User accounts

Security-relevant considerations and setups regarding user accounts.

By default, authentication is forced.

Authentication can be managed:

To change the password of a manually created account, see Changing user password.

To deactivate a user account, see Deactivating users.

To manage the user account permissions, see:

Disabling forced user authentication

You can disable forced user authentication, and allow anonymous users to browse projects and run analyses in your instance. To do so, you need the Administer System permission.

Disabling forced authentication can expose your SonarQube Server instance to security risks. We strongly recommend forcing user authentication on production instances or carefully configuring the security (user permissions, project visibility, etc.) on your instance. See also Accessible API endpoints if forced authentication disabled below.

We advise keeping forced authentication if you have your SonarQube Server instance publicly accessible.

Accessible API endpoints if forced authentication disabled

If forced authentication is disabled, the following API endpoints are accessible without authentication:

  • api/components/search

  • api/issues/tags

  • api/languages/list

  • api/metrics/domains

  • api/metrics/search

  • api/metrics/types

  • api/plugins/installed

  • api/project_tags/search

  • api/qualitygates/list

  • api/qualitygates/search

  • api/qualitygates/show

  • api/qualityprofiles/backup

  • api/qualityprofiles/changelog

  • api/qualityprofiles/export

  • api/qualityprofiles/exporters

  • api/qualityprofiles/importers

  • api/qualityprofiles/inheritance

  • api/qualityprofiles/projects

  • api/qualityprofiles/search

  • api/rules/repositories

  • api/rules/search

  • api/rules/show

  • api/rules/tags

  • api/server/version

  • api/settings/login_message

  • api/sources/scm (for public repositories)

  • api/sources/show (for public repositories)

  • api/system/dbmigrationstatus

  • api/system/migrate_db

  • api/system/ping

  • api/system/status

  • api/system/upgrades

  • api/users/search

  • api/webservices/list

  • api/webservices/response_example

To disable forced authentication:

  1. Go to Administration > Configuration > General Settings > Security.

  2. Disable Force user authentication.

PreviousSecurityNextUser sessions

Last updated

Was this helpful?