SonarQube version 8.2 here.
I found many suggestions like “you can set up permission templates that are applied automatically based on project key patterns”. However, so far I have not been able to test this successfully.
What I tried so far:
1. Created a Permission template with Project Key Pattern “^xxxx-|^XXXX-” to react to a project prefix.
2. Applied this to my Portfolio.
3. Created a new project - default template permissions were assigned. That’s ok.
4. Added a Tag to attach my Project to my Portfolio. Permissions didn’t change.
5. Ran a pipeline and executed a scan. Pushed the data into my new project. Permissions are still the same.
6. Went to the Portfolio and re-applied the Template again (hoping this would distribute the permissions to all children matching the name). Permissions are still the same (original from the Default template).
Of course I can select a few projects (matching and not matching the prefix) and apply the Template manually. But in that case it doesn’t care about the prefix and is applied to all projects selected.
So the question is: how do you apply this “automatically”?
Permission templates are applied automatically at project creation and… never again unless you apply them manually directly to the project. Inclusion in a portfolio has no impact. A project could be a member of multiple portfolios. If permissions were inherited from portfolio to project I guess this would be a last-saved-wins nightmare.
You need to figure out why they’re not being applied at step 3. Off-hand, the guess for that would be a problem with your key pattern.
Hi Ann,
Thanks for your prompt response.
Could you please suggest an option for our scenario then?
We have 1 instance.
We have multiple Dev Teams.
We separate the Teams on Portfolio level.
As by default all Sonar users see all new projects we created a default template that removes “browse” for all sonar-users.
So by default only owner can see and modify the Project settings.
Then we’d apply a template to assign a proper group (based on Portfolio).
Which as you are explaining doesn’t seem possible.
What are our options then to have the group auto-assignment?
As from what I see in security settings there can be only 1 default template assigned to all Projects.
So creating multiple Templates and separate them by Project Key Pattern is not an option.
Every time someone creates a new project, asking an admin to manually apply a template is also not the most convenient option.
So what would be the best practice for such case?
Maybe separate on Application level? Never tested this.
Yes and no. There is only 1 default. Think of it as the default in a switch. If no other conditions match, it will be applied. But before you get to it, you have the chance to match the project key patterns set up in the other templates. Does that make sense?
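The switch-style selection described above, as an added sketch that is not part of the thread and not SonarQube's own code: it dry-runs a set of key patterns against planned project keys and reports which keys would fall through to the default template. The template names, the sample keys, the overlap check and the whole-key matching mode (modelled on Java's `String.matches`) are assumptions of this sketch; Python's `re` only approximates Java regex syntax.

```python
import re

# Constructed template set: name -> project key pattern. "team-x" uses the
# pattern quoted in the thread; the other names and patterns are hypothetical.
TEMPLATES = {
    "team-x": r"^xxxx-|^XXXX-",
    "team-y": r"yyyy-.*",
    "team-y-legacy": r"yyyy-old-.*",
}
DEFAULT = "default"  # the single fallback template, the "default in a switch"


def resolve(project_key, templates=TEMPLATES, whole_key=True):
    """Return (chosen_template, matching_templates) for one project key.

    whole_key=True is an ASSUMPTION of this sketch: the pattern must cover
    the entire key (as Java's String.matches would). whole_key=False lets a
    pattern match anywhere in the key, like a search.
    """
    match = re.fullmatch if whole_key else re.search
    hits = [name for name, pat in templates.items() if match(pat, project_key)]
    return (hits[0] if hits else DEFAULT), hits


def audit(project_keys, templates=TEMPLATES, whole_key=True):
    """Dry-run key patterns against planned project keys before creation."""
    report = {"assigned": {}, "fell_to_default": [], "ambiguous": {}}
    for key in project_keys:
        chosen, hits = resolve(key, templates, whole_key)
        report["assigned"][key] = chosen
        if not hits:
            report["fell_to_default"].append(key)  # gets default permissions
        elif len(hits) > 1:
            report["ambiguous"][key] = hits  # overlapping patterns
    return report


# Constructed sample keys, not taken from a real instance.
SAMPLE_KEYS = ["xxxx-billing", "XXXX-portal", "yyyy-api", "yyyy-old-batch", "zzzz-tool"]

if __name__ == "__main__":
    for mode in (True, False):
        print("whole_key =", mode, audit(SAMPLE_KEYS, whole_key=mode))
```

Keys listed under `fell_to_default` would receive only what the default template grants, so checking that list before projects are created shows whether a team's group will be assigned at creation time.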
Hi Ann,
Sorry, not completely.
Are you saying I can have 20 custom templates with different Key Patterns and then when I am creating a new project and the name would match one of these I’d get assigned appropriate permissions?
As this doesn’t seem so. I tested this scenario already and that doesn’t work.
Also your response gets more confusing, as “Default” template can mean 2 different things:
1 is the built-in template with name “Default” and 2 is a template that has been assigned with parameter Default Template for Project/Portfolio/Application.
So we have 3 types of templates:
Default.
Custom with parameter Default for Project
Custom with Key Pattern.
So what is a correct way to detect 1 of 20 Teams by the name prefix and assign an appropriate template for each case?
Thanks.
Thank you. I’ve tested more and indeed found an issue in my regular expression.
To close this topic could you confirm 1 more thing for me?
I want to add Projects to Portfolio automatically as well.
I found that I can do so using the same principle - regular expression.
I’ve tested this and it works well.
Only 1 thing is bothering me:
When creating a new Project it doesn’t get attached to the Portfolio right away, but only after the first scan.
So the question is: is that the only option, or is there some kind of cron job in the background that would attach the project within a certain time even without a scan?
Please clarify.
I’m glad you worked through the permissions issue. Technically I should make you open a new thread for the project/portfolio question, but…
There aren’t really* any crons in SonarQube. If you want that you’ll have to set up an external job that uses web services to find your new projects and associate them with the portfolio. But then that would be a manual assignment, not one based on regex. Your best bet is just to analyze promptly or to allow first analysis to do the project creation.
HTH,
Ann
*IIRC there’s actually one that runs once a day to see if we need to send out any notices about the license - close to renewal time? close to LOC limit? …