Read
|Developer|Developer|Read, Write
|Master|Master|Read, Write
|Admin|Admin|Read, Write, Repository create
424
= Nexus Project Roles =

For each role in a project, a role in Nexus is created which includes one Privilege for each repository in the project.

|=(((
Role
)))|=(((
Admin
)))|=(((
Master
)))|=(((
Developer
)))|=(((
Viewer
)))
|(((
ID
)))|(((
PROJECTKEY-admin
)))|(((
PROJECTKEY-master
)))|(((
PROJECTKEY-developer
)))|(((
PROJECTKEY-viewer
)))
|(((
Name
)))|(((
PROJECTKEY-admin
)))|(((
PROJECTKEY-master
)))|(((
PROJECTKEY-developer
)))|(((
PROJECTKEY-viewer
)))
|(((
Privilege
)))|(((
PROJECTKEY-docker-admin

PROJECTKEY-maven-admin

PROJECTKEY-//repotype//-admin
)))|(((
PROJECTKEY-docker-master

PROJECTKEY-maven-master

PROJECTKEY-//repotype//-master
)))|(((
PROJECTKEY-docker-developer

PROJECTKEY-maven-developer

PROJECTKEY-//repotype//-developer
)))|(((
PROJECTKEY-docker-viewer

PROJECTKEY-maven-viewer

PROJECTKEY-//repotype//-viewer
)))

For each role in a project, a **Privilege of type Repository Content Selector** is created which combines a Content Selector (the Project), a Repository (the Docker Registry) and a set of Actions that depends on the role.

|=(((
Privilege / Role
)))|=(((
Admin
)))|=(((
Master
)))|=(((
Developer
)))|=(((
Viewer
)))
|(((
Name
)))|(((
PROJECTKEY-docker-admin
)))|(((
PROJECTKEY-docker-master
)))|(((
PROJECTKEY-docker-developer
)))|(((
PROJECTKEY-docker-viewer
)))
|(((
Content Selector
)))|(((
PROJECTKEY-docker
)))|(((
PROJECTKEY-docker
)))|(((
PROJECTKEY-docker
)))|(((
PROJECTKEY-docker
)))
|(((
Repository
)))|(((
docker-registry
)))|(((
docker-registry
)))|(((
docker-registry
)))|(((
docker-registry
)))
|(((
Actions
)))|(((
delete, add, edit, browse, read
)))|(((
add, edit, browse, read
)))|(((
add, edit, browse, read
)))|(((
browse, read
)))

See [[https:~~/~~/help.sonatype.com/repomanager3/security/privileges>>url:https://help.sonatype.com/repomanager3/nexus-repository-administration/access-control/privileges]] for the available Actions.
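The following Python is an added example, not the DevOps Portal's provisioning code: it derives the Nexus role and privilege definitions for one project from the naming scheme in the two tables above. The dict keys assume the field names of the Nexus 3 REST payloads for roles and for repository-content-selector privileges (an assumption, including the upper-cased action names); the docker repository name docker-registry and the action sets come from the page, while any other repository names are supplied by the caller. The last function checks the page's rule that only Admin holds the delete action.

```python
"""Generate the per-project Nexus roles and privileges described on this page.
Naming scheme from the page: role PROJECTKEY-<role>, privilege
PROJECTKEY-<repotype>-<role>, content selector PROJECTKEY-<repotype>.
Assumption: dict keys follow the Nexus 3 REST payloads for roles and for
repository-content-selector privileges (actions are upper-cased there)."""

# Actions per role, taken from the Actions row of the privilege table above.
ROLE_ACTIONS = {
    "admin": ["delete", "add", "edit", "browse", "read"],
    "master": ["add", "edit", "browse", "read"],
    "developer": ["add", "edit", "browse", "read"],
    "viewer": ["browse", "read"],
}

def privilege_name(project_key, repotype, role):
    return f"{project_key}-{repotype}-{role}"

def build_privileges(project_key, repositories):
    """repositories maps repo type -> Nexus repository, e.g. {"docker": "docker-registry"}."""
    privileges = []
    for repotype, repository in repositories.items():
        for role, actions in ROLE_ACTIONS.items():
            privileges.append({
                "name": privilege_name(project_key, repotype, role),
                "description": f"{role} access to {repotype} content of {project_key}",
                "actions": [a.upper() for a in actions],
                "format": repotype,
                "repository": repository,
                "contentSelector": f"{project_key}-{repotype}",
            })
    return privileges

def build_roles(project_key, repositories):
    """One Nexus role per project role, holding one privilege per repository."""
    return [{
        "id": f"{project_key}-{role}",
        "name": f"{project_key}-{role}",
        "description": f"{role} role of project {project_key}",
        "privileges": [privilege_name(project_key, rt, role) for rt in repositories],
        "roles": [],
    } for role in ROLE_ACTIONS]

def destructive_below_admin(privileges):
    """Names of non-admin privileges that carry DELETE; expected to be empty,
    since only Admin may perform operations that cause data loss."""
    return [p["name"] for p in privileges
            if not p["name"].endswith("-admin") and "DELETE" in p["actions"]]
```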