Wiki source code of Users and roles

Version 7.2 by Boris Folgmann on 2026/05/20 13:12

1 {{toc depth="1"/}}
2
3 = Role Model =
4
5 == Portal Roles ==
6
7 |=Portal |=
8 | |
9 | |
10
11 == Project Roles ==
12
13 Each user who is a member of a project has to be in //exactly one// Project Role. A member can therefore neither have no role nor hold multiple roles in the same project.
14
15 Different roles have different sets of permissions. Possible roles are:
16
17 (% class="responsive-table" %)
18 (% class="active" %)|=(((
19 Role
20 )))|=(((
21 Description
22 )))
23 |(((
24 Admin
25 )))|(((
26 Full access, even to potentially dangerous operations like deleting content in the Project. Can administer Project Members and Roles.
27 )))
28 |(((
29 Master
30 )))|Elevated write access, excluding potentially dangerous operations which can lead to massive data loss or other irreversible changes.
31 |(((
32 Developer
33 )))|(((
34 General read-write access to contribute to the Project
35 )))
36 |(((
37 Viewer
38 )))|(((
39 Read-only access to all data in the Project that is not security-relevant
40 )))
41
42 Currently, a user's role assignment applies uniformly to all tools within a project.
43
44 {{info}}
45 Note:
46 To ensure the integrity of the applications in the context of the managed service, no customer user is allowed to get system admin permissions for the tools. The maximum permission level for a customer user is the "Project Admin" role described here.
47 {{/info}}
48
49 = User Permissions in DevOps Portal =
50
51 |=(((
52 Role Type
53 )))|=(% colspan="3" rowspan="1" %)(((
54 Portal Role
55 )))|=(% colspan="4" %)(((
56 Project Role
57 )))
58 |(((
59 **Role Name**
60 )))|(((
61 **User**
62 )))|(((
63 **Admin**
64 )))|(((
65 **Creator **
66 )))|(((
67 **Viewer**
68 )))|(((
69 **Developer**
70 )))|(((
71 **Master**
72 )))|(((
73 **Admin**
74 )))
75 |Login to DevOps Portal|✅|✅|✅|✅|✅|✅|✅
76 |Logout from DevOps Portal|✅|✅|✅|✅|✅|✅|✅
77 |Change my password|✅|✅|✅|✅|✅|✅|✅
78 |Reset forgotten password|✅|✅|✅|✅|✅|✅|✅
79 |Display list of users|✅|✅|✅|✅|✅|✅|✅
80 |Search for user|✅|✅|✅|✅|✅|✅|✅
81 |Add or remove "Corporate Admin" role for a user|❌|✅|❌|❌|❌|❌|❌
82 |Create User|❌|✅|✅|❌|❌|❌|❌
83 |Delete User|❌|✅|❌|❌|❌|❌|❌
84 |Lock User|❌|✅|❌|❌|❌|❌|❌
85 |Unlock User|❌|✅|❌|❌|❌|❌|❌
86 |Send invitation mail for first login|❌|✅|❌|❌|❌|❌|❌
87 |Display list of projects|❌|✅|❌|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects
88 |Search for project|❌|✅|❌|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects
89 |Create project|❌|✅|✅|❌|❌|❌|❌
90 |Delete project|❌|✅|❌|❌|❌|❌|❌
91 |Retire project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
92 |Reactivate project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
93 |Add User to Project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
94 |Remove User from Project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
95 |Display used storage by project/tool or total|❌|✅|❌|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects
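The matrix above combines a global Portal Role with a per-project Project Role, and the ⚠ cells only apply to projects the user is a member of. The following check models that rule; it is an added example, not DevOps Portal code, and the `PORTAL`/`PROJECT` dictionaries are a constructed subset of the table.

```python
# Added example (not from the wiki page): authorization check modelling the
# DevOps Portal matrix, including the "Only own projects" scoping.
from dataclasses import dataclass, field
from typing import Dict, Optional

OWN = "own"  # marks the ⚠ "Only own projects" cells

# Constructed subset of the matrix: action -> {role: True | OWN}; absent = ❌.
PORTAL = {
    "login":          {"User": True, "Admin": True, "Creator": True},
    "create_user":    {"Admin": True, "Creator": True},
    "delete_user":    {"Admin": True},
    "create_project": {"Admin": True, "Creator": True},
    "delete_project": {"Admin": True},
    "list_projects":  {"Admin": True},
    "retire_project": {"Admin": True},
    "add_member":     {"Admin": True},
}
PROJECT = {
    "login":          {"Viewer": True, "Developer": True, "Master": True, "Admin": True},
    "list_projects":  {"Viewer": OWN, "Developer": OWN, "Master": OWN, "Admin": OWN},
    "retire_project": {"Admin": OWN},
    "add_member":     {"Admin": OWN},
}


@dataclass
class User:
    portal_role: str                                   # exactly one Portal Role
    project_roles: Dict[str, str] = field(default_factory=dict)  # project -> one role


def allowed(user: User, action: str, project: Optional[str] = None) -> bool:
    """True if the Portal Role grants the action globally, or the user's
    Project Role in `project` grants it (OWN cells bind to that project)."""
    if PORTAL.get(action, {}).get(user.portal_role):
        return True                          # global grant, e.g. Portal Admin
    if project is None:
        return False                         # project-scoped grants need a project
    role = user.project_roles.get(project)   # None when not a member
    grant = PROJECT.get(action, {}).get(role)
    return grant is True or grant == OWN     # OWN: member of that very project
```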
96
97 = JIRA Project Roles / Permission Scheme =
98
99 In JIRA the Project Roles are first added under Security / Project Roles; they then get their Permissions assigned in the SDCloud Permission Scheme, which is afterwards associated with the Jira Projects.
100
101 |=(((
102 Permission / Role
103 )))|=(((
104 Admin
105 )))|=(((
106 Master
107 )))|=(((
108 Developer
109 )))|=(((
110 Viewer
111 )))
112 |=(% colspan="1" %)(((
113 Project Permissions
114 )))|(% colspan="1" %)(((
115
116 )))|(% colspan="1" %)(((
117
118 )))|(% colspan="1" %)(((
119
120 )))|(% colspan="1" %)(((
121
122 )))
123 |Administer projects (Extended project administration enabled)|✅|❌|❌|❌
125 |Browse projects|✅|✅|✅|✅
126 |Manage sprints|✅|✅|❌|❌
127 |Service Desk Agent|✅|✅|✅|❌
128 |View development tool|✅|✅|✅|✅
129 |View (read-only) workflow|✅|✅|✅|✅
130 |=Issue Permissions| | | |
131 |Assign issues|✅|✅|✅|❌
132 |Assignable user|✅|✅|✅|❌
133 |Close issues|✅|✅|❌|❌
134 |Create issues|✅|✅|✅|❌
135 |Delete issues|✅|❌|❌|❌
136 |Edit issues|✅|✅|✅|❌
137 |Link issues|✅|✅|✅|❌
138 |Modify reporter|✅|✅|❌|❌
139 |Move issues|✅|✅|❌|❌
140 |Resolve issues|✅|✅|✅|❌
141 |Schedule issues|✅|✅|❌|❌
142 |Set issue security|✅|❌|❌|❌
143 |Transition issues|✅|✅|✅|❌
144 |=Voters & watchers permissions| | | |
145 |Manage watcher list|✅|✅|❌|❌
146 |View voters and watchers|✅|✅|✅|❌
147 |=Comments permissions| | | |
148 |Add comments|✅|✅|✅|❌
149 |Delete all comments|✅|❌|❌|❌
150 |Delete own comments|✅|✅|✅|❌
151 |Edit all comments|✅|❌|❌|❌
152 |Edit own comments|✅|✅|✅|❌
153 |=Attachments permissions| | | |
154 |Create attachments|✅|✅|✅|❌
155 |Delete all attachments|✅|❌|❌|❌
156 |Delete own attachments|✅|✅|✅|❌
157 |=Time-tracking Permissions| | | |
158 |Work on issues|✅|✅|✅|❌
159 |Delete all worklogs|✅|❌|❌|❌
160 |Delete own worklogs|✅|✅|✅|❌
161 |Edit all worklogs|✅|❌|❌|❌
162 |Edit own worklogs|✅|✅|✅|❌
163
164 * The Service Desk Agent permission is only available if the Service Desk software has been added to JIRA.
165
166 = Confluence Project Roles =
167
168 See vendor documentation for the exact meaning: [[https:~~/~~/confluence.atlassian.com/doc/space-permissions-overview-139521.html>>url:https://confluence.atlassian.com/doc/space-permissions-overview-139521.html]].
169
170 |=(((
171 Space
172 )))|=(% colspan="2" %)(((
173 All
174 )))|=(% colspan="2" %)(((
175 Pages
176 )))|=(% colspan="2" %)(((
177 Blog
178 )))|=(% colspan="2" %)(((
179 Attachments
180 )))|=(% colspan="2" %)(((
181 Comments
182 )))|=(((
183 Restrictions
184 )))|=(((
185 Mail
186 )))|=(% colspan="2" %)(((
187 Space
188 )))
189 |=(% colspan="1" %)Role/Operation|(% colspan="1" %)View|(% colspan="1" %)Delete Own|(% colspan="1" %)Add|(% colspan="1" %)Delete|(% colspan="1" %)Add|(% colspan="1" %)Delete|(% colspan="1" %)Add|(% colspan="1" %)Delete|(% colspan="1" %)Add|(% colspan="1" %)Delete|(% colspan="1" %)Add/Delete|(% colspan="1" %)Delete|(% colspan="1" %)Export|(% colspan="1" %)Admin
190 |=Admin|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅
191 |=Master|✅|✅|✅|❌|✅|❌|✅|❌|✅|✅|✅|❌|✅|❌
192 |=Developer|✅|✅|✅|❌|❌|❌|✅|❌|✅|❌|❌|❌|❌|❌
193 |=Viewer|✅|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌
194
195 = Bitbucket Project Roles =
196
197 |=(((
198
199 )))|=(((
200 Browse
201 )))|=(((
202 Clone / Pull
203 )))|=(% colspan="1" %)(((
204 Create, browse, comment on pull request
205 )))|=(% colspan="1" %)(((
206 Merge pull request
207 )))|=(% colspan="1" %)(((
208 Push
209 )))|=(% colspan="1" %)(((
210 Create repositories
211 )))|=(% colspan="1" %)(((
212 Edit settings / permissions
213 )))
214 |Admin|✅|✅|✅|✅|✅|✅|✅
215 |Master|✅|✅|✅|✅|✅|✅|❌
216 |Developer|✅|✅|✅|✅|✅|❌|❌
217 |Viewer|✅|✅|✅|❌|❌|❌|❌
218
219 //Repository permissions are inherited from project permissions.//
220
221 = Jenkins Project Roles =
222
223 |=(% colspan="1" %)(((
224 Permission
225 )))|=(((
226 Role
227 )))|=(((
228 Admin
229 )))|=(((
230 Master
231 )))|=(((
232 Developer
233 )))|=(((
234 Viewer
235 )))|=(% colspan="1" %)(((
236 Authenticated Users
237 )))|=(% colspan="1" %)(((
238 Anonymous Users
239 )))|=(% colspan="1" %)(((
240 Prometheus Tech User
241 )))
242 |=(% rowspan="5" %)Credentials|Create|✅|✅|❌|❌|❌|❌|❌
243 |Delete|✅|❌|❌|❌|❌|❌|❌
244 |Manage Domains|✅|❌|❌|❌|❌|❌|❌
245 |Update|✅|✅|❌|❌|❌|❌|❌
246 |View|✅|✅|✅|❌|❌|❌|❌
247 |=(% rowspan="10" %)Job|Build|✅|✅|✅|❌|❌|❌|❌
248 |Cancel|✅|✅|❌|❌|❌|❌|❌
249 |Configure|✅|✅|❌|❌|❌|❌|❌
250 |Create|✅|✅|❌|❌|❌|❌|❌
251 |Delete|✅|❌|❌|❌|❌|❌|❌
252 |Discover|✅|✅|✅|✅|❌|❌|❌
253 |ExtendedRead| | | | | | |
254 |Move|✅|❌|❌|❌|❌|❌|❌
255 |Read|✅|✅|✅|✅|❌|❌|❌
256 |Workspace|✅|✅|✅|❌|❌|❌|❌
257 |=(% rowspan="3" %)Run|Delete|✅|❌|❌|❌|❌|❌|❌
258 |Replay|✅|✅|✅|❌|❌|❌|❌
259 |Update|✅|✅|✅|❌|❌|❌|❌
260 |=Job Config History|DeleteEntry| | | | | | |
261 |=SCM|Tag|✅|✅|❌|❌|❌|❌|❌
262 |=(% rowspan="3" %)Metrics|HealthCheck| | | | | | |
263 |ThreadDump| | | | | | |
264 |View| | | | | | |
265
266 = GitLab =
267
268 Users are assigned to Groups in GitLab with the following role mapping. Permissions are inherited by subordinate Subgroups and GitLab Projects.
269
270 |=(((
271 Project Role
272 )))|=(((
273 GitLab Group Members Permission
274 )))
275 |(((
276 Viewer
277 )))|(((
278 Reporter
279 )))
280 |(((
281 Developer
282 )))|(((
283 Developer
284 )))
285 |(% colspan="1" %)(((
286 Master
287 )))|(% colspan="1" %)(((
288 Maintainer
289 )))
290 |(% colspan="1" %)(((
291 Admin
292 )))|(% colspan="1" %)(((
293 Owner
294 )))
295
296 For the meaning of the GitLab Group Permissions, see [[https:~~/~~/docs.gitlab.com/ee/user/permissions.html#group-members-permissions>>url:https://docs.gitlab.com/ee/user/permissions.html#group-members-permissions]].
297
298 = Harbor Project Roles =
299
300 Harbor manages images through projects. You give users access to these images by adding them to projects and assigning one of the following roles to them:
301
302 |=(% colspan="2" %)Harbor|=Portal
307 |=Role Name|=Role Id|=Project Role
308 |Project Admin|1|ADMIN
309 |Maintainer|4|MASTER
310 |Developer|2|DEVELOPER
311 |Guest|3|VIEWER
312
313 == Harbor Roles Permissions ==
314
315 |=(((
316 Action
317 )))|=(((
318 Limited Guest
319 )))|=(((
320 Guest
321 )))|=(((
322 Developer
323 )))|=(((
324 Maintainer
325 )))|=(((
326 Project Admin
327 )))
328 |See the project configurations|✅|✅|✅|✅|✅
329 |Edit the project configurations|❌|❌|❌|❌|✅
330 |See a list of project members| |✅|✅|✅|✅
331 |Create/edit/delete project members|❌|❌|❌|❌|✅
332 |See a list of project logs|✅|✅|✅|✅|❌
333 |See a list of project replications|❌|❌|❌|✅|✅
334 |See a list of project replication jobs|❌|❌|❌|❌|✅
335 |See a list of project labels|❌|❌|❌|✅|✅
336 |Create/edit/delete project labels|❌|❌|❌|✅|✅
337 |See a list of repositories|✅|✅|✅|✅|✅
338 |Create repositories|❌|❌|✅|✅|✅
339 |Edit/delete repositories|❌|❌|❌|✅|✅
340 |See a list of images|✅|✅|✅|✅|✅
341 |Retag image|❌|✅|✅|✅|✅
342 |Pull image|✅|✅|✅|✅|✅
343 |Push image|❌|❌|✅|✅|✅
344 |Scan/delete image|❌|❌|❌|✅|✅
345 |Add scanners to Harbor *|❌|❌|❌|❌|❌
346 |Edit scanners in projects|❌|❌|❌|❌|✅
347 |See a list of image vulnerabilities|✅|✅|✅|✅|✅
348 |Create list of project vulnerabilities|❌|❌|✅|✅|✅
349 |Read list of project vulnerabilities|❌|❌|✅|✅|✅
350 |Export list of project vulnerabilities|❌|❌|✅|✅|✅
351 |See image build history|✅|✅|✅|✅|✅
352 |Add/Remove labels of image|❌|❌|✅|✅|✅
353 |See a list of helm charts|✅|✅|✅|✅|✅
354 |Download helm charts|✅|✅|✅|✅|✅
355 |Upload helm charts|❌|❌|✅|✅|✅
356 |Delete helm charts|❌|❌|❌|✅|✅
357 |See a list of helm chart versions|✅|✅|✅|✅|✅
358 |Download helm chart versions|✅|✅|✅|✅|✅
359 |Upload helm chart versions|❌|❌|✅|✅|✅
360 |Delete helm chart versions|❌|❌|❌|✅|✅
361 |Add/Remove labels of helm chart version|❌|❌|✅|✅|✅
362 |See a list of project robots|❌|❌|❌|✅|✅
363 |Create/edit/delete project robots|❌|❌|❌|❌|✅
364 |See configured CVE allowlist|✅|✅|✅|✅|✅
365 |Create/edit/remove CVE allowlist|❌|❌|❌|❌|✅
366 |View webhook events|❌|❌|❌|✅|✅
367 |Add new webhook events|❌|❌|❌|❌|✅
368 |Enable/deactivate webhooks|❌|❌|❌|❌|✅
369 |Create/delete tag retention rules|❌|❌|✅|✅|✅
370 |Enable/deactivate tag retention rules|❌|❌|✅|✅|✅
371 |Create/delete tag immutability rules|❌|❌|❌|✅|✅
372 |Enable/deactivate tag immutability rules|❌|❌|❌|✅|✅
373 |See project quotas|✅|✅|✅|✅|✅
374 |Edit project quotas *|❌|❌|❌|❌|❌
375 |Delete Project|❌|❌|❌|❌|✅
376
377 ~* Only the Harbor system administrator can edit project quotas and add new scanners.
378
379 = Gitea =
380
381 Please note that some terms used in DevOps-as-a-Service have different names in Gitea. The following table maps them to avoid confusion.
382
383 |=(((
384 DevOps Portal
385 )))|=(((
386 Gitea
387 )))
388 |(((
389 Project
390 )))|(((
391 Organization
392 )))
393 |(((
394 Project Role
395 )))|(((
396 Team
397 )))
398 |(((
399 Git Repository
400 )))|(((
401 Repository
402 )))
403 |(((
404 Artifact Repository
405 )))|(((
406 Package
407 )))
408 |(((
409 Issue Tracking
410 )))|(((
411 Project (currently disabled)
412 )))
413
414 The **Owner** team has full admin permission in the Organization. This is a technical user used by the DevOps Portal for auto-provisioning.
415
416 |=(((
417 Gitea Role
418 )))|=(((
419 Portal Project Role
420 )))|=Permissions
421 |(((
422 Viewer
423 )))|Viewer|Read
424 |(((
425 Developer
426 )))|(((
427 Developer
428 )))|Read, Write
429 |(% colspan="1" %)(((
430 Master
431 )))|(% colspan="1" %)Master|Read, Write
432 |(% colspan="1" %)Admin|(% colspan="1" %)Admin|Read, Write, Repository create
433
434 = Nexus Project Roles =
435
436 For each role in a project, a role is created in Nexus that includes one Privilege per repository in the project.
437
438 |=(((
439 Role
440 )))|=(((
441 Admin
442 )))|=(((
443 Master
444 )))|=(((
445 Developer
446 )))|=(((
447 Viewer
448 )))
449 |(((
450 ID
451 )))|(((
452 PROJECTKEY-admin
453 )))|(((
454 PROJECTKEY-master
455 )))|(((
456 PROJECTKEY-developer
457 )))|(((
458 PROJECTKEY-viewer
459 )))
460 |(((
461 Name
462 )))|(((
463 PROJECTKEY-admin
464 )))|(((
465 PROJECTKEY-master
466 )))|(((
467 PROJECTKEY-developer
468 )))|(((
469 PROJECTKEY-viewer
470 )))
471 |(((
472 Privilege
473 )))|(((
474 PROJECTKEY-docker-admin
475
476 PROJECTKEY-maven-admin
477
478 PROJECTKEY-//repotype//-admin
479 )))|(((
480 PROJECTKEY-docker-master
481
482 PROJECTKEY-maven-master
483
484 PROJECTKEY-//repotype//-master
485 )))|(((
486 PROJECTKEY-docker-developer
487
488 PROJECTKEY-maven-developer
489
490 PROJECTKEY-//repotype//-developer
491 )))|(((
492 PROJECTKEY-docker-viewer
493
494 PROJECTKEY-maven-viewer
495
496 PROJECTKEY-//repotype//-viewer
497 )))
498
499 For each role in a project, a **Privilege of type Repository Content Selector** is created, which combines a Content Selector (Project), a Repository (Docker Registry) and the Actions belonging to the role.
500
501 |=(((
502 Privilege / Role
503 )))|=(((
504 Admin
505 )))|=(((
506 Master
507 )))|=(((
508 Developer
509 )))|=(((
510 Viewer
511 )))
512 |(((
513 Name
514 )))|(((
515 PROJECTKEY-docker-admin
516 )))|(((
517 PROJECTKEY-docker-master
518 )))|(((
519 PROJECTKEY-docker-developer
520 )))|(((
521 PROJECTKEY-docker-viewer
522 )))
523 |(((
524 Content Selector
525 )))|(((
526 PROJECTKEY-docker
527 )))|(((
528 PROJECTKEY-docker
529 )))|(((
530 PROJECTKEY-docker
531 )))|(((
532 PROJECTKEY-docker
533 )))
534 |(((
535 Repository
536 )))|(((
537 docker-registry
538 )))|(((
539 docker-registry
540 )))|(((
541 docker-registry
542 )))|(((
543 docker-registry
544 )))
545 |(((
546 Actions
547 )))|(((
548 delete, add, edit, browse, read
549 )))|(((
550 add, edit, browse, read
551 )))|(((
552 add, edit, browse, read
553 )))|(((
554 browse, read
555 )))
556
557 See [[https:~~/~~/help.sonatype.com/repomanager3/security/privileges>>url:https://help.sonatype.com/repomanager3/nexus-repository-administration/access-control/privileges]] for available Actions.
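The two tables above define a naming scheme (PROJECTKEY-//repotype//-role) and an action set per role. The following script derives those Nexus role and privilege definitions for a given project key so they can be reviewed or diffed against what auto-provisioning created, and flags any non-admin privilege that carries the destructive `delete` action. It is an added example, not the DevOps Portal's or Nexus's own code; the REST payload shape and the `maven-hosted` repository name are assumptions.

```python
# Added example (not from the wiki page or Nexus): derive the Nexus roles and
# Repository Content Selector privileges for one project, then check them.
from typing import Dict, List

ROLES = ("admin", "master", "developer", "viewer")

# Actions per role, as in the "Actions" row of the privilege table above.
ACTIONS: Dict[str, List[str]] = {
    "admin":     ["delete", "add", "edit", "browse", "read"],
    "master":    ["add", "edit", "browse", "read"],
    "developer": ["add", "edit", "browse", "read"],
    "viewer":    ["browse", "read"],
}

# Assumed repotype -> Nexus repository name (the page only shows docker-registry).
REPOSITORIES = {"docker": "docker-registry", "maven": "maven-hosted"}


def privilege(project_key: str, repotype: str, role: str) -> dict:
    """One Repository Content Selector privilege: selector + repository + actions.
    The payload field names mirror the Nexus 3 REST shape but are assumed here."""
    if role not in ACTIONS or repotype not in REPOSITORIES:
        raise ValueError(f"unknown role or repotype: {role}/{repotype}")
    return {
        "type": "repository-content-selector",
        "name": f"{project_key}-{repotype}-{role}",
        "contentSelector": f"{project_key}-{repotype}",
        "repository": REPOSITORIES[repotype],
        "actions": list(ACTIONS[role]),
    }


def project_roles(project_key: str, repotypes: List[str]) -> Dict[str, dict]:
    """Role ID and name per Project Role, with one privilege per repotype."""
    return {
        role: {
            "id": f"{project_key}-{role}",
            "name": f"{project_key}-{role}",
            "privileges": [f"{project_key}-{rt}-{role}" for rt in repotypes],
        }
        for role in ROLES
    }


def check_least_privilege(priv: dict) -> bool:
    """Per the table, only the admin privilege may carry the 'delete' action."""
    return "delete" not in priv["actions"] or priv["name"].endswith("-admin")
```

Running `check_least_privilege` over the privileges actually present in Nexus catches a drifted definition that silently grants Master or Developer the right to delete registry content.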