Permissions give users the ability to perform certain operations such as analyzing projects, configuring project settings, and updating issues on projects within a SonarCloud organization of which they are a member.
Permissions are administered by an organization administrator who has the right to grant and revoke permissions to users. The administrator is responsible for ensuring that users have the permissions that they need.
Permissions can be assigned on either an organization level or an individual project level. They can also be granted to multiple projects at once, or to a subset of a group of projects.
The following table gives an overview of the different types of permissions that may be assigned to users at organization level and at project level for both public and private projects.
|Permission Type||Organization Level||Project Level||Public Project||Private Project|
|See Source Code*||✅|
|Administer Security Hotspots*||✅||✅||✅|
*users also need Browse permissions.
Setting permissions on the UI
To administer permissions on an organizational level, go to Your Organization > Administration > Permissions.
From the editing interface, you can grant or revoke permissions to users and groups.
To administer permissions on a project level, go to Project > Administration > Permissions.
You can either manually grant permissions for each project to some users and groups, or apply permissions templates to projects.
Permissions: Organization level
Users have to be added to an organization in order to acquire permissions. For GitHub users, this must be done on the GitHub side. Then, if any members are added or removed in the GitHub organization, the changes are made to SonarCloud either manually or, if you have selected the option within GitHub, by automatic synchronization. For other DevOps platforms, users must be added manually to the platform and then again to SonarCloud. Once a user is added, they are automatically made a regular member of an organization and are granted the set of permissions defined by the permissions template for that organization. See Managing Members.
Administrators are organization owners who have Administer Organization permissions. Administrators can manually grant or revoke permissions for individual users or, where there are many users, for groups of users. They can also apply a pre-configured permissions template to projects.
Organization owners are members of the Owner Group and have Administer permissions by default. These permissions can, however, be revoked.
- Administer: Allows you to perform any action on both Quality Profiles and Quality Gates.
- Execute Analysis: Allows you to trigger an analysis and to push analysis results to the SonarCloud server.
- Create Project: Allows you to initialize a project and configure its settings before the first analysis is performed.
- Administer Organization: Allows you to perform all administrative functions for an organization.
Permissions: Project level
Permissions can also be granted or revoked on an individual project level.
Permissions can be granted to a user or group to perform the following operations. Note that the permissions available to users depend on whether the plan in use is public or private.
Permissions for users of public projects
- Administer Issues: Change the type and severity of the issue; resolve issues as being "Won't Fix" or "False Positive" (users also need "Browse" permission).
- Administer Security Hotspots: Change the status of a Security Hotspot.
- Administer (Quality Profile and Quality Gate).
- Execute Analysis
Permissions for users of private projects
Users of private projects can also be granted the following two permission types.
- Browse: Access a project; browse its measures, issues; perform some issue edits such as confirm/resolve/reopen, assignment, comment (also need "Administer Issues" permission); Browse Security Hotspots (also need "Administer Security Hotspots" permission); comment on or change the user assigned to a Security Hotspot.
- See Source Code: View the project's source code.
Administrators must have browse permissions for private projects.
The list above shows the permission types required for public or private projects. It does not follow the order in which the permission types appear on the UI.
SonarCloud comes with a default template that automatically grants a defined set of permissions to new projects in an organization. You can edit the default template and create additional templates from the editable template interface.
To access the default template, go to Your Organization > Administration > Permission Templates > Default Permission Template.
This takes you to the template interface which you can edit. New templates are empty, so you can adapt them to meet the needs of individual projects.
A permissions template does not have a direct connection to your project settings. This means that:
- You can modify the permissions of a project after a permissions template has been applied.
- Project permissions do not change when a permissions template has been modified.
To create a new template, go to Organization > Administration > Permission Templates and click the Create button.
Your newly created template will then appear in the list of permission templates.
Applying permission templates to groups of projects
To apply permissions templates to multiple projects, go to Your Organization > Administration > Projects Management.
Select the check box for each project you want to apply the template to and then click Bulk Apply Permission Template in the top right corner. Then, choose your template from the dropdown list and click Apply.
The settings used while applying permissions templates in bulk override any existing settings to the template.
Applying permission templates to subsets of groups
If you want to apply a template to a subset of new projects in your organization, you can use a project key regular expression (the template's Project Key Pattern). By default, if a new project has a key that matches the supplied pattern, it will automatically have the template's permissions applied.
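An added example (not SonarCloud code) for previewing Project Key Patterns before saving them: it lists which templates would match each project key and flags keys matched by more than one pattern or by none, so an overly broad pattern is caught before it grants permissions. The template names, patterns and project keys are constructed, and treating the pattern as a full match against the key is an assumption.

```python
import re

# Constructed sample data: template names, patterns and project keys are
# hypothetical, not taken from SonarCloud or from this page.
TEMPLATES = {
    "payments-restricted": r"acme_payments-.*",
    "internal-tools": r"acme_tools-.*",
    "catch-all": r"acme_.*",
}
PROJECT_KEYS = [
    "acme_payments-api",
    "acme_tools-cli",
    "acme_website",
    "partner_acme_payments-sdk",
]


def preview(templates, project_keys):
    """Map each project key to the templates whose pattern matches it.

    Assumption: the pattern must match the entire key (full match), so
    re.fullmatch is used rather than re.search.
    """
    compiled = {name: re.compile(p) for name, p in templates.items()}
    return {
        key: sorted(n for n, rx in compiled.items() if rx.fullmatch(key))
        for key in project_keys
    }


def review(matches):
    """Return the keys that need attention before the patterns are saved."""
    ambiguous = sorted(k for k, names in matches.items() if len(names) > 1)
    unmatched = sorted(k for k, names in matches.items() if not names)
    return ambiguous, unmatched


if __name__ == "__main__":
    result = preview(TEMPLATES, PROJECT_KEYS)
    for key, names in result.items():
        print(f"{key:28} -> {', '.join(names) or '(no pattern matched)'}")
    ambiguous, unmatched = review(result)
    print("matched by more than one pattern:", ambiguous)
    print("matched by no pattern:", unmatched)
```

Here the hypothetical `catch-all` pattern overlaps both narrower patterns, which is the case to resolve before relying on a restricted template.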
Creators is a special group that appears only in the permission template editing interface. Any permissions assigned to this group will, at the time of project creation, be granted to the single user account used to create the project. This allows SonarCloud administrators to let users autonomously create their own projects and administer permissions on them.
While templates can be applied after project creation, applying a template that includes "Creators" permissions to an existing project will not grant the relevant permissions to the project's original creator because that association is not stored.
Permissions and visibility in paid organizations
If your organization is on a paid plan but you want to make a project public (for instance because you are developing an open-source library), you can make the change on the My Project > Administration > Permissions settings page.
If an organization is on a paid plan then, by default, you have to be a member of the organization to be able to see:
- Quality Profiles
- Quality Gates
The administration pages are also restricted to administrators of the organization.
For more information, see Payment and visibility.
Permissions and rules
The following actions are available only if you have the right permissions ("Administer Quality Profiles and Gates"):
- Add/Remove rule tags
- Extend description
For more information, see Rules.