Wiki source code of Users and roles

Version 8.2 by Boris Folgmann on 2026/05/20 13:15

{{toc depth="1"/}}

= Role Model =

== Portal Roles ==

Inside the DevOps Portal users have exactly

(% class="active" %)|=(% style="width: 124px;" %)Portal Role|=(% style="width: 861px;" %)Description
|(% style="width:124px" %)(((
Admin
)))|(% style="width:861px" %)Admins have full access. They can //create//, //edit// and //delete// all kinds of entities, such as users, projects, organizations, technical users and roles. Therefore, they can also add further Admins who have the same privileges. The last Admin cannot remove himself.
|(% style="width:124px" %)(((
Creator
)))|(% style="width:861px" %)Creators can //create// all kinds of entities, such as users, projects, organizations and technical users. When a Creator creates a new project, he is automatically assigned the Admin role in that project, which allows him to add more members.
|(% style="width:124px" %)(((
User
)))|(% style="width:861px" %)All other users are simply called Users. They can be assigned any role in projects.

== Project Roles ==

Each user who is a member of a project has to be in //exactly one// Project Role. Consequently, it is not possible to have no role or several roles in a project.

Different roles have different sets of permissions. Possible roles are:

(% class="responsive-table" %)
(% class="active" %)|=(% style="width: 120px;" %)(((
Project Role
)))|=(% style="width: 864px;" %)(((
Description
)))
|(% style="width:120px" %)(((
Admin
)))|(% style="width:864px" %)(((
Full access, including potentially dangerous operations like deleting content in the Project. Can administer Project Members and Roles.
)))
|(% style="width:120px" %)(((
Master
)))|(% style="width:864px" %)Elevated write access, excluding potentially dangerous operations which can lead to massive data loss or other irreversible changes.
|(% style="width:120px" %)(((
Developer
)))|(% style="width:864px" %)(((
General read-write access to contribute to the Project.
)))
|(% style="width:120px" %)(((
Viewer
)))|(% style="width:864px" %)(((
Read-only access to all data in the Project that is not security-relevant.
)))

Currently, the role assignment applies to all tools within a project.

{{info}}
Note:
To ensure the integrity of the applications in the context of the managed service, no customer user is allowed to get system admin permissions for the tools. The maximum permission level for a customer user is the "Project Admin" role as described here.
{{/info}}

= User Permissions in DevOps Portal =

|=(((
Role Type
)))|=(% colspan="3" rowspan="1" %)(((
Portal Role
)))|=(% rowspan="23" %) |=(% colspan="4" %)(((
Project Role
)))
|(((
**Role Name**
)))|(((
**User**
)))|(((
**Admin**
)))|(((
**Creator**
)))|(((
**Viewer**
)))|(((
**Developer**
)))|(((
**Master**
)))|(((
**Admin**
)))
|Login to DevOps Portal|✅|✅|✅|✅|✅|✅|✅
|Logout from DevOps Portal|✅|✅|✅|✅|✅|✅|✅
|Change my password|✅|✅|✅|✅|✅|✅|✅
|Reset forgotten password|✅|✅|✅|✅|✅|✅|✅
|Display list of users|✅|✅|✅|✅|✅|✅|✅
|Search for user|✅|✅|✅|✅|✅|✅|✅
|Add or remove "Corporate Admin" role to user|❌|✅|❌|❌|❌|❌|❌
|Create User|❌|✅|✅|❌|❌|❌|❌
|Delete User|❌|✅|❌|❌|❌|❌|❌
|Lock User|❌|✅|❌|❌|❌|❌|❌
|Unlock User|❌|✅|❌|❌|❌|❌|❌
|Send invitation mail for first login|❌|✅|❌|❌|❌|❌|❌
|Display list of projects|❌|✅|❌|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects
|Search for project|❌|✅|❌|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects
|Create project|❌|✅|✅|❌|❌|❌|❌
|Delete project|❌|✅|❌|❌|❌|❌|❌
|Retire project|❌|✅|❌|❌|❌|❌|⚠ Only his projects
|Reactivate project|❌|✅|❌|❌|❌|❌|⚠ Only his projects
|Add User to Project|❌|✅|❌|❌|❌|❌|⚠ Only his projects
|Remove User from Project|❌|✅|❌|❌|❌|❌|⚠ Only his projects
|Display used storage by project/tool or total|❌|✅|❌|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects
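The role model and the permission matrix above can be written down as a small policy check, which is a useful way to catch inconsistencies before they reach a tool. The following Python is an added example and not code from the DevOps Portal: it models the two invariants from the Role Model section (a member holds exactly one Project Role; the last portal Admin cannot remove himself) and a handful of matrix rows, including the "Only his projects" scoping. All class and function names are my own, and the users and the project key are constructed sample data.

```python
"""Portal role model as a policy check: exactly one Project Role per member,
last-Admin protection, and a subset of the portal permission matrix.
Added example; not DevOps Portal code. Names and sample data are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class PortalRole(Enum):
    USER = "User"
    CREATOR = "Creator"
    ADMIN = "Admin"


class ProjectRole(Enum):
    VIEWER = "Viewer"
    DEVELOPER = "Developer"
    MASTER = "Master"
    ADMIN = "Admin"


@dataclass
class User:
    name: str
    portal_role: PortalRole = PortalRole.USER


@dataclass
class Project:
    key: str
    members: dict = field(default_factory=dict)  # username -> ProjectRole

    def assign(self, user: User, role: ProjectRole) -> None:
        # A dict keyed by username guarantees "exactly one role": assigning again
        # replaces the previous role instead of adding a second one.
        self.members[user.name] = role


class Directory:
    """Portal users, with the rule that the last Admin cannot remove himself."""

    def __init__(self) -> None:
        self.users: dict = {}

    def add(self, user: User) -> None:
        self.users[user.name] = user

    def remove_user(self, actor: User, target: User) -> None:
        if actor.portal_role is not PortalRole.ADMIN:
            raise PermissionError("only portal Admins may delete users")
        admins = [u for u in self.users.values() if u.portal_role is PortalRole.ADMIN]
        if actor is target and len(admins) == 1:
            raise PermissionError("the last Admin cannot remove himself")
        del self.users[target.name]


# Matrix rows granted by Portal Role alone (the portal Admin column is handled in can()).
UNSCOPED = {
    "create_user": {PortalRole.CREATOR},
    "delete_user": set(),
    "create_project": {PortalRole.CREATOR},
    "delete_project": set(),
}
# Matrix rows marked "Only his projects": granted by the actor's Project Role in that project.
SCOPED = {
    "list_projects": set(ProjectRole),
    "retire_project": {ProjectRole.ADMIN},
    "add_member": {ProjectRole.ADMIN},
}


def can(actor: User, action: str, project: Project | None = None) -> bool:
    if actor.portal_role is PortalRole.ADMIN:
        return True  # the portal Admin column is a tick in every row
    if action in UNSCOPED:
        return actor.portal_role in UNSCOPED[action]
    if action in SCOPED and project is not None:
        role = project.members.get(actor.name)
        return role is not None and role in SCOPED[action]
    return False  # deny by default: unknown action or no project context


def demo() -> dict:
    directory = Directory()
    root = User("root", PortalRole.ADMIN)
    alice = User("alice", PortalRole.CREATOR)
    bob = User("bob")  # plain User
    for u in (root, alice, bob):
        directory.add(u)
    pay = Project("PAY")  # constructed project key
    pay.assign(alice, ProjectRole.ADMIN)    # a Creator becomes Admin of the project he creates
    pay.assign(bob, ProjectRole.VIEWER)
    pay.assign(bob, ProjectRole.DEVELOPER)  # replaces Viewer; bob still has exactly one role
    results = {
        "pay_roles": {name: role.value for name, role in pay.members.items()},
        "bob_lists_pay": can(bob, "list_projects", pay),
        "bob_lists_other": can(bob, "list_projects", Project("OTHER")),
        "alice_retires_pay": can(alice, "retire_project", pay),
        "alice_creates_project": can(alice, "create_project"),
        "alice_deletes_project": can(alice, "delete_project"),
    }
    try:
        directory.remove_user(root, root)
        results["last_admin_removed"] = True
    except PermissionError:
        results["last_admin_removed"] = False
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The deny-by-default branch in `can()` is deliberate: an action that is not in either table, or a scoped action asked without a project, is refused rather than silently allowed, which is the behaviour you want when the matrix on this page grows a row that the code does not yet know about.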

= JIRA Project Roles / Permission Scheme =

In JIRA the Project Roles are first added under Security / Project Roles and then get their Permissions assigned in the SDCloud Permission Scheme, which later has to be associated with the Jira Projects.

|=(((
Permission / Role
)))|=(((
Admin
)))|=(((
Master
)))|=(((
Developer
)))|=(((
Viewer
)))
|=(% colspan="1" %)(((
Project Permissions
)))|(% colspan="1" %)(((

)))|(% colspan="1" %)(((

)))|(% colspan="1" %)(((

)))|(% colspan="1" %)(((

)))
|Administer projects (with Extended project administration enabled)|✅|❌|❌|❌
|Browse projects|✅|✅|✅|✅
|Manage sprints|✅|✅|❌|❌
|Service Desk Agent|✅|✅|✅|❌
|View development tool|✅|✅|✅|✅
|View (read-only) workflow|✅|✅|✅|✅
|=Issue Permissions| | | |
|Assign issues|✅|✅|✅|❌
|Assignable user|✅|✅|✅|❌
|Close issues|✅|✅|❌|❌
|Create issues|✅|✅|✅|❌
|Delete issues|✅|❌|❌|❌
|Edit issues|✅|✅|✅|❌
|Link issues|✅|✅|✅|❌
|Modify reporter|✅|✅|❌|❌
|Move issues|✅|✅|❌|❌
|Resolve issues|✅|✅|✅|❌
|Schedule issues|✅|✅|❌|❌
|Set issue security|✅|❌|❌|❌
|Transition issues|✅|✅|✅|❌
|=(% colspan="1" %)Voters & watchers permissions|(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %)
|Manage watcher list|✅|✅|❌|❌
|View voters and watchers|✅|✅|✅|❌
|=(% colspan="1" %)Comments permissions|(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %)
|Add comments|✅|✅|✅|❌
|Delete all comments|✅|❌|❌|❌
|Delete own comments|✅|✅|✅|❌
|Edit all comments|✅|❌|❌|❌
|Edit own comments|✅|✅|✅|❌
|=(% colspan="1" %)Attachments permissions|(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %)
|Create attachments|✅|✅|✅|❌
|Delete all attachments|✅|❌|❌|❌
|Delete own attachments|✅|✅|✅|❌
|=(% colspan="1" %)Time-tracking Permissions|(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %) |(% colspan="1" %)
|Work on issues|✅|✅|✅|❌
|Delete all worklogs|✅|❌|❌|❌
|Delete own worklogs|✅|✅|✅|❌
|Edit all worklogs|✅|❌|❌|❌
|Edit own worklogs|✅|✅|✅|❌

* Service Desk Agent is only available if the Service Desk software was added to JIRA.

= Confluence Project Roles =

See vendor documentation for the exact meaning: [[https:~~/~~/confluence.atlassian.com/doc/space-permissions-overview-139521.html>>url:https://confluence.atlassian.com/doc/space-permissions-overview-139521.html]].

|=(((
Space
)))|=(% colspan="2" %)(((
All
)))|=(% colspan="2" %)(((
Pages
)))|=(% colspan="2" %)(((
Blog
)))|=(% colspan="2" %)(((
Attachments
)))|=(% colspan="2" %)(((
Comments
)))|=(((
Restrictions
)))|=(((
Mail
)))|=(% colspan="2" %)(((
Space
)))
|=(% colspan="1" %)Role/Operation|(% colspan="1" %)View|(% colspan="1" %)Delete Own|(% colspan="1" %)Add|(% colspan="1" %)Delete|(% colspan="1" %)Add|(% colspan="1" %)Delete|(% colspan="1" %)Add|(% colspan="1" %)Delete|(% colspan="1" %)Add|(% colspan="1" %)Delete|(% colspan="1" %)Add/Delete|(% colspan="1" %)Delete|(% colspan="1" %)Export|(% colspan="1" %)Admin
|=Admin|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅
|=Master|✅|✅|✅|❌|✅|❌|✅|❌|✅|✅|✅|❌|✅|❌
|=Developer|✅|✅|✅|❌|❌|❌|✅|❌|✅|❌|❌|❌|❌|❌
|=Viewer|✅|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌

= Bitbucket Project Roles =

|=(((

)))|=(((
Browse
)))|=(((
Clone / Pull
)))|=(% colspan="1" %)(((
Create, browse, comment on pull request
)))|=(% colspan="1" %)(((
Merge pull request
)))|=(% colspan="1" %)(((
Push
)))|=(% colspan="1" %)(((
Create repositories
)))|=(% colspan="1" %)(((
Edit settings / permissions
)))
|Admin|✅|✅|✅|✅|✅|✅|✅
|Master|✅|✅|✅|✅|✅|✅|❌
|Developer|✅|✅|✅|✅|✅|❌|❌
|Viewer|✅|✅|✅|❌|❌|❌|❌

//Repository permissions are inherited from project permissions.//

= Jenkins Project Roles =

|=(% colspan="1" %)(((
Permission
)))|=(((
Role
)))|=(((
Admin
)))|=(((
Master
)))|=(((
Developer
)))|=(((
Viewer
)))|=(% colspan="1" %)(((
Authenticated Users
)))|=(% colspan="1" %)(((
Anonymous Users
)))|=(% colspan="1" %)(((
Prometheus Tech User
)))
|=(% rowspan="5" %)Credentials|Create|✅|✅|❌|❌|❌|❌|❌
|Delete|✅|❌|❌|❌|❌|❌|❌
|Manage Domains|✅|❌|❌|❌|❌|❌|❌
|Update|✅|✅|❌|❌|❌|❌|❌
|View|✅|✅|✅|❌|❌|❌|❌
|=(% rowspan="10" %)Job|Build|✅|✅|✅|❌|❌|❌|❌
|Cancel|✅|✅|❌|❌|❌|❌|❌
|Configure|✅|✅|❌|❌|❌|❌|❌
|Create|✅|✅|❌|❌|❌|❌|❌
|Delete|✅|❌|❌|❌|❌|❌|❌
|Discover|✅|✅|✅|✅|❌|❌|❌
|ExtendedRead| | | | | | |
|Move|✅|❌|❌|❌|❌|❌|❌
|Read|✅|✅|✅|✅|❌|❌|❌
|Workspace|✅|✅|✅|❌|❌|❌|❌
|=(% rowspan="3" %)Run|Delete|✅|❌|❌|❌|❌|❌|❌
|Replay|✅|✅|✅|❌|❌|❌|❌
|Update|✅|✅|✅|❌|❌|❌|❌
|=Job Config History|DeleteEntry| | | | | | |
|=SCM|Tag|✅|✅|❌|❌|❌|❌|❌
|=(% rowspan="3" %)Metrics|HealthCheck| | | | | | |
|ThreadDump| | | | | | |
|View| | | | | | |

= GitLab =

Users are assigned to Groups in GitLab with the following role mapping. Permissions are inherited by subordinate Subgroups and GitLab Projects.

|=(((
Project Role
)))|=(((
GitLab Group Members Permission
)))
|(((
Viewer
)))|(((
Reporter
)))
|(((
Developer
)))|(((
Developer
)))
|(% colspan="1" %)(((
Master
)))|(% colspan="1" %)(((
Maintainer
)))
|(% colspan="1" %)(((
Admin
)))|(% colspan="1" %)(((
Owner
)))

For the meaning of the GitLab group member permissions, see [[https:~~/~~/docs.gitlab.com/ee/user/permissions.html#group-members-permissions>>url:https://docs.gitlab.com/ee/user/permissions.html#group-members-permissions]].

= Harbor Project Roles =

Harbor manages images through projects. You provide access to these images to users by including the users in projects and assigning one of the following roles to them:

|=(% colspan="2" %)(((
Harbor
)))|=(((
Portal
)))
|=Role Name|=Role Id|=Project Role
|Project Admin|1|ADMIN
|Maintainer|4|MASTER
|Developer|2|DEVELOPER
|Guest|3|VIEWER

=== Harbor Roles Permissions ===

|=(((
Action
)))|=(((
Limited Guest
)))|=(((
Guest
)))|=(((
Developer
)))|=(((
Maintainer
)))|=(((
Project Admin
)))
|See the project configurations|✅|✅|✅|✅|✅
|Edit the project configurations|❌|❌|❌|❌|✅
|See a list of project members| |✅|✅|✅|✅
|Create/edit/delete project members|❌|❌|❌|❌|✅
|See a list of project logs|✅|✅|✅|✅|❌
|See a list of project replications|❌|❌|❌|✅|✅
|See a list of project replication jobs|❌|❌|❌|❌|✅
|See a list of project labels|❌|❌|❌|✅|✅
|Create/edit/delete project labels|❌|❌|❌|✅|✅
|See a list of repositories|✅|✅|✅|✅|✅
|Create repositories|❌|❌|✅|✅|✅
|Edit/delete repositories|❌|❌|❌|✅|✅
|See a list of images|✅|✅|✅|✅|✅
|Retag image|❌|✅|✅|✅|✅
|Pull image|✅|✅|✅|✅|✅
|Push image|❌|❌|✅|✅|✅
|Scan/delete image|❌|❌|❌|✅|✅
|Add scanners to Harbor *|❌|❌|❌|❌|❌
|Edit scanners in projects|❌|❌|❌|❌|✅
|See a list of image vulnerabilities|✅|✅|✅|✅|✅
|Create list of project vulnerabilities|❌|❌|✅|✅|✅
|Read list of project vulnerabilities|❌|❌|✅|✅|✅
|Export list of project vulnerabilities|❌|❌|✅|✅|✅
|See image build history|✅|✅|✅|✅|✅
|Add/Remove labels of image|❌|❌|✅|✅|✅
|See a list of helm charts|✅|✅|✅|✅|✅
|Download helm charts|✅|✅|✅|✅|✅
|Upload helm charts|❌|❌|✅|✅|✅
|Delete helm charts|❌|❌|❌|✅|✅
|See a list of helm chart versions|✅|✅|✅|✅|✅
|Download helm chart versions|✅|✅|✅|✅|✅
|Upload helm chart versions|❌|❌|✅|✅|✅
|Delete helm chart versions|❌|❌|❌|✅|✅
|Add/Remove labels of helm chart version|❌|❌|✅|✅|✅
|See a list of project robots|❌|❌|❌|✅|✅
|Create/edit/delete project robots|❌|❌|❌|❌|✅
|See configured CVE allowlist|✅|✅|✅|✅|✅
|Create/edit/remove CVE allowlist|❌|❌|❌|❌|✅
|View webhook events|❌|❌|❌|✅|✅
|Add new webhook events|❌|❌|❌|❌|✅
|Enable/deactivate webhooks|❌|❌|❌|❌|✅
|Create/delete tag retention rules|❌|❌|✅|✅|✅
|Enable/deactivate tag retention rules|❌|❌|✅|✅|✅
|Create/delete tag immutability rules|❌|❌|❌|✅|✅
|Enable/deactivate tag immutability rules|❌|❌|❌|✅|✅
|See project quotas|✅|✅|✅|✅|✅
|Edit project quotas *|❌|❌|❌|❌|❌
|Delete Project|❌|❌|❌|❌|✅

~* Only the Harbor system administrator can edit project quotas and add new scanners.
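The Harbor mapping table is the kind of data that drifts: a member whose Harbor role was raised by hand from Developer to Maintainer gains "Scan/delete image" and "Edit/delete repositories" without the portal knowing. The Python below is an added example, not Harbor's or the DevOps Portal's code. It translates a Portal Project Role to the Harbor role id from the table, builds the body for adding a member, and compares the portal's member list with Harbor's to report extra, missing and mismatched memberships. The request-body and member-list field names (`role_id`, `member_user`, `entity_name`) follow Harbor's v2 API as I know it and are assumptions here; the member lists are constructed sample data and nothing is sent to a Harbor instance.

```python
"""Portal Project Role -> Harbor role id mapping and a drift check between the two.
Added example; not Harbor or DevOps Portal code. Sample members are constructed."""

# Role ids from the Harbor/Portal mapping table on this page.
HARBOR_ROLE_ID = {"ADMIN": 1, "MASTER": 4, "DEVELOPER": 2, "VIEWER": 3}
HARBOR_ROLE_NAME = {1: "Project Admin", 4: "Maintainer", 2: "Developer", 3: "Guest"}


def harbor_role_id(project_role: str) -> int:
    """Translate a portal Project Role (case-insensitive) to the Harbor role id."""
    try:
        return HARBOR_ROLE_ID[project_role.upper()]
    except KeyError:
        raise ValueError(f"no Harbor role for portal Project Role {project_role!r}") from None


def member_payload(username: str, project_role: str) -> dict:
    """Request body for adding a project member. Field names follow Harbor's v2 API
    (POST /api/v2.0/projects/{name_or_id}/members) as assumed here; this example
    only builds the body and never calls Harbor."""
    return {"role_id": harbor_role_id(project_role), "member_user": {"username": username}}


def find_drift(portal_members: dict, harbor_members: list) -> list:
    """Compare the portal's view ({username: Project Role}) with Harbor's member list
    ([{"entity_name": ..., "role_id": ...}, ...]; field names assumed from Harbor's
    API). Returns sorted (kind, username, harbor_role_id) tuples for members that are
    extra in Harbor, missing from Harbor, or hold a role other than the mapped one."""
    findings = []
    seen = set()
    for member in harbor_members:
        name, rid = member["entity_name"], member["role_id"]
        seen.add(name)
        if name not in portal_members:
            findings.append(("extra", name, rid))
        elif harbor_role_id(portal_members[name]) != rid:
            findings.append(("mismatch", name, rid))
    for name in portal_members.keys() - seen:
        findings.append(("missing", name, None))
    return sorted(findings)


def describe(finding: tuple) -> str:
    """Human-readable line for one finding."""
    kind, name, rid = finding
    role = HARBOR_ROLE_NAME.get(rid, f"role_id {rid}")
    return {
        "extra": f"{name} is {role} in Harbor but not a portal member",
        "missing": f"{name} is a portal member but has no Harbor membership",
        "mismatch": f"{name} is {role} in Harbor, which does not match the portal role",
    }[kind]


# Constructed sample data: the portal says bob is a Developer, but Harbor has him as
# Maintainer (role_id 4), which per the permissions table lets him delete images.
PORTAL_MEMBERS = {"alice": "ADMIN", "bob": "DEVELOPER", "carol": "VIEWER"}
HARBOR_MEMBERS = [
    {"entity_name": "alice", "role_id": 1},
    {"entity_name": "bob", "role_id": 4},
    {"entity_name": "dave", "role_id": 3},
]


def demo() -> list:
    return find_drift(PORTAL_MEMBERS, HARBOR_MEMBERS)


if __name__ == "__main__":
    for finding in demo():
        print(describe(finding))
```

Run periodically against the real member list, the "mismatch" and "extra" findings are the ones to alert on: both mean a Harbor permission exists that the portal never granted.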

= Gitea =

Please note that some terms used in DevOps-as-a-Service have different names in Gitea. Check the following table to avoid confusion.

|=(((
DevOps Portal
)))|=(((
Gitea
)))
|(((
Project
)))|(((
Organization
)))
|(((
Project Role
)))|(((
Team
)))
|(((
Git Repository
)))|(((
Repository
)))
|(((
Artifact Repository
)))|(((
Package
)))
|(((
Issue Tracking
)))|(((
Project (currently disabled)
)))

The **Owner** team has full admin permission in the Organization. This is a technical user used by the DevOps Portal for auto-provisioning.

|=(((
Gitea Role
)))|=(((
Portal Project Role
)))|=Permissions
|(((
Viewer
)))|Viewer|Read
|(((
Developer
)))|(((
Developer
)))|Read, Write
|(% colspan="1" %)(((
Master
)))|(% colspan="1" %)Master|Read, Write
|(% colspan="1" %)Admin|(% colspan="1" %)Admin|Read, Write, Repository create

= Nexus Project Roles =

For each role in a project, a role in Nexus is created which includes one Privilege for each repository in the project.

|=(((
Role
)))|=(((
Admin
)))|=(((
Master
)))|=(((
Developer
)))|=(((
Viewer
)))
|(((
ID
)))|(((
PROJECTKEY-admin
)))|(((
PROJECTKEY-master
)))|(((
PROJECTKEY-developer
)))|(((
PROJECTKEY-viewer
)))
|(((
Name
)))|(((
PROJECTKEY-admin
)))|(((
PROJECTKEY-master
)))|(((
PROJECTKEY-developer
)))|(((
PROJECTKEY-viewer
)))
|(((
Privilege
)))|(((
PROJECTKEY-docker-admin

PROJECTKEY-maven-admin

PROJECTKEY-//repotype//-admin
)))|(((
PROJECTKEY-docker-master

PROJECTKEY-maven-master

PROJECTKEY-//repotype//-master
)))|(((
PROJECTKEY-docker-developer

PROJECTKEY-maven-developer

PROJECTKEY-//repotype//-developer
)))|(((
PROJECTKEY-docker-viewer

PROJECTKEY-maven-viewer

PROJECTKEY-//repotype//-viewer
)))

For each role in a project, a **Privilege of type Repository Content Selector** is created which combines the Content Selector (Project), the Repository (Docker Registry) and the Actions depending on the role.

|=(((
Privilege / Role
)))|=(((
Admin
)))|=(((
Master
)))|=(((
Developer
)))|=(((
Viewer
)))
|(((
Name
)))|(((
PROJECTKEY-docker-admin
)))|(((
PROJECTKEY-docker-master
)))|(((
PROJECTKEY-docker-developer
)))|(((
PROJECTKEY-docker-viewer
)))
|(((
Content Selector
)))|(((
PROJECTKEY-docker
)))|(((
PROJECTKEY-docker
)))|(((
PROJECTKEY-docker
)))|(((
PROJECTKEY-docker
)))
|(((
Repository
)))|(((
docker-registry
)))|(((
docker-registry
)))|(((
docker-registry
)))|(((
docker-registry
)))
|(((
Actions
)))|(((
delete, add, edit, browse, read
)))|(((
add, edit, browse, read
)))|(((
add, edit, browse, read
)))|(((
browse, read
)))

See [[https:~~/~~/help.sonatype.com/repomanager3/security/privileges>>url:https://help.sonatype.com/repomanager3/nexus-repository-administration/access-control/privileges]] for available Actions.
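The two Nexus tables describe a naming scheme and an action set per role, which is exactly what a provisioning step has to generate and what an audit has to verify. The Python below is an added example, not the DevOps Portal's provisioning code: it derives the four roles and the Repository Content Selector privileges for a project key from the rules on this page (role `PROJECTKEY-role`, privilege `PROJECTKEY-repotype-role`, content selector `PROJECTKEY-repotype`, the `docker-registry` repository and the per-role action lists from the Actions row) and adds a least-privilege check that only the `-admin` privileges carry `delete`. The function names and the `DEMO` project key are mine; the `type` field value is an assumption, since the page only gives the privilege type in prose.

```python
"""Derive the Nexus roles and Repository Content Selector privileges described on
this page for one project key. Added example; not the DevOps Portal's provisioning
code. Function names and the DEMO project key are constructed."""

# Actions per Project Role, from the "Actions" row of the privilege table.
ACTIONS = {
    "admin": ["delete", "add", "edit", "browse", "read"],
    "master": ["add", "edit", "browse", "read"],
    "developer": ["add", "edit", "browse", "read"],
    "viewer": ["browse", "read"],
}


def role_id(project_key: str, role: str) -> str:
    """Nexus role ID, which the page also uses as the role name (e.g. PROJECTKEY-admin)."""
    return f"{project_key}-{role}"


def privilege_name(project_key: str, repotype: str, role: str) -> str:
    """Privilege name per the table, e.g. PROJECTKEY-docker-viewer."""
    return f"{project_key}-{repotype}-{role}"


def content_selector_privilege(project_key: str, repotype: str, repository: str, role: str) -> dict:
    """One Privilege of type Repository Content Selector: the Name, Content Selector,
    Repository and Actions rows of the table as a dict. The 'type' value is assumed."""
    if role not in ACTIONS:
        raise ValueError(f"unknown Project Role {role!r}")
    return {
        "type": "repository-content-selector",
        "name": privilege_name(project_key, repotype, role),
        "contentSelector": f"{project_key}-{repotype}",
        "repository": repository,
        "actions": list(ACTIONS[role]),
    }


def nexus_role(project_key: str, role: str, repositories: dict) -> dict:
    """The Nexus role for one Project Role, holding one privilege per repository type.
    repositories maps repotype -> Nexus repository name, e.g. {"docker": "docker-registry"}."""
    return {
        "id": role_id(project_key, role),
        "name": role_id(project_key, role),
        "privileges": [privilege_name(project_key, rt, role) for rt in sorted(repositories)],
    }


def provision(project_key: str, repositories: dict) -> tuple:
    """Everything the page says is created per project: four roles and one
    content-selector privilege per (repository type, role). Returns (roles, privileges),
    both keyed by name."""
    roles = {role: nexus_role(project_key, role, repositories) for role in ACTIONS}
    privileges = {}
    for role in ACTIONS:
        for repotype, repository in repositories.items():
            priv = content_selector_privilege(project_key, repotype, repository, role)
            privileges[priv["name"]] = priv
    return roles, privileges


def delete_outside_admin(privileges: dict) -> list:
    """Least-privilege check: per the table only the *-admin privileges carry 'delete'.
    Returns the names of privileges that violate this (empty when all is well)."""
    return sorted(name for name, priv in privileges.items()
                  if "delete" in priv["actions"] and not name.endswith("-admin"))


if __name__ == "__main__":
    demo_roles, demo_privs = provision("DEMO", {"docker": "docker-registry"})
    for name in sorted(demo_privs):
        print(name, demo_privs[name]["actions"])
    print("violations:", delete_outside_admin(demo_privs))
```

`delete_outside_admin()` is the piece worth keeping around after provisioning: fed with the privileges actually present in Nexus, it flags any `-master`, `-developer` or `-viewer` privilege that has acquired `delete`, which is the one action the page reserves for Admin because it is not reversible.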