Sonarqube Version - Community Edition v9.9.1
Sonarqube deployed through zip
I’m trying to understand how the Global Access token works and how much privilege it has. In our instance of SonarQube we have configured LDAP and every project access is AD Group based. For each project, we have 3 AD groups (Admin, Dev & Member) and their access differs respectively.
Also, all our projects are private, so the access is only AD group-based. Here, all the 3 AD groups have Execute Analysis permissions.
Now, we recently noticed that any user with a Global Access token can push the scan results to any project on the server irrespective of the project’s permission. Is this how it is supposed to work? If yes, is there a way to limit that/stop users from creating Global access tokens?
Also, in the documentation Generating and using tokens, it says “the user should have Global Execute Analysis Permission.” Where can I find this option in the server, is it the same one as in,
Administration → Security → Global Permissions → Execute Analysis?
Any advice/suggestion would be very much appreciated.
Thanks in Advance!!!
The Global Access Token will have all the same privleges as the user. If the user has the global Execute Analysis permission, that token will be able to execute analysis on any project.
Does that user the global Execute Analysis permission? It’s indeed the one you reference here:
Thank you for your response.
All-access is group-based. So, yes that group has this permission.
So, instead of giving Global Execute Analysis Permission to the groups, we should be assigning it to individual projects?
Do you see any other way how this can be done?
Also, is there an option to restrict users from creating certain kinds of tokens(only User&Project tokens/only Project/Global tokens)?
If you don’t want users to have global rights to execute analysis – yes. Permission templates are also useful here.
There isn’t – and I’m not sure what the valid use-case would be that isn’t already solved by limiting permissions given to the user (as tokens cannot exceed those permissions).
Yes, you are correct. Thank you so much for your response.
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.