How much privilege does the GLOBAL ACCESS TOKEN have?

SonarQube version: Community Edition v9.9.1
SonarQube deployed through zip

Hello!

I’m trying to understand how the Global Access token works and how much privilege it has. In our instance of SonarQube we have configured LDAP and every project access is AD Group based. For each project, we have 3 AD groups (Admin, Dev & Member) and their access differs respectively.
Also, all our projects are private, so the access is only AD group-based. Here, all the 3 AD groups have Execute Analysis permissions.

Now, we recently noticed that any user with a Global Access token can push the scan results to any project on the server irrespective of the project’s permission. Is this how it is supposed to work? If yes, is there a way to limit that/stop users from creating Global access tokens?

Also, in the documentation Generating and using tokens, it says “the user should have Global Execute Analysis Permission.” Where can I find this option in the server, is it the same one as in,
Administration → Security → Global Permissions → Execute Analysis?

Any advice/suggestion would be very much appreciated.

Thanks in Advance!!!

-Aravind

Hey there.

The Global Access Token will have all the same privileges as the user. If the user has the global Execute Analysis permission, that token will be able to execute analysis on any project.

Does that user have the global Execute Analysis permission? It’s indeed the one you reference here:


Hi @Colin,

Thank you for your response.

All-access is group-based. So, yes that group has this permission.

So, instead of giving Global Execute Analysis Permission to the groups, we should be assigning it to individual projects?

Do you see any other way how this can be done?

Also, is there an option to restrict users from creating certain kinds of tokens (only User & Project tokens / only Project & Global tokens)?

Thanks again…

-Aravind

If you don’t want users to have global rights to execute analysis – yes. Permission templates are also useful here.

There isn’t – and I’m not sure what the valid use-case would be that isn’t already solved by limiting permissions given to the user (as tokens cannot exceed those permissions).
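The two answers above come down to one check and one change: find out which groups hold Execute Analysis at the global level (that is what lets a Global Analysis Token push results to any project), then grant the same permission per project and revoke the global one. The script below is an added example, not code from the thread or from SonarSource. It assumes the SonarQube 9.9 web API endpoints api/permissions/groups, api/permissions/add_group and api/permissions/remove_group with the permission key "scan" (the API name for Execute Analysis), a token with Administer System in SONAR_TOKEN, the server in SONAR_HOST_URL, and a group-to-project mapping you supply; the sample response and mapping embedded in it are constructed so it runs offline as a dry run.

```python
"""Audit SonarQube's global Execute Analysis ("scan") permission and plan
moving it to per-project grants. Added example; assumes the 9.9 web API
endpoints api/permissions/groups, add_group and remove_group behave as
documented. Offline, it dry-runs against a constructed sample response."""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Permission key behind Administration > Security > Global Permissions > Execute Analysis
SCAN = "scan"

# Constructed sample of an api/permissions/groups response (no projectKey => global scope).
SAMPLE_RESPONSE = {
    "paging": {"pageIndex": 1, "pageSize": 100, "total": 3},
    "groups": [
        {"name": "sonar-administrators",
         "permissions": ["admin", "gateadmin", "profileadmin", "provisioning", "scan"]},
        {"name": "proj-alpha-dev", "permissions": ["scan"]},
        {"name": "proj-alpha-member", "permissions": []},
    ],
}
# Constructed mapping: which project(s) each AD group may analyse (hypothetical keys).
SAMPLE_GROUP_PROJECTS = {"proj-alpha-dev": ["alpha"]}


def _headers(token: str) -> dict:
    # A SonarQube token is sent as the Basic-auth user name with an empty password.
    return {"Authorization": "Basic " + base64.b64encode(f"{token}:".encode()).decode()}


def api_get(base_url: str, token: str, path: str, params: dict) -> dict:
    url = f"{base_url.rstrip('/')}/{path}?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(urllib.request.Request(url, headers=_headers(token))) as r:
        return json.load(r)


def api_post(base_url: str, token: str, path: str, params: dict) -> int:
    req = urllib.request.Request(f"{base_url.rstrip('/')}/{path}",
                                 data=urllib.parse.urlencode(params).encode(),
                                 headers=_headers(token), method="POST")
    with urllib.request.urlopen(req) as r:
        return r.status


def groups_with_global_permission(payload: dict, permission: str = SCAN) -> list:
    """Names of groups holding `permission` globally, from one page of an
    api/permissions/groups response. Pages hold at most 100 groups (ps=100),
    so call again with p=2,... if paging.total is larger."""
    return sorted(g["name"] for g in payload.get("groups", [])
                  if permission in g.get("permissions", []))


def plan_rescope(holders: list, group_projects: dict, permission: str = SCAN) -> list:
    """Ordered (endpoint, params) calls that move `permission` from the global
    scope to the mapped projects. Grants precede revokes so a pipeline never
    loses the right to analyse its own project mid-change. A holder with no
    mapping (e.g. sonar-administrators) is only revoked; review that before --apply."""
    plan = []
    for group in holders:
        for key in group_projects.get(group, []):
            plan.append(("api/permissions/add_group",
                         {"groupName": group, "projectKey": key, "permission": permission}))
    for group in holders:
        plan.append(("api/permissions/remove_group",
                     {"groupName": group, "permission": permission}))
    return plan


def main(argv: list) -> int:
    apply_changes = "--apply" in argv
    base_url, token = os.environ.get("SONAR_HOST_URL"), os.environ.get("SONAR_TOKEN")
    mapping_files = [a for a in argv if not a.startswith("--")]
    group_projects = json.load(open(mapping_files[0])) if mapping_files else SAMPLE_GROUP_PROJECTS

    if base_url and token:
        payload = api_get(base_url, token, "api/permissions/groups", {"permission": SCAN, "ps": 100})
    else:  # no server configured: dry-run against the constructed sample
        payload, apply_changes = SAMPLE_RESPONSE, False
    holders = groups_with_global_permission(payload)
    print("Groups with GLOBAL Execute Analysis:", holders or "none")
    for endpoint, params in plan_rescope(holders, group_projects):
        print(("APPLY   " if apply_changes else "DRY-RUN ") + endpoint, params)
        if apply_changes:
            api_post(base_url, token, endpoint, params)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it once with no arguments to see the dry run, then with a JSON mapping file and --apply once you are satisfied; the same grants can be pushed out for every new project by putting "Execute Analysis" on a permission template (api/permissions/apply_template) instead of on the global permission page. Since a token can never exceed its owner's permissions, once no LDAP group holds global Execute Analysis, a Global Analysis Token created by a member of those groups simply fails on projects the group was not granted.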

Hi @Colin,

Yes, you are correct. Thank you so much for your response.

-Aravind
