Wiki source code of Users and roles

Last modified by Boris Folgmann on 2026/05/20 13:16

{{toc depth="1"/}}

= Role Model =

== Portal Roles ==

Inside the DevOps Portal users have exactly one defined role out of three.

(% class="active" %)|=(% style="width: 124px;" %)Portal Role|=(% style="width: 861px;" %)Description
|(% style="width:124px" %)Admin|(% style="width:861px" %)Admins have full access. They can //create//, //edit// and //delete// all kinds of entities, like users, projects, organizations, technical users and roles. Therefore, they can also add additional Admins who have the same privileges. The last Admin cannot remove himself.
|(% style="width:124px" %)Creator|(% style="width:861px" %)Creators can //create// all kinds of entities like users, projects, organizations and technical users. When a Creator creates a new project he is automatically assigned the Admin role in that project, which allows him to add more members.
|(% style="width:124px" %)User|(% style="width:861px" %)All other users are simply called Users. They can be assigned any role in projects.

(% class="wikigeneratedid" %)
The permissions of these roles are documented at [[DevOps Portal for Users>>DevOps Portal for Users.WebHome]], [[DevOps Portal for Creators>>DevOps Portal for Creators.WebHome]], and [[DevOps Portal for Admins>>DevOps Portal for Admins.WebHome]].

== Project Roles ==

Each user who is a member of a project has to be in //exactly one// Project Role. Therefore it is not possible to have no role or multiple roles in a project.

Different roles have different sets of permissions. Possible roles are:

(% class="responsive-table" %)
(% class="active" %)|=(% style="width: 120px;" %)Project Role|=(% style="width: 864px;" %)Description
|(% style="width:120px" %)Admin|(% style="width:864px" %)Full access, even to potentially dangerous operations like deleting content in the Project. Can administer Project Members and Roles.
|(% style="width:120px" %)Master|(% style="width:864px" %)Elevated write access, excluding potentially dangerous operations which can lead to massive data loss or other irreversible changes.
|(% style="width:120px" %)Developer|(% style="width:864px" %)General read-write access to contribute to the Project.
|(% style="width:120px" %)Viewer|(% style="width:864px" %)Read-only access to all data in the Project that is not security-relevant.

Currently, the role assignment is applied to all tools within one project.

{{info}}
Note:
To ensure the integrity of the applications in the context of the managed service, no customer user is allowed to get system admin permissions for the tools. The maximum permission for a customer user is the "Project Admin" role as described here.
{{/info}}
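The role rules stated above (one Portal Role per user, exactly one Project Role per member, Creators becoming Project Admin of what they create, the last Admin not being able to remove himself, non-Admins seeing only their own projects) can be checked mechanically. The following Python model is an added example, not the portal's own code; the class and method names are assumptions.

```python
# Toy model of the DevOps Portal role rules (added example, not the portal's
# own code). It enforces: one Portal Role per user; exactly one Project Role per
# member (re-assigning replaces); a Creator becomes Project Admin of the project
# he creates; members are managed by Portal Admins or that project's Admin; and
# the last Portal Admin cannot remove himself.
from dataclasses import dataclass, field

PORTAL_ROLES = {"Admin", "Creator", "User"}
PROJECT_ROLES = {"Admin", "Master", "Developer", "Viewer"}


@dataclass
class Portal:
    portal_role: dict = field(default_factory=dict)  # user -> Portal Role
    projects: dict = field(default_factory=dict)     # key -> {user: Project Role}

    def add_user(self, user, role="User"):
        if role not in PORTAL_ROLES:
            raise ValueError(f"unknown portal role {role!r}")
        self.portal_role[user] = role  # one dict entry: exactly one role per user

    def create_project(self, actor, key):
        if self.portal_role.get(actor) not in {"Admin", "Creator"}:
            raise PermissionError(f"{actor} may not create projects")
        self.projects[key] = {}
        if self.portal_role[actor] == "Creator":
            self.projects[key][actor] = "Admin"  # auto-assigned Project Admin

    def assign_project_role(self, actor, key, user, role):
        members = self.projects[key]
        if role not in PROJECT_ROLES:
            raise ValueError(f"unknown project role {role!r}")
        if self.portal_role.get(actor) != "Admin" and members.get(actor) != "Admin":
            raise PermissionError(f"{actor} may not manage members of {key}")
        members[user] = role  # replaces any previous role: never none, never two

    def remove_portal_admin(self, actor, target):
        if self.portal_role.get(actor) != "Admin":
            raise PermissionError("only Portal Admins manage the Admin role")
        admins = [u for u, r in self.portal_role.items() if r == "Admin"]
        if actor == target and admins == [target]:
            raise PermissionError("the last Admin cannot remove himself")
        self.portal_role[target] = "User"

    def visible_projects(self, user):
        """Portal Admins see every project; everyone else only his own."""
        if self.portal_role.get(user) == "Admin":
            return set(self.projects)
        return {k for k, m in self.projects.items() if user in m}
```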
60
= User Permissions in DevOps Portal =

|=Role Type|=(% colspan="3" rowspan="1" %)Portal Role|=(% rowspan="23" %) |=(% colspan="4" %)Project Role
|**Role Name**|**User**|**Admin**|**Creator**|**Viewer**|**Developer**|**Master**|**Admin**
|Login to DevOps Portal|✅|✅|✅|✅|✅|✅|✅
|Logout from DevOps Portal|✅|✅|✅|✅|✅|✅|✅
|Change my password|✅|✅|✅|✅|✅|✅|✅
|Reset forgotten password|✅|✅|✅|✅|✅|✅|✅
|Display list of users|✅|✅|✅|✅|✅|✅|✅
|Search for user|✅|✅|✅|✅|✅|✅|✅
|Add or remove "Corporate Admin" role for user|❌|✅|❌|❌|❌|❌|❌
|Create User|❌|✅|✅|❌|❌|❌|❌
|Delete User|❌|✅|❌|❌|❌|❌|❌
|Lock User|❌|✅|❌|❌|❌|❌|❌
|Unlock User|❌|✅|❌|❌|❌|❌|❌
|Send invitation mail for first login|❌|✅|❌|❌|❌|❌|❌
|Display list of projects|❌|✅|❌|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects
|Search for project|❌|✅|❌|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects
|Create project|❌|✅|✅|❌|❌|❌|❌
|Delete project|❌|✅|❌|❌|❌|❌|❌
|Retire project|❌|✅|❌|❌|❌|❌|⚠ Only his projects
|Reactivate project|❌|✅|❌|❌|❌|❌|⚠ Only his projects
|Add User to Project|❌|✅|❌|❌|❌|❌|⚠ Only his projects
|Remove User from Project|❌|✅|❌|❌|❌|❌|⚠ Only his projects
|Display used storage by project/tool or total|❌|✅|❌|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects|⚠ Only his projects

= JIRA Project Roles / Permission Scheme =

In JIRA the Project Roles are first added under Security / Project Roles; they then get their Permissions assigned in the SDCloud Permission Scheme, which has to be associated later with the Jira Projects.

|=Permission / Role|=Admin|=Master|=Developer|=Viewer
|=Project Permissions| | | |
|Administer projects (Extended project administration enabled)|✅|❌|❌|❌
|Browse projects|✅|✅|✅|✅
|Manage sprints|✅|✅|❌|❌
|Service Desk Agent|✅|✅|✅|❌
|View development tool|✅|✅|✅|✅
|View (read-only) workflow|✅|✅|✅|✅
|=Issue Permissions| | | |
|Assign issues|✅|✅|✅|❌
|Assignable user|✅|✅|✅|❌
|Close issues|✅|✅|❌|❌
|Create issues|✅|✅|✅|❌
|Delete issues|✅|❌|❌|❌
|Edit issues|✅|✅|✅|❌
|Link issues|✅|✅|✅|❌
|Modify reporter|✅|✅|❌|❌
|Move issues|✅|✅|❌|❌
|Resolve issues|✅|✅|✅|❌
|Schedule issues|✅|✅|❌|❌
|Set issue security|✅|❌|❌|❌
|Transition issues|✅|✅|✅|❌
|=Voters & watchers permissions| | | |
|Manage watcher list|✅|✅|❌|❌
|View voters and watchers|✅|✅|✅|❌
|=Comments permissions| | | |
|Add comments|✅|✅|✅|❌
|Delete all comments|✅|❌|❌|❌
|Delete own comments|✅|✅|✅|❌
|Edit all comments|✅|❌|❌|❌
|Edit own comments|✅|✅|✅|❌
|=Attachments permissions| | | |
|Create attachments|✅|✅|✅|❌
|Delete all attachments|✅|❌|❌|❌
|Delete own attachments|✅|✅|✅|❌
|=Time-tracking permissions| | | |
|Work on issues|✅|✅|✅|❌
|Delete all worklogs|✅|❌|❌|❌
|Delete own worklogs|✅|✅|✅|❌
|Edit all worklogs|✅|❌|❌|❌
|Edit own worklogs|✅|✅|✅|❌

* Service Desk Agent is only available if the Service Desk software was added to JIRA.

= Confluence Project Roles =

See the vendor documentation for the exact meaning: [[https:~~/~~/confluence.atlassian.com/doc/space-permissions-overview-139521.html>>url:https://confluence.atlassian.com/doc/space-permissions-overview-139521.html]].

|=Space|=(% colspan="2" %)All|=(% colspan="2" %)Pages|=(% colspan="2" %)Blog|=(% colspan="2" %)Attachments|=(% colspan="2" %)Comments|=Restrictions|=Mail|=(% colspan="2" %)Space
|=Role/Operation|View|Delete Own|Add|Delete|Add|Delete|Add|Delete|Add|Delete|Add/Delete|Delete|Export|Admin
|=Admin|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅|✅
|=Master|✅|✅|✅|❌|✅|❌|✅|❌|✅|✅|✅|❌|✅|❌
|=Developer|✅|✅|✅|❌|❌|❌|✅|❌|✅|❌|❌|❌|❌|❌
|=Viewer|✅|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌|❌

= Bitbucket Project Roles =

|=Role|=Browse|=Clone / Pull|=Create, browse, comment on pull request|=Merge pull request|=Push|=Create repositories|=Edit settings / permissions
|Admin|✅|✅|✅|✅|✅|✅|✅
|Master|✅|✅|✅|✅|✅|✅|❌
|Developer|✅|✅|✅|✅|✅|❌|❌
|Viewer|✅|✅|✅|❌|❌|❌|❌

//Repository permissions are inherited from project permissions.//

= Jenkins Project Roles =

|=Permission Group|=Permission|=Admin|=Master|=Developer|=Viewer|=Authenticated Users|=Anonymous Users|=Prometheus Tech User
|=(% rowspan="5" %)Credentials|Create|✅|✅|❌|❌|❌|❌|❌
|Delete|✅|❌|❌|❌|❌|❌|❌
|Manage Domains|✅|❌|❌|❌|❌|❌|❌
|Update|✅|✅|❌|❌|❌|❌|❌
|View|✅|✅|✅|❌|❌|❌|❌
|=(% rowspan="10" %)Job|Build|✅|✅|✅|❌|❌|❌|❌
|Cancel|✅|✅|❌|❌|❌|❌|❌
|Configure|✅|✅|❌|❌|❌|❌|❌
|Create|✅|✅|❌|❌|❌|❌|❌
|Delete|✅|❌|❌|❌|❌|❌|❌
|Discover|✅|✅|✅|✅|❌|❌|❌
|ExtendedRead| | | | | | |
|Move|✅|❌|❌|❌|❌|❌|❌
|Read|✅|✅|✅|✅|❌|❌|❌
|Workspace|✅|✅|✅|❌|❌|❌|❌
|=(% rowspan="3" %)Run|Delete|✅|❌|❌|❌|❌|❌|❌
|Replay|✅|✅|✅|❌|❌|❌|❌
|Update|✅|✅|✅|❌|❌|❌|❌
|=Job Config History|DeleteEntry| | | | | | |
|=SCM|Tag|✅|✅|❌|❌|❌|❌|❌
|=(% rowspan="3" %)Metrics|HealthCheck| | | | | | |
|ThreadDump| | | | | | |
|View| | | | | | |

= GitLab =

Users are assigned to Groups in GitLab with the following role assignment. Permissions within subordinate Subgroups and GitLab Projects are inherited.

|=Project Role|=GitLab Group Members Permission
|Viewer|Reporter
|Developer|Developer
|Master|Maintainer
|Admin|Owner

For the meaning of the GitLab group member permissions, see [[https:~~/~~/docs.gitlab.com/ee/user/permissions.html#group-members-permissions>>url:https://docs.gitlab.com/ee/user/permissions.html#group-members-permissions]].

= Harbor Project Roles =

Harbor manages images through projects. You give users access to these images by adding them to projects and assigning one of the following roles to them:

|=(% colspan="2" %)Harbor|=Portal
|=Role Name|=Role Id|=Project Role
|Project Admin|1|ADMIN
|Maintainer|4|MASTER
|Developer|2|DEVELOPER
|Guest|3|VIEWER

== Harbor Role Permissions ==

|=Action|=Limited Guest|=Guest|=Developer|=Maintainer|=Project Admin
|See the project configurations|✅|✅|✅|✅|✅
|Edit the project configurations|❌|❌|❌|❌|✅
|See a list of project members| |✅|✅|✅|✅
|Create/edit/delete project members|❌|❌|❌|❌|✅
|See a list of project logs|✅|✅|✅|✅|❌
|See a list of project replications|❌|❌|❌|✅|✅
|See a list of project replication jobs|❌|❌|❌|❌|✅
|See a list of project labels|❌|❌|❌|✅|✅
|Create/edit/delete project labels|❌|❌|❌|✅|✅
|See a list of repositories|✅|✅|✅|✅|✅
|Create repositories|❌|❌|✅|✅|✅
|Edit/delete repositories|❌|❌|❌|✅|✅
|See a list of images|✅|✅|✅|✅|✅
|Retag image|❌|✅|✅|✅|✅
|Pull image|✅|✅|✅|✅|✅
|Push image|❌|❌|✅|✅|✅
|Scan/delete image|❌|❌|❌|✅|✅
|Add scanners to Harbor *|❌|❌|❌|❌|❌
|Edit scanners in projects|❌|❌|❌|❌|✅
|See a list of image vulnerabilities|✅|✅|✅|✅|✅
|Create list of project vulnerabilities|❌|❌|✅|✅|✅
|Read list of project vulnerabilities|❌|❌|✅|✅|✅
|Export list of project vulnerabilities|❌|❌|✅|✅|✅
|See image build history|✅|✅|✅|✅|✅
|Add/Remove labels of image|❌|❌|✅|✅|✅
|See a list of helm charts|✅|✅|✅|✅|✅
|Download helm charts|✅|✅|✅|✅|✅
|Upload helm charts|❌|❌|✅|✅|✅
|Delete helm charts|❌|❌|❌|✅|✅
|See a list of helm chart versions|✅|✅|✅|✅|✅
|Download helm chart versions|✅|✅|✅|✅|✅
|Upload helm chart versions|❌|❌|✅|✅|✅
|Delete helm chart versions|❌|❌|❌|✅|✅
|Add/Remove labels of helm chart version|❌|❌|✅|✅|✅
|See a list of project robots|❌|❌|❌|✅|✅
|Create/edit/delete project robots|❌|❌|❌|❌|✅
|See configured CVE allowlist|✅|✅|✅|✅|✅
|Create/edit/remove CVE allowlist|❌|❌|❌|❌|✅
|View webhook events|❌|❌|❌|✅|✅
|Add new webhook events|❌|❌|❌|❌|✅
|Enable/deactivate webhooks|❌|❌|❌|❌|✅
|Create/delete tag retention rules|❌|❌|✅|✅|✅
|Enable/deactivate tag retention rules|❌|❌|✅|✅|✅
|Create/delete tag immutability rules|❌|❌|❌|✅|✅
|Enable/deactivate tag immutability rules|❌|❌|❌|✅|✅
|See project quotas|✅|✅|✅|✅|✅
|Edit project quotas *|❌|❌|❌|❌|❌
|Delete Project|❌|❌|❌|❌|✅

~* Only the Harbor system administrator can edit project quotas and add new scanners.

= Gitea =

Please note that some terms used in DevOps-as-a-Service have different names in Gitea. Check the following table to avoid confusion.

|=DevOps Portal|=Gitea
|Project|Organization
|Project Role|Team
|Git Repository|Repository
|Artifact Repository|Package
|Issue Tracking|Project (currently disabled)

The **Owner** team has full admin permission in the Organization. It is reserved for the technical user that the DevOps Portal uses for auto-provisioning.

|=Gitea Role|=Portal Project Role|=Permissions
|Viewer|Viewer|Read
|Developer|Developer|Read, Write
|Master|Master|Read, Write
|Admin|Admin|Read, Write, Repository create

= Nexus Project Roles =

For each Project Role a corresponding role is created in Nexus; it includes one Privilege for each repository in the project.

|=Role|=Admin|=Master|=Developer|=Viewer
|ID|PROJECTKEY-admin|PROJECTKEY-master|PROJECTKEY-developer|PROJECTKEY-viewer
|Name|PROJECTKEY-admin|PROJECTKEY-master|PROJECTKEY-developer|PROJECTKEY-viewer
|Privilege|(((
PROJECTKEY-docker-admin

PROJECTKEY-maven-admin

PROJECTKEY-//repotype//-admin
)))|(((
PROJECTKEY-docker-master

PROJECTKEY-maven-master

PROJECTKEY-//repotype//-master
)))|(((
PROJECTKEY-docker-developer

PROJECTKEY-maven-developer

PROJECTKEY-//repotype//-developer
)))|(((
PROJECTKEY-docker-viewer

PROJECTKEY-maven-viewer

PROJECTKEY-//repotype//-viewer
)))

For each Project Role a **Privilege of type Repository Content Selector** is created, which combines the Content Selector (Project), the Repository (Docker Registry) and the Actions depending on the role.

|=Privilege / Role|=Admin|=Master|=Developer|=Viewer
|Name|PROJECTKEY-docker-admin|PROJECTKEY-docker-master|PROJECTKEY-docker-developer|PROJECTKEY-docker-viewer
|Content Selector|PROJECTKEY-docker|PROJECTKEY-docker|PROJECTKEY-docker|PROJECTKEY-docker
|Repository|docker-registry|docker-registry|docker-registry|docker-registry
|Actions|delete, add, edit, browse, read|add, edit, browse, read|add, edit, browse, read|browse, read

See [[https:~~/~~/help.sonatype.com/repomanager3/security/privileges>>url:https://help.sonatype.com/repomanager3/nexus-repository-administration/access-control/privileges]] for available Actions.
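The two paragraphs above define a naming scheme (PROJECTKEY-//role// roles holding PROJECTKEY-//repotype//-//role// privileges) and a fixed action set per role. As an added example, not the portal's provisioning code, the following Python derives the expected role and privilege set for one project key and compares it with an observed set, so that a privilege that somehow gained extra actions (a Viewer privilege with "delete", say) shows up as drift. The privilege type string and dict layout are illustrative assumptions, and repository names other than docker-registry are caller-supplied placeholders.

```python
# Added example (not the portal's provisioning code): derive the Nexus roles and
# Repository Content Selector privileges described above for one project and
# diff them against an observed set. Only the docker repository name
# ("docker-registry") is given on the page; other repotype -> repository names
# are placeholders supplied by the caller. The dict layout is illustrative.
PROJECT_ROLES = ("admin", "master", "developer", "viewer")

# Actions per Project Role, taken from the privilege table above
ACTIONS = {
    "admin": ("delete", "add", "edit", "browse", "read"),
    "master": ("add", "edit", "browse", "read"),
    "developer": ("add", "edit", "browse", "read"),
    "viewer": ("browse", "read"),
}


def expected_privileges(project_key, repositories):
    """repositories: {repotype: nexus repository name}, e.g. {"docker": "docker-registry"}."""
    privs = {}
    for repotype, repo in repositories.items():
        for role in PROJECT_ROLES:
            privs[f"{project_key}-{repotype}-{role}"] = {
                "type": "repository-content-selector",  # assumed type label
                "contentSelector": f"{project_key}-{repotype}",
                "repository": repo,
                "actions": ACTIONS[role],
            }
    return privs


def expected_roles(project_key, repositories):
    """One Nexus role per Project Role, holding one privilege per repository."""
    return {
        f"{project_key}-{role}": {
            "id": f"{project_key}-{role}",
            "name": f"{project_key}-{role}",
            "privileges": sorted(f"{project_key}-{rt}-{role}" for rt in repositories),
        }
        for role in PROJECT_ROLES
    }


def drift(expected, actual):
    """Return (missing, unexpected, changed) privilege names between two sets."""
    missing = sorted(set(expected) - set(actual))
    unexpected = sorted(set(actual) - set(expected))
    changed = sorted(n for n in set(expected) & set(actual) if expected[n] != actual[n])
    return missing, unexpected, changed
```

Feeding the output of the Nexus privilege listing into the `actual` side of drift() turns the table above into a repeatable check rather than a manual comparison.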