Block the ability to interact with Sonar from local environments

Must-share information (formatted with Markdown):

  • which versions are you using SonarQube Enterprise EditionVersion 8.9.9 (build 56886)
  • how is SonarQube deployed: Docker
  • what are you trying to achieve: Block the ability to interact with Sonar from laptops
    We have Stage and Prod environments. The prod is meant to be controlled via CI/CD and Stage is a sandbox where users can run experiments. We want to disable the ability to push data from laptops.

The solution could be:

  • Prevent creating personal tokens
  • Modify permissions of personal tokens so they can’t upload stats

I looked at Permission templates for default permissions, but I did not find anything useful.


Welcome to the community!

This is going to be a question of what permissions are granted to your users, not of token creation.

Ideally, only the technical account used by your CI to run analysis will have permissions to analyze a project. Individual developers shouldn’t have those permissions.

I suggest you check your permission template to make sure it’s limited in the analysis permissions it grants, and then consider re-applying it to your projects (via Administration → Projects → Management) to reset everything to base. Note that doing so will “kick out” individual project admins unless they’re in your template. So you would need to re-grant E.G. project leads the ability to administer their projects.

And BTW, under Administration → Security you have the ability to toggle whether project administrators have the ability to update the permissions on their projects (e.g. re-grant analyze). By default that’s on.


Hi Ann,

Thank you for getting back to me and clarifying.
It was super helpful.



It is also good to mention Global Permissions as they cover Execute Analysis permission.

What is the difference between Execute Analysis permission in Global Permissions and Permission Templates?


Granting a global permission gives the person or group that permission… globally - on all projects. Or access to global functions such as instance admin.

Granting a permission in a template is a potential permission. Nothing’s been granted, and won’t be until the next project is created and that permission template is applied.

Does that make sense?



Thank you for shedding some light on it. It was not obvious.

Which one is a higher priority if permission is mutually exclusive?
E.g. I have a template allowing analysis for a group, and I unselect it in global permissions.

A side idea for improvement
Verifying the user has permission at the beginning of the scan would save some time unless there’s a reason for scanning without being able to post the results back to Sonar.


Hi Przemek,

Permissions aren’t mutually exclusive. They’re addative. If you have permission through both a group and individually, and one - but only one - is removed, you still have permission.

Fair point. I’ll pass it on.


Thank you for the explanation.