# Permissions

## Introduction

Permissions in SonarQube Cloud exist at the enterprise, portfolio, organization, and project levels, each with its own set of actions. Permissions are set by an administrator at each level for individual users and groups, or by permission templates.

<figure><img src="/files/uUe5dRBL3WsZavuKSfS5" alt="Diagram of the permissions structure in SonarQube Cloud"><figcaption></figcaption></figure>

### Groups

Organization groups are the primary vehicle for assigning permissions consistently across many users at the organization, portfolio, and project levels. Since portfolios can be a collection of projects across multiple organizations, they can use groups from multiple organizations for permission assignment.

When an organization is created there are two groups that are created by default:

* **Owner**: This group contains the creator of the organization by default. The organization’s administrator can manage this group by adding or removing users and changing its name.
* **Members**: This group contains all members of the organization. The membership of this group cannot be modified.

The administrator can override the groups’ default permissions for an organization or project if the organization is on one of the [Team and Enterprise](https://www.sonarsource.com/plans-and-pricing/) plans. See [Managing user groups](/sonarqube-cloud/administering-sonarcloud/managing-organization/users-and-permissions/user-groups.md) for more information.

Group permissions supplement the individual user permissions, working as a *union* between user and group permissions. For example, if you don’t have the **Create project** permission as an individual user (organization level) but you belong to the **Owner** group that has the permission enabled, you automatically get it from the group.

### Permission templates

Permission templates let administrators apply consistent permission sets (user, groups, creator) for new and existing projects and portfolios. When a new project or portfolio is created, permissions from the default permission template are automatically applied to it.

Permission templates don't continuously sync user and group permissions, even when the template is changed by the administrator. They act as one-time events and are triggered during the creation process or when you decide to reset permissions.

Custom project permissions templates are available in the [Team and Enterprise](https://www.sonarsource.com/plans-and-pricing/) plans. See [Using permission templates](/sonarqube-cloud/administering-sonarcloud/managing-organization/manage-org-projects/manage-project-permissions/templates.md) for projects and [Administering portfolios](/sonarqube-cloud/getting-started-with-enterprise/administering-portfolios.md#permission-templates) for more information.
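Because a template is applied once and not kept in sync, a project can hold grants that differ from what the current template would apply. The following added example (not SonarQube Cloud code or API output) compares each project's grants with the template and reports the difference; the data layout, the `group:`/`user:` keys, the project names and the function names are constructed for illustration.

```python
# Constructed sample data: the current default template and the grants held
# by two projects. Keys and project names are hypothetical.
TEMPLATE = {
    "group:Owner": {"Administer", "Execute analysis"},
    "group:Members": {"Browse", "Administer issues", "Administer security hotspots"},
}
PROJECTS = {
    # Created before the administrator edited the template, then hand-edited.
    "legacy-app": {
        "group:Owner": {"Administer", "Execute analysis"},
        "group:Members": {"Browse", "See source code", "Administer issues"},
        "user:bob": {"Administer"},
    },
    # Created (or reset) after the edit, so it matches the template.
    "new-app": {k: set(v) for k, v in TEMPLATE.items()},
}


def drift(template, grants):
    """Map each principal to (missing, extra) permissions versus the template."""
    report = {}
    for principal in sorted(set(template) | set(grants)):
        want = template.get(principal, set())
        have = grants.get(principal, set())
        if want != have:
            report[principal] = (sorted(want - have), sorted(have - want))
    return report


def drifted_projects(template, projects):
    """Projects whose grants no longer match what the template would apply."""
    return {name: d for name, grants in projects.items()
            if (d := drift(template, grants))}


if __name__ == "__main__":
    for name, report in drifted_projects(TEMPLATE, PROJECTS).items():
        for principal, (missing, extra) in report.items():
            print(f"{name} {principal}: missing={missing} extra={extra}")
```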

## Enterprise permissions

The following are the permissions available for an enterprise:

<table><thead><tr><th width="197">Permission</th><th>Description</th></tr></thead><tbody><tr><td><strong>Administer Enterprise</strong></td><td><p>The enterprise administrator can:</p><ul><li>Change user permissions of an enterprise</li><li>Add an organization to the enterprise.</li><li>Remove or downgrade an organization.</li><li>Rename the organization</li><li>Manage portfolio permission templates</li></ul></td></tr><tr><td><strong>Create Portfolios</strong></td><td>Can create portfolios.</td></tr></tbody></table>

### When an enterprise is created

The enterprise must have at least one administrator; we recommend two per enterprise. The initial user who created the enterprise is automatically its administrator.

See [Managing the enterprise-related permissions](/sonarqube-cloud/administering-sonarcloud/managing-enterprise/managing-the-enterprise-related-permissions.md) for more information.

## Portfolio permissions

The following permissions are available for a portfolio:

<table><thead><tr><th width="198.82421875">Permission</th><th>Description</th></tr></thead><tbody><tr><td><strong>Administer</strong></td><td>Can change the portfolio’s permissions.</td></tr><tr><td><strong>Edit</strong></td><td><p>Grants the ability to: </p><ul><li>Delete a portfolio.</li><li>Add projects by name (with projects’ Browse permission), by project tags, by organizations, or using regex (without projects’ Browse permission). </li><li>Remove any projects. Projects without the Browse permissions appear as hidden and once removed cannot be added back in.</li></ul></td></tr><tr><td><strong>View</strong></td><td>Can view the portfolio’s Overview, Portfolio Breakdown, and Measures tabs. On the Portfolio Breakdown page, users can only view the projects they have access to (Browse permission).</td></tr></tbody></table>

### When a portfolio is created

When a portfolio is created by users with the enterprise-level **Create portfolio** permission, permissions from the default portfolio permission template (defined by the enterprise administrator) are applied to the new portfolio.

The portfolio permissions include users and groups of any organization that belongs to the enterprise.

See [Administering portfolios](/sonarqube-cloud/getting-started-with-enterprise/administering-portfolios.md) for more information.

## Organization permissions

The following permissions are available for an organization:

<table><thead><tr><th width="224">Permission Type</th><th width="524">Description</th></tr></thead><tbody><tr><td><strong>Administer organization</strong></td><td><p>Has full control over the administration functions for the organization, including the following permission-related functions:</p><ul><li>Management of the organization’s user and group permissions</li><li>Management of project template permissions</li><li>Recovery of project administrator permissions. See <a data-mention href="/pages/RFDDT2Dz7HGpFxocV0Cj">/pages/RFDDT2Dz7HGpFxocV0Cj</a> for more information.</li><li>Bulk apply of project permission templates. See <a data-mention href="/pages/94a2836yBMtNaqs6SQ6e">/pages/94a2836yBMtNaqs6SQ6e</a> for more information.</li></ul></td></tr><tr><td><strong>Administer Quality Gates</strong></td><td>Can create and update <a data-mention href="/pages/8xApxZtaDzjCuy6eb9oB">quality gates</a> that can be applied to the organization’s projects.</td></tr><tr><td><strong>Administer Quality Profiles</strong></td><td>Can create and update quality profiles that can be applied to the organization’s projects. See <a data-mention href="/pages/OEWS8DYTT3K2UXi6ACv7">/pages/OEWS8DYTT3K2UXi6ACv7</a> for more details.</td></tr><tr><td><strong>Execute analysis</strong></td><td><p>Grants the ability to: </p><ul><li>Retrieve all settings required to run the analysis, including secured credentials like passwords.</li><li>Push analysis results to SonarQube Cloud.</li><li>Run scans on any project in the organization, including private ones, regardless of existing project-level permissions.</li></ul></td></tr><tr><td><strong>Create projects</strong></td><td>Can create new projects in the organization.</td></tr></tbody></table>

### When an organization is created

When an enterprise administrator creates an organization, they are automatically added to the Owner and Members groups with the following permissions:

* **Owner**: All permissions for the organization.
* **Members**: None.

Once the organization is created, the organization’s administrator can change the Owner and Members group permissions and create additional custom groups ([Team and Enterprise](https://www.sonarsource.com/plans-and-pricing/) plans). They can also manage individual users and their permissions.

Keep in mind that all members of the organization belong to the Members group, so all new users added to the organization automatically have the permissions of the Members group.

For more information, see:

* [Managing organization permissions](/sonarqube-cloud/administering-sonarcloud/managing-organization/users-and-permissions/organization-permissions.md)
* [Adding organization members](/sonarqube-cloud/administering-sonarcloud/managing-organization/users-and-permissions/organization-members.md)
* [Managing user groups](/sonarqube-cloud/administering-sonarcloud/managing-organization/users-and-permissions/user-groups.md)
* [Using permission templates](/sonarqube-cloud/administering-sonarcloud/managing-organization/manage-org-projects/manage-project-permissions/templates.md)
* [Recovering project admin access](/sonarqube-cloud/administering-sonarcloud/managing-organization/manage-org-projects/manage-project-permissions/recovering-admin-access.md)
* [Using Projects Management page](/sonarqube-cloud/administering-sonarcloud/managing-organization/manage-org-projects/projects-management-page.md)

## Project permissions

The following permissions are available for a project:

<table><thead><tr><th width="192">Permission Type</th><th>Description</th></tr></thead><tbody><tr><td><strong>Administer</strong></td><td><p>On private projects, the Browse project permission must also be granted. The project administrator can access project settings and perform administration functions, including the following permission-related functions:</p><ul><li>Management of the project’s user and group permissions. </li><li>Project's visibility (public, private).</li></ul></td></tr><tr><td><strong>Execute analysis</strong></td><td><p>Grants the ability to: </p><ul><li>Retrieve all settings required to run the analysis, including secured credentials like passwords</li><li>Push analysis results to SonarQube Cloud</li></ul><p><strong>Note</strong>: Users with the Execute Analysis permission at the organization-level are able to scan projects, even if they don’t have any explicit project permissions. </p></td></tr><tr><td><strong>Administer security hotspots</strong></td><td>Can change the status of a security hotspot. For private projects, the Browse project permission must also be granted.</td></tr><tr><td><strong>Administer issues</strong></td><td><p>Can perform the following actions: </p><ul><li>Accept an issue</li><li>Mark an issue as False positive</li></ul></td></tr><tr><td><strong>See source code</strong> (private projects)</td><td><p>Grants the ability to view the source code (via API and web view) provided the Browse project permission is also granted.</p><p><strong>Note</strong>: Anonymous and unauthorized users are prevented from easily downloading public projects’ source code via API and web views.</p></td></tr><tr><td><strong>Browse</strong><br>(private projects)</td><td>Can view a project.</td></tr></tbody></table>

### When a project is created

When a user with the organization-level **Create projects** permission creates a new project, they are automatically added to the Owner and Members groups with the following default permissions.

* **Owner**: Administer architecture, Administer, Execute analysis.
* **Members**: Browse (private projects), See source code (private projects), Administer issues, Administer security hotspots.

These default group permissions are set by the default project permission template. They are managed by the organization’s administrator ([Team and Enterprise](https://www.sonarsource.com/plans-and-pricing/) plans).

Once the project is created, the project’s administrator can change the Owner and Members group permissions ([Team and Enterprise](https://www.sonarsource.com/plans-and-pricing/) plans). They can also manage individual user permissions.

Keep in mind that all members of the project belong to the Members group, so all new users automatically have the project permissions of the Members group applied to them.

See [Setting your project's permissions](/sonarqube-cloud/managing-your-projects/administering-your-projects/setting-permissions.md) for more information.
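The union of user and group permissions, and the way organization-level Execute analysis reaches projects that grant nothing at project level, can be checked with a short audit. This is an added example, not SonarQube Cloud code or API output: the data layout, the users, the finding codes and the names `ORG`, `PROJECT`, `effective` and `audit` are constructed for illustration.

```python
# Constructed sample data (hypothetical layout, not SonarQube Cloud API output).
ORG = {
    "groups": {"Owner": {"alice"},
               "Members": {"alice", "bob", "carol", "ci-bot"}},
    "user_perms": {"ci-bot": {"Execute analysis"}},
    "group_perms": {"Owner": {"Administer organization", "Create projects"},
                    "Members": set()},
}
PROJECT = {  # a private project whose Members defaults were removed
    "user_perms": {"bob": {"Administer"},
                   "carol": {"Browse", "See source code"}},
    "group_perms": {"Owner": {"Administer", "Execute analysis", "Browse"},
                    "Members": set()},
}


def effective(scope, groups, user):
    """Union of the user's own grants and the grants of each group they are in."""
    perms = set(scope["user_perms"].get(user, set()))
    for name, members in groups.items():
        if user in members:
            perms |= scope["group_perms"].get(name, set())
    return perms


def audit(org, project):
    """Return (user, finding) pairs for one private project, ordered by user."""
    findings = []
    for user in sorted(org["groups"]["Members"]):
        org_p = effective(org, org["groups"], user)
        proj_p = effective(project, org["groups"], user)
        # Organization-level Execute analysis allows scanning any project,
        # whatever the project-level grants say.
        if "Execute analysis" in org_p and "Execute analysis" not in proj_p:
            findings.append((user, "ORG_LEVEL_SCAN"))
        # On private projects Browse must be granted alongside Administer.
        if "Administer" in proj_p and "Browse" not in proj_p:
            findings.append((user, "ADMIN_WITHOUT_BROWSE"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(ORG, PROJECT):
        print(f"{user}: {finding}")
```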

## Managing permissions with Web API

See the following links in the Web API portal:

* [Users and Roles API](https://api-docs.sonarsource.com/sonarqube-cloud/default/public-externalusers-0-0)
* [Enterprises, Reports, Portfolios, Portfolio Permission Templates API](https://api-docs.sonarsource.com/sonarqube-cloud/default/public-sonarcloud-organizations-enterprises-external-1-0-1#/enterprises/list-enterprises)
* [Organizations API](https://api-docs.sonarsource.com/sonarqube-cloud/default/public-sonarcloud-organizations-organizations-external-1-0-2)
* [Projects External API](https://api-docs.sonarsource.com/sonarqube-cloud/default/public-projectsexternal-0-0-1)


