Hello, I’m a QA Assurance Engineer at a company that uses SonarQube Enterprise Edition. I’ve been assigned a task related to blocking any user’s login if that user is not within a specific group.
For example, assume we have groups X, Y and sonar-users (default). If a user belongs solely to sonar-users, their access to SonarQube should be denied. Otherwise, if this same user gets included in the “X” group, their access shall be granted.
Nowadays, even though some groups don’t have any type of access to any project/portfolio/application, they’re still able to log in. It shouldn’t be that way (within our context).
We are trying to achieve this on account of access management good practices. We’d like to know if it’s possible to enable this functionality at all, in any version.
Hey, Colin. Thanks for the fast response. Yes, our users authenticate with LDAP.
In that case, your best bet is to fiddle with your ldap.user.baseDn or ldap.user.request configuration to only allow access to the groups you’ve specified (basically, not letting the ldapsearch query return a user unless a condition is met).
So you could do something like this:
ldap.user.request=(&(sAMAccountName={login})(|(memberOf=CN=Group1,OU=Training,DC=company,DC=local)(memberOf=CN=Group2,OU=Training,DC=company,DC=local)))
So it’s not exactly what you propose (block users if they would only belong to sonar-users), but it would prevent users from logging in / having an account created at all if they don’t belong to your specified groups.
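Added example, not part of the original thread or SonarQube's own code: a small Python evaluator that runs the ldap.user.request filter above against constructed directory entries to show which logins the search would return. It handles only &, |, ! and equality matches; the sample users and the character allow-list applied to the login are assumptions.

```python
import re

# Filter from the thread; {login} is replaced with the name typed at login.
FILTER = ("(&(sAMAccountName={login})(|"
          "(memberOf=CN=Group1,OU=Training,DC=company,DC=local)"
          "(memberOf=CN=Group2,OU=Training,DC=company,DC=local)))")

# Constructed sample entries (not from a real directory).
BASE = "OU=Training,DC=company,DC=local"
DIRECTORY = [
    {"sAMAccountName": ["alice"], "memberOf": ["CN=Group1," + BASE]},
    {"sAMAccountName": ["bob"], "memberOf": ["CN=Other," + BASE]},
    {"sAMAccountName": ["carol"],
     "memberOf": ["cn=group2," + BASE.lower(), "CN=Other," + BASE]},
    {"sAMAccountName": ["dave"]},  # no group membership at all
]

def parse(text, pos=0):
    """Parse one parenthesised filter at text[pos]; return (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "&|!":
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == "(":
            child, pos = parse(text, pos)
            children.append(child)
        node = (op, children)
    else:  # equality item: attr=value, value runs to the closing paren
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        node, pos = ("=", attr, value), end
    if text[pos] != ")":
        raise ValueError(f"expected ')' at offset {pos}")
    return node, pos + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive compare)."""
    if node[0] == "=":
        _, attr, value = node
        values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
        return any(v.lower() == value.lower() for v in values)
    op, children = node
    results = [matches(child, entry) for child in children]
    return all(results) if op == "&" else any(results) if op == "|" else not results[0]

def search(login):
    """Return the account names the filter yields for this login."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", login):  # assumed allow-list
        return []
    node, _ = parse(FILTER.replace("{login}", login))
    return [e["sAMAccountName"][0] for e in DIRECTORY if matches(node, e)]
```

A plain memberOf equality match only sees groups the user is a direct member of, so a user who reaches Group1 or Group2 only through a nested group would not be returned by this filter.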