How to auto-apply a Permission template (with Project Key Pattern)

Hi there,

SonarQube version 8.2 here.
I found many suggestions like “you can set up permission templates that are applied automatically based on project key patterns”. However, so far I have not been able to test this successfully.
What I tried so far:

  1. Created a Permission template with Project Key Pattern “^xxxx-|^XXXX-” to react on a project prefix.
  2. Applied this to my Portfolio
  3. Created a new project - default template permissions were assigned. That’s ok.
  4. Added a Tag to attach my Project to my Portfolio
  5. Permissions didn’t change.
  6. Ran a pipeline and executed a scan. Pushed the data into my new project. Permissions are still the same.
  7. Went to the Portfolio and re-applied the Template again (hoping this will distribute the permissions to all children matching the name).
  8. Permissions are still the same (Original from Default template)

Of course I can select a few projects (matching and not matching the prefix) and apply the Template manually. But in that case it doesn’t care about the prefix and is applied to all projects selected.

So the question is: how do you apply this “automatically”?

Please advise.


Permission templates are applied automatically at project creation and… never again unless you apply them manually directly to the project. Inclusion in a portfolio has no impact. A project could be a member of multiple portfolios. If permissions were inherited from portfolio to project I guess this would be a last-saved-wins nightmare.

You need to figure out why they’re not being applied at step 3. Off-hand, the guess for that would be a problem with your key pattern.



Hi Ann,
Thanks for your prompt response.
Could you please suggest an option for our scenario then?

We have 1 instance.
We have multiple Dev Teams.
We separate the Teams on Portfolio level.
As by default all Sonar users see all new projects we created a default template that removes “browse” for all sonar-users.
So by default only owner can see and modify the Project settings.
Then we’d apply a template to assign a proper group (based on Portfolio).
Which as you are explaining doesn’t seem possible.

What are our options then to have the group auto-assignment?
As from what I see in security settings there can be only 1 default template assigned to all Projects.
So creating multiple Templates and separate them by Project Key Pattern is not an option.
Having someone ask an admin to manually apply a template every time a new project is created is also not the most convenient option.
So what would be the best practice for such case?
Maybe separate on Application level? never tested this.



Yes and no. There is only 1 default. Think of it as the default in a switch. If no other conditions match, it will be applied. But before you get to it, you have the chance to match the project key patterns set up in the other templates. Does that make sense?


Hi Ann,
Sorry, not completely.
Are you saying I can have 20 custom templates with different Key Patterns and then when I am creating a new project and the name would match one of these I’d get assigned appropriate permissions?
As this doesn’t seem so. I tested this scenario already and that doesn’t work.
Also your response gets more confusing, as “Default” template can mean 2 different things:
1 is the built-in template with name “Default” and 2 is a template that has been assigned with parameter Default Template for Project/Portfolio/Application.

So we have 3 types of templates:

  1. Default.
  2. Custom with parameter Default for Project
  3. Custom with Key Pattern.

So what is a correct way to detect 1 of 20 Teams by the name prefix and assign an appropriate template for each case?


The patterns in permissions templates don’t match project names, they match keys.


All above is still valid for cases when Name == Key. Which is our case.
Please advise on this.


I’ve just done some testing to make sure my memory was accurate and there haven’t been any regressions in this area. It was, and there haven’t.

In a new instance I created some test users and a template:

Then I analyzed a project with key=com.sonarsource.rule-api:rule-api. Here are its resulting permissions:

Note that my first test didn’t work. I used a bash pattern (com.sonar*) rather than a valid regular expression (com.sonar.*).

And just for the record, here’s my untouched default (as in what will be used for projects if nothing else is a match):
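
The matching behaviour discussed in this thread, as an added sketch that is not part of any post and not SonarQube's own code. It assumes a pattern must match the entire project key (consistent with `com.sonar*` failing and `com.sonar.*` working in the test above); raising on multiple matches is this example's own choice, and the template names and the `xxxx-billing` key are constructed.

```python
import re

# Constructed templates: (hypothetical name, project key pattern).
TEMPLATES = [
    ("team-x-anchored", r"^xxxx-|^XXXX-"),   # pattern from the first post
    ("team-x-full", r"(xxxx|XXXX)-.*"),      # same intent, covers the whole key
    ("sonar-glob", r"com.sonar*"),           # shell-style pattern from the test
    ("sonar-regex", r"com.sonar.*"),         # valid regex from the test
]
DEFAULT_TEMPLATE = "Default template"


def matching_templates(project_key, templates=TEMPLATES):
    """Return names of templates whose pattern covers the entire project key.

    Assumption: the whole key must match (re.fullmatch), not just a prefix.
    """
    return [name for name, pattern in templates
            if re.fullmatch(pattern, project_key)]


def resolve_template(project_key, templates=TEMPLATES, default=DEFAULT_TEMPLATE):
    """Pick the template for a new project; the default acts as a switch default."""
    matches = matching_templates(project_key, templates)
    if not matches:
        return default
    if len(matches) > 1:
        # Choice made by this example: ambiguous patterns are an error,
        # so access never depends on template ordering.
        raise ValueError(f"{project_key!r} matches several templates: {matches}")
    return matches[0]


def audit_patterns(sample_keys, templates=TEMPLATES):
    """Map each sample key to its matching templates, for review before rollout."""
    return {key: matching_templates(key, templates) for key in sample_keys}


if __name__ == "__main__":
    keys = ["xxxx-billing", "com.sonarsource.rule-api:rule-api", "other-project"]
    for key, names in audit_patterns(keys).items():
        print(f"{key:40} -> {names or [DEFAULT_TEMPLATE]}")
```

Running the audit over a list of expected project keys before creating the templates shows which keys would silently fall through to the default template and its permissions.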


Hi Ann,

So in other words, the answer to my question below

is YES 🙂

Thank you. I’ve tested more and indeed found an issue in my regular expression.

To close this topic could you confirm 1 more thing for me?
I want to add Projects to Portfolio automatically as well.
I found that I can do so using the same principle - regular expression.
I’ve tested this and it works well.
Only 1 thing is bothering me:
When creating a new Project it doesn’t get attached to the Portfolio right away, but only after the first scan.
So the question is: is that the only option, or is there some kind of cron job in the background that would attach the project within a certain time even without a scan?
Please clarify.

Thank you.


I’m glad you worked through the permissions issue. Technically I should make you open a new thread for the project/portfolio question, but…

There aren’t really* any crons in SonarQube. If you want that you’ll have to set up an external job that uses web services to find your new projects and associate them with the portfolio. But then that would be a manual assignment, not one based on regex. Your best bet is just to analyze promptly or to allow first analysis to do the project creation.


*IIRC there’s actually one that runs once a day to see if we need to send out any notices about the license - close to renewal time? close to LOC limit? …

Copy that.
Thanks a lot Ann.
This case can now be closed.
