Managing permissions

As a System Administrator, you can grant users and groups global permissions and you can manage the default project permissions.

As a System Administrator, you can grant users and groups global permissions (permissions not related to a project) and you can manage the project-related permissions granted by default when a new project is created.

Permissions can be set automatically depending on the authentication and provisioning method used.

Setting the global permissions

Global permissions
Permission type
Description

Administer System

Has full control over the SonarQube Server instance.

Administer Quality Gates

Can create and update quality gates that can be applied to the organization’s projects.

Administer Quality Profiles

Can create and update quality profiles that can be applied to the organization’s projects.

Execute analysis

Can start an analysis on every project in SonarQube Server. This includes the ability to get all settings required to perform an analysis (including secured settings like passwords) and to push analysis results to the SonarQube Server.

Create Projects

Can create new projects in SonarQube Server.

Create Applications

Can create new applications in SonarQube Server.

Create Portfolios

Can create new portfolios in SonarQube Server.

Setting the global permissions of groups and users

To set the global-level permissions of the groups and users:

  1. In the top navigation bar, go to Administration > Security > Global permissions. The Global Permissions page opens.

  2. You can search for users or groups.

  3. In the permissions grid, select a check box to grant the corresponding permission.

Changing the default visibility of new projects

By default, any newly created project will be public. It means every SonarQube user, authenticated or not, will be able to:

  • Browse: Access a project, browse its measures and issues, and perform some issue edits (confirm, assign, comment).

  • See Source Code: View the project’s source code.

To change the default visibility of new projects:

  1. In the top navigation bar, go to Administration > Projects > Management.

  2. In the top right corner of the page, select the pen icon near Default visibility of new projects. The Set Default Visibility of New Projects dialog opens.

  3. Select Public or Private.

  4. Select Change default visibility.

Managing project-related permissions through templates

As a global System Administrator, using permission templates allows you to define:

  • The permissions granted by default to users, groups, and project creators on new projects, new applications (starting in Developer Edition), or new portfolios (starting in Enterprise Edition).

  • Different sets of permissions that a project admin can apply to their project at any time.

Permissions related to a project
Permission Type
Description

Browse Project

Applies only to private projects (Anyone, including anonymous users, can view the public projects.).

Can view the project.

See Source Code

Applies only to private projects.

Can view the source code (via API and web view) provided the Browse project permission is also granted.

Administer Issues

Can perform the following actions:

• Accept an issue

• Mark an issue as False positive

Administer Security Hotspots

Can change the status of a security hotspot. For private projects, the Browse project permission must also be granted.

Administer project

Can perform the following actions:

• Delete a project.

• Change the project settings including project-level permissions.

• Configure various project functions, such as PDF reporting, snapshots, and webhooks.

For private projects, the Browse project permission must also be granted.

Execute Analysis on project

Can start an analysis on the project. This includes the ability to get all settings required to perform an analysis (including secured settings like passwords) and to push analysis results to the SonarQube server.

Permission template concept

A permission template defines the project-related permissions granted to groups and members of the organization.

You can define several permission templates in your organization:

  • You define the default template.

  • You can define a template that applies to specific projects according to their key pattern by using a regular expression.

When a new project is created, SonarQube Server uses a permission template to grant the default permissions on the project. It retrieves the template according to the following rules:

  • If the project key complies with the project key pattern of a template, then this template is used. If several templates comply, an error is raised.

  • Otherwise, the default template is used.

The project admin can then change the permissions if necessary and apply any other template.

Creating a new template

  1. In the top navigation bar, go to Administration > Security > Permission Templates. The Permission Templates page opens with the list of templates.

  2. Select the Create button. The Create Permission Template dialog opens.

  3. Enter the template name and description.

  4. If you want to apply the template to specific new projects according to their key, enter the corresponding regular expression in Project key pattern. The regular expression must specify the complete key (not only a part of the key). For example, to match the project keys abc-def1-<anyString> and abc-def2-<anyString>, use the pattern ^abc-(def1|def2)-.*.

  5. Select the Create button. The dialog closes and the new template is displayed.

  6. Set the permissions by selecting the respective check boxes.

Setting the default template for projects, applications or portfolios

  1. In the top navigation bar, go to Administration > Security > Permission Templates. The Permission Templates page opens with the list of templates.

  2. Select the three-dot menu to the far right of the template you want to change.

  3. In the menu, select Set Default for Projects, Set Default for Applications, or Set Default for Portfolios.

Deleting a template

  1. In the top navigation bar, go to Administration > Security > Permission Templates. The Permission Templates page opens with the list of templates.

  2. Select the three-dot menu to the far right of the template you want to delete.

  3. In the menu, select Delete and confirm.

Changing a template

  1. In the top navigation bar, go to Administration > Security > Permission Templates. The Permission Templates page opens with the list of templates.

  2. Select the three-dot menu to the far right of the template you want to change.

  3. In the menu:

    • To change the template name, description or patter: select Update Details.

    • To change the template permissions, description or patter: select Edit Permissions.

Please note that changing the template does not automatically apply the updated permissions to projects associated with it. You must reapply the template to your projects.

Applying a permission template to several projects at a time

  1. In the top navigation bar, go to Administration > Projects > Management.

  2. Retrieve and select in the grid the projects you want to update.

  3. In the tool bar, select Bulk Apply Permission Template. The Bulk Apply Permission Template dialog opens.

  4. Select the template and select Apply.

Restoring administrator access to SonarQube Server

If you lost global administrator access to SonarQube Server, you can restore it by executing the following queries directly in your database. You can:

  • Regrant the global Administer System permission to an existing user.

  • Reactivate and/or reset the password of the built-in admin account

Regranting the Administer System permission to a user

Use the query below where <userLogin> represents the login of the user who should become a system administrator:

insert into user_roles(uuid, user_uuid, role)
values ('random-uuid', (select uuid from users where login='<userLogin>'), 'admin');
Reactivating the built-in admin account

If you changed and then lost the password to the built-in admin account or deactivated this user, you can activate the user and reset the password using the following query, depending on the database engine:

PostgreSQL and Microsoft SQL Server

update users set
crypted_password='100000$t2h8AtNs1AlCHuLobDjHQTn9XppwTIx88UjqUm4s8RsfTuXQHSd/fpFexAnewwPsO6jGFQUv/24DnO55hY6Xew==',
salt='k9x9eN127/3e/hf38iNiKwVfaVk=',
hash_method='PBKDF2',
reset_password='true',
user_local='true',
active='true'
where login='admin';

Oracle

update users set
crypted_password='100000$t2h8AtNs1AlCHuLobDjHQTn9XppwTIx88UjqUm4s8RsfTuXQHSd/fpFexAnewwPsO6jGFQUv/24DnO55hY6Xew==',
salt='k9x9eN127/3e/hf38iNiKwVfaVk=',
hash_method='PBKDF2',
reset_password=1,
user_local=1,
active=1
where login='admin';

Related pages

PreviousManaging groupsNextAssociating with SCM account

Last updated

Was this helpful?