Wiki source code of Users and roles

Version 7.2 by Boris Folgmann on 2026/05/20 13:12

1 {{toc depth="1"/}}
2
3 = Role Model =
4
5 == Portal Roles ==
6
7 |=Portal |=
8 | |
9 | |
10
11 == Project Roles ==
12
13 Each user who is a member of a project has to be in //exactly one// Project Role. It is therefore not possible for a member to have no role, or more than one role, in a project.
14
15 Different roles have different sets of permissions. Possible roles are:
16
17 (% class="responsive-table" %)
18 (% class="active" %)|=(((
19 Role
20 )))|=(((
21 Description
22 )))
23 |(((
24 Admin
25 )))|(((
26 Full access, even to potentially dangerous operations like deleting content in the Project. Can administer Project Members and Roles.
27 )))
28 |(((
29 Master
30 )))|Elevated write access, excluding potentially dangerous operations which can lead to massive data loss or other irreversible changes.
31 |(((
32 Developer
33 )))|(((
34 General read-write access to contribute to the Project
35 )))
36 |(((
37 Viewer
38 )))|(((
39 Read-only access to all data in the Project that is not security-relevant
40 )))
41
42 Currently, the role assignment applies to all tools within one project.
43
44 {{info}}
45 Note:
46 To ensure the integrity of the applications in the context of the managed service, no customer user is allowed to get system admin permissions for the tools. The maximum permission level for a customer user is the "Project Admin" role as described here.
47 {{/info}}
48
49 = User Permissions in DevOps Portal =
50
51 |=(((
52 Role Type
53 )))|=(% colspan="3" rowspan="1" %)(((
54 Portal Role
55 )))|=(% rowspan="23" %) |=(% colspan="4" %)(((
56 Project Role
57 )))
58 |(((
59 **Role Name**
60 )))|(((
61 **User**
62 )))|(((
63 **Admin**
64 )))|(((
65 **Creator **
66 )))|(((
67 **Viewer**
68 )))|(((
69 **Developer**
70 )))|(((
71 **Master**
72 )))|(((
73 **Admin**
74 )))
75 |Login to DevOps Portal|✅|✅|✅|✅|✅|✅|✅
76 |Logout from DevOps Portal|✅|✅|✅|✅|✅|✅|✅
77 |Change my password|✅|✅|✅|✅|✅|✅|✅
78 |Reset forgotten password|✅|✅|✅|✅|✅|✅|✅
79 |Display list of users|✅|✅|✅|✅|✅|✅|✅
80 |Search for user |✅|✅|✅|✅|✅|✅|✅
81 |Add or remove "Corporate Admin" role to user |❌|✅|❌|❌|❌|❌|❌
82 |Create User|❌|✅|✅|❌|❌|❌|❌
83 |Delete User|❌|✅|❌|❌|❌|❌|❌
84 |Lock User|❌|✅|❌|❌|❌|❌|❌
85 |Unlock User|❌|✅|❌|❌|❌|❌|❌
86 |Send invitation mail for first login|❌|✅|❌|❌|❌|❌|❌
87 |Display list of projects|❌|✅|❌|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects
88 |Search for project|❌|✅|❌|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects
89 |Create project|❌|✅|✅|❌|❌|❌|❌
90 |Delete project|❌|✅|❌|❌|❌|❌|❌
91 |Retire project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
92 |Reactivate project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
93 |Add User to Project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
94 |Remove User from Project|❌|✅|❌|❌|❌|❌|⚠ Only own projects
95 |Display used storage by project/tool or total|❌|✅|❌|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects|⚠ Only own projects
96
97 = JIRA Project Roles / Permission Scheme =
98
99 In JIRA, the Project Roles are first added under Security / Project Roles and then get their Permissions assigned in the SDCloud Permission Scheme, which then has to be associated with the Jira Projects.
100
101 |=(((
102 Permission / Role
103 )))|=(((
104 Admin
105 )))|=(((
106 Master
107 )))|=(((
108 Developer
109 )))|=(((
110 Viewer
111 )))
112 |=(% colspan="1" %)(((
113 Project Permissions
114 )))|(% colspan="1" %)(((
115
116 )))|(% colspan="1" %)(((
117
118 )))|(% colspan="1" %)(((
119
120 )))|(% colspan="1" %)(((
121
122 )))
123 |Administer projects (Extended project administration enabled)|✅|❌|❌|❌
125 |Browse projects|✅|✅|✅|✅
126 |Manage sprints|✅|✅|❌|❌
127 |Service Desk Agent|✅|✅|✅|❌
128 |View development tool|✅|✅|✅|✅
129 |View (read-only) workflow|✅|✅|✅|✅
130 |=Issue Permissions| | | |
131 |Assign issues|✅|✅|✅|❌
132 |Assignable user|✅|✅|✅|❌
133 |Close issues|✅|✅|❌|❌
134 |Create issues|✅|✅|✅|❌
135 |Delete issues|✅|❌|❌|❌
136 |Edit issues|✅|✅|✅|❌
137 |Link issues|✅|✅|✅|❌
138 |Modify reporter|✅|✅|❌|❌
139 |Move issues|✅|✅|❌|❌
140 |Resolve issues|✅|✅|✅|❌
141 |Schedule issues|✅|✅|❌|❌
142 |Set issues security|✅|❌|❌|❌
143 |Transition issues|✅|✅|✅|❌
144 |=(% colspan="1" %)Voters & watchers permissions|(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %)
145 |Manage watcher list|✅|✅|❌|❌
146 |View voters and watchers|✅|✅|✅|❌
147 |=(% colspan="1" %)Comments permissions|(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %)
148 |Add comments|✅|✅|✅|❌
149 |Delete all comments|✅|❌|❌|❌
150 |Delete own comments|✅|✅|✅|❌
151 |Edit all comments|✅|❌|❌|❌
152 |Edit own comments|✅|✅|✅|❌
153 |=(% colspan="1" %)Attachments permissions|(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %)
154 |Create attachments|✅|✅|✅|❌
155 |Delete all attachments|✅|❌|❌|❌
156 |Delete own attachments|✅|✅|✅|❌
157 |=(% colspan="1" %)Time-tracking Permissions|(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %)
158 |Work on issues|✅|✅|✅|❌
159 |Delete all worklogs|✅|❌|❌|❌
160 |Delete own worklogs|✅|✅|✅|❌
161 |Edit all worklogs|✅|❌|❌|❌
162 |Edit own worklogs|✅|✅|✅|❌
163
164 * Service Desk Agent is only available if the Service Desk software was added to JIRA
165
166 = Confluence Project Roles =
167
168 See vendor documentation for the exact meaning: [[https:~~/~~/confluence.atlassian.com/doc/space-permissions-overview-139521.html>>url:https://confluence.atlassian.com/doc/space-permissions-overview-139521.html]].
169
170 |=(((
171 Space
172 )))|=(% colspan="2" %)(((
173 All
174 )))|=(% colspan="2" %)(((
175 Pages
176 )))|=(% colspan="2" %)(((
177 Blog
178 )))|=(% colspan="2" %)(((
179 Attachments
180 )))|=(% colspan="2" %)(((
181 Comments
182 )))|=(((
183 Restrictions
184 )))|=(((
185 Mail
186 )))|=(% colspan="2" %)(((
187 Space
188 )))
189 |=(% colspan="1" %)Role/Operation|(% colspan="1" %)View|(% colspan="1" %)Delete Own|(% colspan="1" %)Add|(% colspan="1" %)Delete|(% colspan="1" %)Add|(% colspan="1" %)Delete|(% colspan="1" %)Add|(% colspan="1" %)Delete|(% colspan="1" %)Add|(% colspan="1" %)Delete|(% colspan="1" %)Add/Delete|(% colspan="1" %)Delete|(% colspan="1" %)Export|(% colspan="1" %)Admin
190 |=Admin|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅
191 |=Master|✅|✅|✅|❌|✅|❌|✅|❌|✅|✅|✅|❌|✅|❌
192 |=Developer|✅|✅|✅|❌|❌|❌|✅|❌|✅|❌|❌|❌|❌|❌
193 |=Viewer|✅|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌
194
195 = Bitbucket Project Roles =
196
197 |=(((
198
199 )))|=(((
200 Browse
201 )))|=(((
202 Clone / Pull
203 )))|=(% colspan="1" %)(((
204 Create, browse, comment on pull request
205 )))|=(% colspan="1" %)(((
206 Merge pull request
207 )))|=(% colspan="1" %)(((
208 Push
209 )))|=(% colspan="1" %)(((
210 Create repositories
211 )))|=(% colspan="1" %)(((
212 Edit settings / permissions
213 )))
214 |Admin|✅|✅|✅|✅|✅|✅|✅
215 |Master|✅|✅|✅|✅|✅|✅|❌
216 |Developer|✅|✅|✅|✅|✅|❌|❌
217 |Viewer|✅|✅|✅|❌|❌|❌|❌
218
219 //Repository permissions are inherited from project permissions.//
220
221 = Jenkins Project Roles =
222
223 |=(% colspan="1" %)(((
224 Permission
225 )))|=(((
226 Role
227 )))|=(((
228 Admin
229 )))|=(((
230 Master
231 )))|=(((
232 Developer
233 )))|=(((
234 Viewer
235 )))|=(% colspan="1" %)(((
236 Authenticated Users
237 )))|=(% colspan="1" %)(((
238 Anonymous Users
239 )))|=(% colspan="1" %)(((
240 Prometheus Tech User
241 )))
242 |=(% rowspan="5" %)Credentials|Create|✅|✅|❌|❌|❌|❌|❌
243 |Delete|✅|❌|❌|❌|❌|❌|❌
244 |Manage Domains|✅|❌|❌|❌|❌|❌|❌
245 |Update|✅|✅|❌|❌|❌|❌|❌
246 |View|✅|✅|✅|❌|❌|❌|❌
247 |=(% rowspan="10" %)Job|Build|✅|✅|✅|❌|❌|❌|❌
248 |Cancel|✅|✅|❌|❌|❌|❌|❌
249 |Configure|✅|✅|❌|❌|❌|❌|❌
250 |Create|✅|✅|❌|❌|❌|❌|❌
251 |Delete|✅|❌|❌|❌|❌|❌|❌
252 |Discover|✅|✅|✅|✅|❌|❌|❌
253 |ExtendedRead| | | | | | |
254 |Move|✅|❌|❌|❌|❌|❌|❌
255 |Read|✅|✅|✅|✅|❌|❌|❌
256 |Workspace|✅|✅|✅|❌|❌|❌|❌
257 |=(% rowspan="3" %)Run|Delete|✅|❌|❌|❌|❌|❌|❌
258 |Replay|✅|✅|✅|❌|❌|❌|❌
259 |Update|✅|✅|✅|❌|❌|❌|❌
260 |=Job Config History|DeleteEntry| | | | | | |
261 |=SCM|Tag|✅|✅|❌|❌|❌|❌|❌
262 |=Metrics|HealthCheck| | | | | | |
263 | |ThreadDump| | | | | | |
264 | |View| | | | | | |
265
266 = GitLab =
267
268 Users are assigned to Groups in GitLab with the following role assignment. Permissions within subordinate Subgroups and GitLab Projects are inherited.
269
270 |=(((
271 Project Role
272 )))|=(((
273 GitLab Group Members Permission
274 )))
275 |(((
276 Viewer
277 )))|(((
278 Reporter
279 )))
280 |(((
281 Developer
282 )))|(((
283 Developer
284 )))
285 |(% colspan="1" %)(((
286 Master
287 )))|(% colspan="1" %)(((
288 Maintainer
289 )))
290 |(% colspan="1" %)(((
291 Admin
292 )))|(% colspan="1" %)(((
293 Owner
294 )))
295
296 For the permissions of each GitLab Group member role, see [[https:~~/~~/docs.gitlab.com/ee/user/permissions.html#group-members-permissions>>url:https://docs.gitlab.com/ee/user/permissions.html#group-members-permissions]].
297
298 = Harbor Project Roles =
299
300 Harbor manages images through projects. You provide access to these images to users by including the users in projects and assigning one of the following roles to them:
301
302 |=(% colspan="2" %)(((
303 Harbor
304 )))|=(((
305 Portal
306 )))
307 |=Role Name|=Role Id|=Project Role
308 |Project Admin|1|ADMIN
309 |Maintainer|4|MASTER
310 |Developer|2|DEVELOPER
311 |Guest|3|VIEWER
312
313 === Harbor Roles Permissions ===
314
315 |=(((
316 Action
317 )))|=(((
318 Limited Guest
319 )))|=(((
320 Guest
321 )))|=(((
322 Developer
323 )))|=(((
324 Maintainer
325 )))|=(((
326 Project Admin
327 )))
328 |See the project configurations|✅|✅|✅|✅|✅
329 |Edit the project configurations|❌|❌|❌|❌|✅
330 |See a list of project members| |✅|✅|✅|✅
331 |Create/edit/delete project members|❌|❌|❌|❌|✅
332 |See a list of project logs|✅|✅|✅|✅|❌
333 |See a list of project replications|❌|❌|❌|✅|✅
334 |See a list of project replication jobs|❌|❌|❌|❌|✅
335 |See a list of project labels|❌|❌|❌|✅|✅
336 |Create/edit/delete project labels|❌|❌|❌|✅|✅
337 |See a list of repositories|✅|✅|✅|✅|✅
338 |Create repositories|❌|❌|✅|✅|✅
339 |Edit/delete repositories|❌|❌|❌|✅|✅
340 |See a list of images|✅|✅|✅|✅|✅
341 |Retag image|❌|✅|✅|✅|✅
342 |Pull image|✅|✅|✅|✅|✅
343 |Push image|❌|❌|✅|✅|✅
344 |Scan/delete image|❌|❌|❌|✅|✅
345 |Add scanners to Harbor *|❌|❌|❌|❌|❌
346 |Edit scanners in projects|❌|❌|❌|❌|✅
347 |See a list of image vulnerabilities|✅|✅|✅|✅|✅
348 |Create list of project vulnerabilities|❌|❌|✅|✅|✅
349 |Read list of project vulnerabilities|❌|❌|✅|✅|✅
350 |Export list of project vulnerabilities|❌|❌|✅|✅|✅
351 |See image build history|✅|✅|✅|✅|✅
352 |Add/Remove labels of image|❌|❌|✅|✅|✅
353 |See a list of helm charts|✅|✅|✅|✅|✅
354 |Download helm charts|✅|✅|✅|✅|✅
355 |Upload helm charts|❌|❌|✅|✅|✅
356 |Delete helm charts|❌|❌|❌|✅|✅
357 |See a list of helm chart versions|✅|✅|✅|✅|✅
358 |Download helm chart versions|✅|✅|✅|✅|✅
359 |Upload helm chart versions|❌|❌|✅|✅|✅
360 |Delete helm chart versions|❌|❌|❌|✅|✅
361 |Add/Remove labels of helm chart version|❌|❌|✅|✅|✅
362 |See a list of project robots|❌|❌|❌|✅|✅
363 |Create/edit/delete project robots|❌|❌|❌|❌|✅
364 |See configured CVE allowlist|✅|✅|✅|✅|✅
365 |Create/edit/remove CVE allowlist|❌|❌|❌|❌|✅
366 |View webhook events|❌|❌|❌|✅|✅
367 |Add new webhook events|❌|❌|❌|❌|✅
368 |Enable/deactivate webhooks|❌|❌|❌|❌|✅
369 |Create/delete tag retention rules|❌|❌|✅|✅|✅
370 |Enable/deactivate tag retention rules|❌|❌|✅|✅|✅
371 |Create/delete tag immutability rules|❌|❌|❌|✅|✅
372 |Enable/deactivate tag immutability rules|❌|❌|❌|✅|✅
373 |See project quotas|✅|✅|✅|✅|✅
374 |Edit project quotas *|❌|❌|❌|❌|❌
375 |Delete Project|❌|❌|❌|❌|✅
376
377 ~* Only the Harbor system administrator can edit project quotas and add new scanners.
378
379 = Gitea =
380
381 Please note that some terms used in DevOps-as-a-Service have different names in Gitea. Check the following table to avoid confusion.
382
383 |=(((
384 DevOps Portal
385 )))|=(((
386 Gitea
387 )))
388 |(((
389 Project
390 )))|(((
391 Organization
392 )))
393 |(((
394 Project Role
395 )))|(((
396 Team
397 )))
398 |(((
399 Git Repository
400 )))|(((
401 Repository
402 )))
403 |(((
404 Artifact Repository
405 )))|(((
406 Package
407 )))
408 |(((
409 Issue Tracking
410 )))|(((
411 Project (currently disabled)
412 )))
413
414 The **Owner** team has full admin permission in the Organization. This is a technical user used by the DevOps Portal for auto-provisioning.
415
416 |=(((
417 Gitea Role
418 )))|=(((
419 Portal Project Role
420 )))|=Permissions
421 |(((
422 Viewer
423 )))|Viewer|Read
424 |(((
425 Developer
426 )))|(((
427 Developer
428 )))|Read, Write
429 |(% colspan="1" %)(((
430 Master
431 )))|(% colspan="1" %)Master|Read, Write
432 |(% colspan="1" %)Admin|(% colspan="1" %)Admin|Read, Write, Repository create
433
434 = Nexus Project Roles =
435
436 For each role in a project, a role in Nexus is created which includes one Privilege for each repository in the project.
437
438 |=(((
439 Role
440 )))|=(((
441 Admin
442 )))|=(((
443 Master
444 )))|=(((
445 Developer
446 )))|=(((
447 Viewer
448 )))
449 |(((
450 ID
451 )))|(((
452 PROJECTKEY-admin
453 )))|(((
454 PROJECTKEY-master
455 )))|(((
456 PROJECTKEY-developer
457 )))|(((
458 PROJECTKEY-viewer
459 )))
460 |(((
461 Name
462 )))|(((
463 PROJECTKEY-admin
464 )))|(((
465 PROJECTKEY-master
466 )))|(((
467 PROJECTKEY-developer
468 )))|(((
469 PROJECTKEY-viewer
470 )))
471 |(((
472 Privilege
473 )))|(((
474 PROJECTKEY-docker-admin
475
476 PROJECTKEY-maven-admin
477
478 PROJECTKEY-//repotype//-admin
479 )))|(((
480 PROJECTKEY-docker-master
481
482 PROJECTKEY-maven-master
483
484 PROJECTKEY-//repotype//-master
485 )))|(((
486 PROJECTKEY-docker-developer
487
488 PROJECTKEY-maven-developer
489
490 PROJECTKEY-//repotype//-developer
491 )))|(((
492 PROJECTKEY-docker-viewer
493
494 PROJECTKEY-maven-viewer
495
496 PROJECTKEY-//repotype//-viewer
497 )))
498
499 For each role in a project, a **Privilege of type Repository Content Selector** is created, which combines a Content Selector (Project), a Repository (Docker Registry) and Actions depending on the role.
500
501 |=(((
502 Privilege / Role
503 )))|=(((
504 Admin
505 )))|=(((
506 Master
507 )))|=(((
508 Developer
509 )))|=(((
510 Viewer
511 )))
512 |(((
513 Name
514 )))|(((
515 PROJECTKEY-docker-admin
516 )))|(((
517 PROJECTKEY-docker-master
518 )))|(((
519 PROJECTKEY-docker-developer
520 )))|(((
521 PROJECTKEY-docker-viewer
522 )))
523 |(((
524 Content Selector
525 )))|(((
526 PROJECTKEY-docker
527 )))|(((
528 PROJECTKEY-docker
529 )))|(((
530 PROJECTKEY-docker
531 )))|(((
532 PROJECTKEY-docker
533 )))
534 |(((
535 Repository
536 )))|(((
537 docker-registry
538 )))|(((
539 docker-registry
540 )))|(((
541 docker-registry
542 )))|(((
543 docker-registry
544 )))
545 |(((
546 Actions
547 )))|(((
548 delete, add, edit, browse, read
549 )))|(((
550 add, edit, browse, read
551 )))|(((
552 add, edit, browse, read
553 )))|(((
554 browse, read
555 )))
556
557 See [[https:~~/~~/help.sonatype.com/repomanager3/security/privileges>>url:https://help.sonatype.com/repomanager3/nexus-repository-administration/access-control/privileges]] for available Actions.
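Added example, not part of this page or of the DevOps Portal's own tooling: a Python check that derives the Nexus role and privilege names described in the two tables above (PROJECTKEY-<role> and PROJECTKEY-<repotype>-<role>) together with the documented Actions per role, and compares them with a privilege dump to flag drift such as a widened Viewer privilege, a missing action, or a privilege the model does not know. The project key DEMO, the sample dump and all function names are assumptions.

```python
# Added example (not the DevOps Portal's own code): derives the Nexus privilege
# names implied by the PROJECTKEY-<repotype>-<role> scheme and checks a privilege
# dump for drift against the documented Actions. All names here are assumptions.

# Actions per Project Role as documented for the docker-registry privileges.
ROLE_ACTIONS = {
    "admin": {"delete", "add", "edit", "browse", "read"},
    "master": {"add", "edit", "browse", "read"},
    "developer": {"add", "edit", "browse", "read"},
    "viewer": {"browse", "read"},
}

def expected_privileges(project_key, repo_types):
    """Return {privilege name: actions} for every PROJECTKEY-<repotype>-<role>."""
    return {f"{project_key}-{t}-{role}": set(actions)
            for t in repo_types for role, actions in ROLE_ACTIONS.items()}

def expected_roles(project_key, repo_types):
    """Return {role id: privilege names}: one privilege per repository and role."""
    return {f"{project_key}-{role}": {f"{project_key}-{t}-{role}" for t in repo_types}
            for role in ROLE_ACTIONS}

def find_drift(project_key, repo_types, observed):
    """Return sorted (privilege, problem) pairs; an empty list means no drift."""
    expected = expected_privileges(project_key, repo_types)
    problems = []
    for name, actions in expected.items():
        got = set(observed.get(name, ()))
        if name not in observed:
            problems.append((name, "missing"))
        elif got - actions:  # widened privilege: the security-relevant case
            problems.append((name, "extra actions: " + ",".join(sorted(got - actions))))
        elif actions - got:
            problems.append((name, "missing actions: " + ",".join(sorted(actions - got))))
    for name in observed:  # anything in the project namespace the model does not know
        if name.startswith(project_key + "-") and name not in expected:
            problems.append((name, "undocumented privilege"))
    return sorted(problems)

# Constructed sample dump: viewer widened to "delete", developer lost "add",
# and an undocumented privilege was added under the project's namespace.
SAMPLE_OBSERVED = {
    "DEMO-docker-admin": ["delete", "add", "edit", "browse", "read"],
    "DEMO-docker-master": ["add", "edit", "browse", "read"],
    "DEMO-docker-developer": ["edit", "browse", "read"],
    "DEMO-docker-viewer": ["browse", "read", "delete"],
    "DEMO-docker-release": ["browse", "read", "add"],
}
```

Calling find_drift("DEMO", ["docker"], SAMPLE_OBSERVED) reports the three deviations in the sample dump; feeding it an export of the real Nexus privileges for a project gives the same check against the documented model.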