Managing permissions
As a System Administrator, you can grant users and groups global permissions (permissions not related to a project) and you can manage the project-related permissions granted by default when a new project is created.
Permissions can be set automatically depending on the authentication and provisioning setup (see Overview of authentication and provisioning).
Setting the global permissions
Global permissions
Administer System
Has full control over the SonarQube instance.
Administer Quality Gates
Can create and update quality gates that can be applied to the organization’s projects.
Administer Quality Profiles
Can create and update quality profiles that can be applied to the organization’s projects.
Can add tags to rules.
Execute analysis
Can start an analysis on every project in SonarQube. This includes the ability to get all settings required to perform an analysis, including secured settings like passwords, and to push analysis results to SonarQube.
This permission is applied by default to the sonar-users group, which means that its users can see the branch status of any project, even if they don’t have explicit permissions for it. We recommend that after you install SonarQube, you review all global permissions and ensure they comply with your company policy.
Create Projects
Can create new projects in SonarQube.
Create Applications
Can create new applications in SonarQube.
Create Portfolios
Can create new portfolios in SonarQube.
Setting the global permissions of groups and users
To set the global-level permissions of the groups and users:
In the top navigation bar, go to Administration > Security > Global permissions. The Global Permissions page opens.
You can search for users or groups.
In the permissions grid, select a check box to grant the corresponding permission.
Changing the default visibility of new projects
By default, any newly created project will be public. It means every SonarQube user, authenticated or not, will be able to:
Browse: Access a project, browse its measures and issues, and perform some issue edits (confirm, assign, comment).
See Source Code: View the project’s source code.
To change the default visibility of new projects:
In the top navigation bar, go to Administration > Projects > Management.
In the top right corner of the page, select the pen icon near Default visibility of new projects. The Set Default Visibility of New Projects dialog opens.
Select Public or Private.
Select Change default visibility.
Managing project-related permissions through templates
As a global System Administrator, you can use permission templates to define:
The permissions granted by default to users, groups, and project creators on new projects, new applications (starting in Developer Edition), or new portfolios (starting in Enterprise Edition).
Different sets of permissions that a project admin can apply to their project at any time.
Permissions related to a project
Permission Type
Description
Browse Project
Applies only to private projects (anyone, including anonymous users, can view public projects).
Can view the project.
See Source Code
Applies only to private projects.
Can view the source code (via API and web view) provided the Browse project permission is also granted.
Administer Issues
Can perform the following actions:
• Accept an issue
• Mark an issue as False positive
Administer Security Hotspots
Can change the status of a security hotspot. For private projects, the Browse project permission must also be granted.
Administer project
Can perform the following actions:
• Delete a project.
• Change the project settings including project-level permissions.
• Configure various project functions, such as PDF reporting, snapshots, and webhooks.
For private projects, the Browse project permission must also be granted.
Execute Analysis on project
Can start an analysis on the project. This includes the ability to get all settings required to perform an analysis (including secured settings like passwords) and to push analysis results to the SonarQube server.
Permission template concept
A permission template defines the project-related permissions granted to groups and members of the organization.
You can define several permission templates in your organization:
You define the default template.
You can define a template that applies to specific projects according to their key pattern by using a regular expression.
When a new project is created, SonarQube Server uses a permission template to grant the default permissions on the project. It retrieves the template according to the following rules:
If the project key complies with the project key pattern of a template, then this template is used. If several templates comply, an error is raised.
Otherwise, the default template is used.
The project administrator can then change the permissions as necessary.
Creating a new template
In the top navigation bar, go to Administration > Security > Permission Templates. The Permission Templates page opens with the list of templates.
Select the Create button. The Create Permission Template dialog opens.
Enter the template name and description.
If you want to apply the template to specific new projects according to their key, enter the corresponding regular expression in Project key pattern. The regular expression must specify the complete key (not only a part of the key). For example, the pattern ^abc-(def1|def2)-.* matches the project keys abc-def1-<anyString> and abc-def2-<anyString>.
Select the Create button. The dialog closes and the new template is displayed.
Set the permissions by selecting the respective check boxes.
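The template selection rules under "Permission template concept" and the complete-key rule for Project key pattern can be checked offline before a pattern is relied on. The sketch below is an added example, not SonarQube code: the template names, sample keys and helper functions are hypothetical, and Python's re.fullmatch stands in for the server's regular expression engine.

```python
import re

# Constructed sample templates (hypothetical names); pattern None = no key pattern.
TEMPLATES = [
    {"name": "Default template", "pattern": None, "default": True},
    {"name": "ABC teams", "pattern": r"^abc-(def1|def2)-.*", "default": False},
    {"name": "Payments", "pattern": r"pay-.*", "default": False},
]


class AmbiguousTemplateError(Exception):
    """Several templates' key patterns match the same project key."""


def resolve_template(project_key, templates):
    """Return the name of the template a new project with this key would get."""
    matching = [
        t["name"] for t in templates
        # fullmatch: the pattern must cover the complete key, not only a part
        if t["pattern"] and re.fullmatch(t["pattern"], project_key)
    ]
    if len(matching) > 1:
        # Rule 1: several templates comply -> an error is raised
        raise AmbiguousTemplateError(f"{project_key!r} matches {matching}")
    if matching:
        return matching[0]
    # Rule 2: otherwise the default template is used
    return next(t["name"] for t in templates if t["default"])


def preflight(project_keys, templates):
    """Map each planned key to its template, or to the conflict it would hit."""
    report = {}
    for key in project_keys:
        try:
            report[key] = resolve_template(key, templates)
        except AmbiguousTemplateError as exc:
            report[key] = f"ERROR: {exc}"
    return report


if __name__ == "__main__":
    # Constructed project keys: one match, two near misses, one other match.
    keys = ["abc-def1-web", "abc-def3-web", "xabc-def1-web", "pay-gateway"]
    for key, outcome in preflight(keys, TEMPLATES).items():
        print(f"{key:16} -> {outcome}")
```

Keys that miss every pattern fall through to the default template, so a near-miss key receives whatever that template grants rather than the restricted set intended for it.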
Setting the default template for projects, applications or portfolios
In the top navigation bar, go to Administration > Security > Permission Templates. The Permission Templates page opens with the list of templates.
Select the three-dot menu to the far right of the template you want to change.
In the menu, select Set Default for Projects, Set Default for Applications, or Set Default for Portfolios.
Deleting a template
In the top navigation bar, go to Administration > Security > Permission Templates. The Permission Templates page opens with the list of templates.
Select the three-dot menu to the far right of the template you want to delete.
In the menu, select Delete and confirm.
Changing a template
In the top navigation bar, go to Administration > Security > Permission Templates. The Permission Templates page opens with the list of templates.
Select the three-dot menu to the far right of the template you want to change.
In the menu:
To change the template name, description or pattern: select Update Details.
To change the template permissions, description or pattern: select Edit Permissions.
Please note that changing the template does not automatically apply the updated permissions to projects associated with it. You must reapply the template to your projects.
Applying a permission template to several projects at a time
In the top navigation bar, go to Administration > Projects > Management.
Retrieve and select in the grid the projects you want to update.
In the tool bar, select Bulk Apply Permission Template. The Bulk Apply Permission Template dialog opens.
Select the template and select Apply.
Restoring administrator access to SonarQube Server
If you lost global administrator access to SonarQube Server, you can restore it by executing the following queries directly in your database. You can:
Regrant the global Administer System permission to an existing user.
Reactivate and/or reset the password of the built-in admin account.
Regranting the Administer System permission to a user
Use the query below where <userLogin> represents the login of the user who should become a system administrator:
Reactivating the built-in admin account
If you changed and then lost the password to the built-in admin account or deactivated this user, you can activate the user and reset the password using the following query, depending on the database engine:
PostgreSQL and Microsoft SQL Server
Oracle