Wiki source code of Users and roles

Version 7.1 by Boris Folgmann on 2026/05/20 13:11

{{toc depth="1"/}}

= Role Model =

== Project Roles ==

Each user who is a member of a project holds //exactly one// Project Role: a member can neither have no role nor several roles in the same project.

Different roles have different sets of permissions. Possible roles are:

|=Role|=Description
|Admin|Full access, even to potentially dangerous operations like deleting content in the Project. Can administer Project Members and Roles.
|Master|Elevated write access, excluding potentially dangerous operations which can lead to massive data loss or other irreversible changes.
|Developer|General read-write access to contribute to the Project
|Viewer|Read-only access to all data in the Project that is not security-relevant

Currently, the role assignment is applied for all tools within one project.

{{info}}
Note:
To ensure the integrity of the applications in the context of the managed service, no customer user is allowed to get system admin permissions for the tools. The maximum permission level for a customer user is the "Project Admin" role as described here.
{{/info}}
41
= User Permissions in DevOps Portal =

|=Role Type|=(% colspan="3" %)Portal Role|=(% rowspan="23" %) |=(% colspan="4" %)Project Role
|**Role Name**|**User**|**Admin**|**Creator**|**Viewer**|**Developer**|**Master**|**Admin**
|Login to DevOps Portal|✅|✅|✅|✅|✅|✅|✅
|Logout from DevOps Portal|✅|✅|✅|✅|✅|✅|✅
|Change my password|✅|✅|✅|✅|✅|✅|✅
|Reset forgotten password|✅|✅|✅|✅|✅|✅|✅
|Display list of users|✅|✅|✅|✅|✅|✅|✅
|Search for user|✅|✅|✅|✅|✅|✅|✅
|Add or remove "Corporate Admin" role to user|❌|✅|❌|❌|❌|❌|❌
|Create User|❌|✅|✅|❌|❌|❌|❌
|Delete User|❌|✅|❌|❌|❌|❌|❌
|Lock User|❌|✅|❌|❌|❌|❌|❌
|Unlock User|❌|✅|❌|❌|❌|❌|❌
|Send invitation mail for first login|❌|✅|❌|❌|❌|❌|❌
|Display list of projects|❌|✅|❌|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects
|Search for project|❌|✅|❌|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects
|Create project|❌|✅|✅|❌|❌|❌|❌
|Delete project|❌|✅|❌|❌|❌|❌|❌
|Retire project|❌|✅|❌|❌|❌|❌|⚠ Only his projects
|Reactivate project|❌|✅|❌|❌|❌|❌|⚠ Only his projects
|Add User to Project|❌|✅|❌|❌|❌|❌|⚠ Only his projects
|Remove User from Project|❌|✅|❌|❌|❌|❌|⚠ Only his projects
|Display used storage by project/tool or total|❌|✅|❌|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects
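
The table above is an authorization matrix with two role types and project-scoped cells ("Only his projects"). The following Python module is an added example, not code from the DevOps Portal: it encodes a subset of the rows as data and evaluates a deny-by-default check against a user's portal role and project memberships, while also enforcing the "exactly one Project Role per project" rule from the Role Model section. The ##User## class, the role enums and the membership layout are assumptions made for this example.

```python
"""Authorization check over the DevOps Portal permission matrix (added example).

Not code from the DevOps Portal: it encodes some rows of the
"User Permissions in DevOps Portal" table as data and shows how a
deny-by-default check with project scoping ("Only his projects") can be
evaluated. Role enums, the User class and the action strings outside the
table are assumptions made for this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional


class PortalRole(Enum):
    USER = "User"
    ADMIN = "Admin"
    CREATOR = "Creator"


class ProjectRole(Enum):
    VIEWER = "Viewer"
    DEVELOPER = "Developer"
    MASTER = "Master"
    ADMIN = "Admin"


# Cell values: plain allow (✅), deny (❌), or an allow limited to projects the
# user is a member of (the "⚠ Only his projects" cells).
ALLOW, DENY, OWN_PROJECTS = "allow", "deny", "own_projects"

# Column order as in the table: User, Admin, Creator | Viewer, Developer, Master, Admin.
_COLUMNS = [PortalRole.USER, PortalRole.ADMIN, PortalRole.CREATOR,
            ProjectRole.VIEWER, ProjectRole.DEVELOPER, ProjectRole.MASTER, ProjectRole.ADMIN]

A, D, O = ALLOW, DENY, OWN_PROJECTS
_ROWS = {  # subset of the table rows, copied cell by cell
    "Login to DevOps Portal":   [A, A, A, A, A, A, A],
    "Create User":              [D, A, A, D, D, D, D],
    "Delete User":              [D, A, D, D, D, D, D],
    "Display list of projects": [D, A, D, O, O, O, O],
    "Create project":           [D, A, A, D, D, D, D],
    "Delete project":           [D, A, D, D, D, D, D],
    "Retire project":           [D, A, D, D, D, D, O],
    "Add User to Project":      [D, A, D, D, D, D, O],
}
MATRIX = {action: dict(zip(_COLUMNS, cells)) for action, cells in _ROWS.items()}


@dataclass
class User:
    name: str
    portal_role: PortalRole
    # Project key -> single ProjectRole. A dict keyed by project cannot hold
    # two roles for the same project, which is the "exactly one role" rule.
    memberships: Dict[str, ProjectRole] = field(default_factory=dict)

    def join(self, project_key: str, role: ProjectRole) -> None:
        """Add a membership; refuse a second role in the same project."""
        if project_key in self.memberships:
            raise ValueError(f"{self.name} already has a role in {project_key}")
        self.memberships[project_key] = role


def is_allowed(user: User, action: str, project_key: Optional[str] = None) -> bool:
    """Deny by default; allow if any of the user's roles grants the action.

    A scoped cell grants the action only for a project the user is a member
    of, so scoped actions must be called with the target project key; with
    no project key a scoped cell never grants anything.
    """
    row = MATRIX.get(action)
    if row is None:
        return False  # unknown action: nothing grants it
    if row[user.portal_role] == ALLOW:
        return True
    for member_project, role in user.memberships.items():
        cell = row[role]
        if cell == ALLOW:
            return True
        if cell == OWN_PROJECTS and project_key is not None and member_project == project_key:
            return True
    return False


if __name__ == "__main__":
    alice = User("alice", PortalRole.USER)      # constructed sample user
    alice.join("SDC", ProjectRole.ADMIN)
    for action, project in [("Retire project", "SDC"), ("Retire project", "OTHER"),
                            ("Delete project", "SDC"), ("Create project", None)]:
        print(f"{alice.name} / {action} / {project}: {is_allowed(alice, action, project)}")
```

The important property is that a Project Admin's scoped permissions stop at the project boundary: the same user is denied "Retire project" on a project they are not a member of, and denied "Delete project" even on their own project, exactly as the table shows.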

= JIRA Project Roles / Permission Scheme =

In JIRA the Project Roles are first added under Security / Project Roles; they then get their Permissions assigned in the SDCloud Permission Scheme, which has to be associated with the Jira Projects afterwards.

|=Permission / Role|=Admin|=Master|=Developer|=Viewer
|=Project Permissions| | | |
|(((
Administer projects

Extended project administration enabled
)))|✅|❌|❌|❌
|Browse projects|✅|✅|✅|✅
|Manage sprints|✅|✅|❌|❌
|Service Desk Agent|✅|✅|✅|❌
|View development tool|✅|✅|✅|✅
|View (read-only) workflow|✅|✅|✅|✅
|=Issue Permissions| | | |
|Assign issues|✅|✅|✅|❌
|Assignable user|✅|✅|✅|❌
|Close issues|✅|✅|❌|❌
|Create issues|✅|✅|✅|❌
|Delete issues|✅|❌|❌|❌
|Edit issues|✅|✅|✅|❌
|Link issues|✅|✅|✅|❌
|Modify reporter|✅|✅|❌|❌
|Move issues|✅|✅|❌|❌
|Resolve issues|✅|✅|✅|❌
|Schedule issues|✅|✅|❌|❌
|Set issue security|✅|❌|❌|❌
|Transition issues|✅|✅|✅|❌
|=Voters & watchers permissions| | | |
|Manage watcher list|✅|✅|❌|❌
|View voters and watchers|✅|✅|✅|❌
|=Comments permissions| | | |
|Add comments|✅|✅|✅|❌
|Delete all comments|✅|❌|❌|❌
|Delete own comments|✅|✅|✅|❌
|Edit all comments|✅|❌|❌|❌
|Edit own comments|✅|✅|✅|❌
|=Attachments permissions| | | |
|Create attachments|✅|✅|✅|❌
|Delete all attachments|✅|❌|❌|❌
|Delete own attachments|✅|✅|✅|❌
|=Time-tracking Permissions| | | |
|Work on issues|✅|✅|✅|❌
|Delete all worklogs|✅|❌|❌|❌
|Delete own worklogs|✅|✅|✅|❌
|Edit all worklogs|✅|❌|❌|❌
|Edit own worklogs|✅|✅|✅|❌

* Service Desk Agent is only available if the Service Desk application has been added to JIRA
158
= Confluence Project Roles =

See vendor documentation for the exact meaning: [[https:~~/~~/confluence.atlassian.com/doc/space-permissions-overview-139521.html>>url:https://confluence.atlassian.com/doc/space-permissions-overview-139521.html]].

|=Space|=(% colspan="2" %)All|=(% colspan="2" %)Pages|=(% colspan="2" %)Blog|=(% colspan="2" %)Attachments|=(% colspan="2" %)Comments|=Restrictions|=Mail|=(% colspan="2" %)Space
|=Role/Operation|View|Delete Own|Add|Delete|Add|Delete|Add|Delete|Add|Delete|Add/Delete|Delete|Export|Admin
|=Admin|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅
|=Master|✅|✅|✅|❌|✅|❌|✅|❌|✅|✅|✅|❌|✅|❌
|=Developer|✅|✅|✅|❌|❌|❌|✅|❌|✅|❌|❌|❌|❌|❌
|=Viewer|✅|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌
187
= Bitbucket Project Roles =

|= |=Browse|=Clone / Pull|=Create, browse, comment on pull request|=Merge pull request|=Push|=Create repositories|=Edit settings / permissions
|Admin|✅|✅|✅|✅|✅|✅|✅
|Master|✅|✅|✅|✅|✅|✅|❌
|Developer|✅|✅|✅|✅|✅|❌|❌
|Viewer|✅|✅|✅|❌|❌|❌|❌

//Repository permissions are inherited from project permissions.//
213
= Jenkins Project Roles =

|=Permission|=Role|=Admin|=Master|=Developer|=Viewer|=Authenticated Users|=Anonymous Users|=Prometheus Tech User
|=(% rowspan="5" %)Credentials|Create|✅|✅|❌|❌|❌|❌|❌
|Delete|✅|❌|❌|❌|❌|❌|❌
|Manage Domains|✅|❌|❌|❌|❌|❌|❌
|Update|✅|✅|❌|❌|❌|❌|❌
|View|✅|✅|✅|❌|❌|❌|❌
|=(% rowspan="10" %)Job|Build|✅|✅|✅|❌|❌|❌|❌
|Cancel|✅|✅|❌|❌|❌|❌|❌
|Configure|✅|✅|❌|❌|❌|❌|❌
|Create|✅|✅|❌|❌|❌|❌|❌
|Delete|✅|❌|❌|❌|❌|❌|❌
|Discover|✅|✅|✅|✅|❌|❌|❌
|ExtendedRead| | | | | | |
|Move|✅|❌|❌|❌|❌|❌|❌
|Read|✅|✅|✅|✅|❌|❌|❌
|Workspace|✅|✅|✅|❌|❌|❌|❌
|=(% rowspan="3" %)Run|Delete|✅|❌|❌|❌|❌|❌|❌
|Replay|✅|✅|✅|❌|❌|❌|❌
|Update|✅|✅|✅|❌|❌|❌|❌
|=Job Config History|DeleteEntry| | | | | | |
|=SCM|Tag|✅|✅|❌|❌|❌|❌|❌
|=(% rowspan="3" %)Metrics|HealthCheck| | | | | | |
|ThreadDump| | | | | | |
|View| | | | | | |
258
= GitLab =

Users are assigned to Groups in GitLab with the following role mapping. Permissions are inherited by the subordinate Subgroups and GitLab Projects.

|=Project Role|=GitLab Group Members Permission
|Viewer|Reporter
|Developer|Developer
|Master|Maintainer
|Admin|Owner

For the meaning of the GitLab group member permissions, see [[https:~~/~~/docs.gitlab.com/ee/user/permissions.html#group-members-permissions>>url:https://docs.gitlab.com/ee/user/permissions.html#group-members-permissions]].
290
= Harbor Project Roles =

Harbor manages images through projects. You provide access to these images to users by including the users in projects and assigning one of the following roles to them:

|=(% colspan="2" %)Harbor|=Portal
|=Role Name|=Role Id|=Project Role
|Project Admin|1|ADMIN
|Maintainer|4|MASTER
|Developer|2|DEVELOPER
|Guest|3|VIEWER

== Harbor Roles Permissions ==

|=Action|=Limited Guest|=Guest|=Developer|=Maintainer|=Project Admin
|See the project configurations|✅|✅|✅|✅|✅
|Edit the project configurations|❌|❌|❌|❌|✅
|See a list of project members| |✅|✅|✅|✅
|Create/edit/delete project members|❌|❌|❌|❌|✅
|See a list of project logs|✅|✅|✅|✅|❌
|See a list of project replications|❌|❌|❌|✅|✅
|See a list of project replication jobs|❌|❌|❌|❌|✅
|See a list of project labels|❌|❌|❌|✅|✅
|Create/edit/delete project labels|❌|❌|❌|✅|✅
|See a list of repositories|✅|✅|✅|✅|✅
|Create repositories|❌|❌|✅|✅|✅
|Edit/delete repositories|❌|❌|❌|✅|✅
|See a list of images|✅|✅|✅|✅|✅
|Retag image|❌|✅|✅|✅|✅
|Pull image|✅|✅|✅|✅|✅
|Push image|❌|❌|✅|✅|✅
|Scan/delete image|❌|❌|❌|✅|✅
|Add scanners to Harbor *|❌|❌|❌|❌|❌
|Edit scanners in projects|❌|❌|❌|❌|✅
|See a list of image vulnerabilities|✅|✅|✅|✅|✅
|Create list of project vulnerabilities|❌|❌|✅|✅|✅
|Read list of project vulnerabilities|❌|❌|✅|✅|✅
|Export list of project vulnerabilities|❌|❌|✅|✅|✅
|See image build history|✅|✅|✅|✅|✅
|Add/Remove labels of image|❌|❌|✅|✅|✅
|See a list of helm charts|✅|✅|✅|✅|✅
|Download helm charts|✅|✅|✅|✅|✅
|Upload helm charts|❌|❌|✅|✅|✅
|Delete helm charts|❌|❌|❌|✅|✅
|See a list of helm chart versions|✅|✅|✅|✅|✅
|Download helm chart versions|✅|✅|✅|✅|✅
|Upload helm chart versions|❌|❌|✅|✅|✅
|Delete helm chart versions|❌|❌|❌|✅|✅
|Add/Remove labels of helm chart version|❌|❌|✅|✅|✅
|See a list of project robots|❌|❌|❌|✅|✅
|Create/edit/delete project robots|❌|❌|❌|❌|✅
|See configured CVE allowlist|✅|✅|✅|✅|✅
|Create/edit/remove CVE allowlist|❌|❌|❌|❌|✅
|View webhook events|❌|❌|❌|✅|✅
|Add new webhook events|❌|❌|❌|❌|✅
|Enable/deactivate webhooks|❌|❌|❌|❌|✅
|Create/delete tag retention rules|❌|❌|✅|✅|✅
|Enable/deactivate tag retention rules|❌|❌|✅|✅|✅
|Create/delete tag immutability rules|❌|❌|❌|✅|✅
|Enable/deactivate tag immutability rules|❌|❌|❌|✅|✅
|See project quotas|✅|✅|✅|✅|✅
|Edit project quotas *|❌|❌|❌|❌|❌
|Delete Project|❌|❌|❌|❌|✅

~* Only the Harbor system administrator can edit project quotas and add new scanners.
371
= Gitea =

Note that some terms used in DevOps-as-a-Service have different names in Gitea. The following table maps them to avoid confusion.

|=DevOps Portal|=Gitea
|Project|Organization
|Project Role|Team
|Git Repository|Repository
|Artifact Repository|Package
|Issue Tracking|Project (currently disabled)

The **Owner** team has full admin permission in the Organization. This is a technical user that the DevOps Portal uses for auto-provisioning.

|=Gitea Role|=Portal Project Role|=Permissions
|Viewer|Viewer|Read
|Developer|Developer|Read, Write
|Master|Master|Read, Write
|Admin|Admin|Read, Write, Repository create
426
= Nexus Project Roles =

For each role in a project, a role in Nexus is created which includes one Privilege for each repository in the project.

|=Role|=Admin|=Master|=Developer|=Viewer
|ID|PROJECTKEY-admin|PROJECTKEY-master|PROJECTKEY-developer|PROJECTKEY-viewer
|Name|PROJECTKEY-admin|PROJECTKEY-master|PROJECTKEY-developer|PROJECTKEY-viewer
|Privilege|(((
PROJECTKEY-docker-admin

PROJECTKEY-maven-admin

PROJECTKEY-//repotype//-admin
)))|(((
PROJECTKEY-docker-master

PROJECTKEY-maven-master

PROJECTKEY-//repotype//-master
)))|(((
PROJECTKEY-docker-developer

PROJECTKEY-maven-developer

PROJECTKEY-//repotype//-developer
)))|(((
PROJECTKEY-docker-viewer

PROJECTKEY-maven-viewer

PROJECTKEY-//repotype//-viewer
)))

For each role in a project, a **Privilege of type Repository Content Selector** is created which combines the Content Selector (Project), the Repository (Docker Registry) and the Actions depending on the role.

|=Privilege / Role|=Admin|=Master|=Developer|=Viewer
|Name|PROJECTKEY-docker-admin|PROJECTKEY-docker-master|PROJECTKEY-docker-developer|PROJECTKEY-docker-viewer
|Content Selector|PROJECTKEY-docker|PROJECTKEY-docker|PROJECTKEY-docker|PROJECTKEY-docker
|Repository|docker-registry|docker-registry|docker-registry|docker-registry
|Actions|delete, add, edit, browse, read|add, edit, browse, read|add, edit, browse, read|browse, read

See [[https:~~/~~/help.sonatype.com/repomanager3/security/privileges>>url:https://help.sonatype.com/repomanager3/nexus-repository-administration/access-control/privileges]] for available Actions.
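
The two Nexus tables above describe a naming and provisioning pattern: one role per project role, one Repository Content Selector privilege per role and repository type, and an action set that only lets the admin role delete. The following Python module is an added example, not code from the DevOps Portal or from Nexus: it derives the role ids, privilege names, content selector names and actions from a project key and a map of repository types to Nexus repositories, and then checks the result against the table's least-privilege rule. The ##repository_by_type## mapping, the dict layout and the set of known actions (taken from the Sonatype privileges documentation linked above, not from this page) are assumptions made here; the page itself only names ##docker-registry## as the repository for the docker type.

```python
"""Derive the Nexus roles and Repository Content Selector privileges
described on this page (added example, not DevOps Portal or Nexus code).

Naming follows the tables: roles PROJECTKEY-<role>, privileges
PROJECTKEY-<repotype>-<role>, content selector PROJECTKEY-<repotype>.
The repository_by_type mapping and the dict layout are assumptions;
KNOWN_ACTIONS is the action set of the Nexus repository privilege types
as documented by Sonatype, not something stated on this page.
"""
from typing import Dict, List, Tuple

ROLES = ("admin", "master", "developer", "viewer")

# Actions per role as given in the "Actions" row of the table.
ACTIONS = {
    "admin": ["delete", "add", "edit", "browse", "read"],
    "master": ["add", "edit", "browse", "read"],
    "developer": ["add", "edit", "browse", "read"],
    "viewer": ["browse", "read"],
}

KNOWN_ACTIONS = {"browse", "read", "edit", "add", "delete"}  # assumption, see docstring


def content_selector_privilege(project_key: str, repo_type: str,
                               repository: str, role: str) -> dict:
    """One Repository Content Selector privilege: selector + repository + actions."""
    return {
        "name": f"{project_key}-{repo_type}-{role}",
        "contentSelector": f"{project_key}-{repo_type}",
        "repository": repository,
        "actions": list(ACTIONS[role]),
    }


def build_nexus_security(project_key: str,
                         repository_by_type: Dict[str, str]) -> Tuple[List[dict], List[dict]]:
    """Return (roles, privileges) for a project.

    repository_by_type maps a repository type (e.g. "docker") to the Nexus
    repository hosting it (e.g. "docker-registry"). Each role gets exactly
    one privilege per repository type, as the first table describes.
    """
    roles, privileges = [], []
    for role in ROLES:
        privilege_names = []
        for repo_type, repository in repository_by_type.items():
            priv = content_selector_privilege(project_key, repo_type, repository, role)
            privileges.append(priv)
            privilege_names.append(priv["name"])
        roles.append({
            "id": f"{project_key}-{role}",
            "name": f"{project_key}-{role}",
            "privileges": privilege_names,
        })
    return roles, privileges


def validate_privileges(privileges: List[dict]) -> List[str]:
    """Check generated (or hand-edited) privileges against the table's rules.

    Flags actions outside the known set and, more importantly, any
    non-admin privilege that carries 'delete', which the table reserves
    for the admin role.
    """
    problems = []
    for priv in privileges:
        unknown = sorted(set(priv["actions"]) - KNOWN_ACTIONS)
        if unknown:
            problems.append(f"{priv['name']}: unknown actions {unknown}")
        if "delete" in priv["actions"] and not priv["name"].endswith("-admin"):
            problems.append(f"{priv['name']}: delete is reserved for the admin role")
    return problems


if __name__ == "__main__":
    # "SDC" and "maven-hosted" are constructed sample values.
    roles, privs = build_nexus_security("SDC", {"docker": "docker-registry",
                                                "maven": "maven-hosted"})
    for role in roles:
        print(role["id"], "->", ", ".join(role["privileges"]))
    for priv in privs:
        print(priv["name"], priv["contentSelector"], priv["repository"], priv["actions"])
    print("problems:", validate_privileges(privs))
```

Running ##validate_privileges## over the privileges actually present in a Nexus instance (for example after a manual change) is the useful part: a viewer or developer privilege that has gained ##delete## shows up immediately as a deviation from the documented role model.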