Must-share information (formatted with Markdown):
-
which versions are you using SonarQube server Enterprise edition 2025.2
-
how is SonarQube deployed: Docker
-
what are you trying to achieve
We’ve defined an admin permission template which grants every permission to a given group. We’ve noticed that people in this group are unable to administer projects. To do so, the have to perform the “Restore access” action inside Projects Management Admin section.
Every time we apply the template to a given project, we lose project admin permissions. We’ve also noticed that giving full access to specific users on the Permission Template and then applying it to a project gives project’s admin permissions, so we’re wondering if group templates are applied first (granting all permissions), and then user permissions are applied (denying project admin permission).
However this only happens with Project Admin permissions, applying other permissions work as expected.
We’ve noticed this happening after upgrading to 2025.2, but it may have been happening before
- what have you tried so far to achieve this
See above
Do not share screenshots of logs – share the text itself (bonus points for being well-formatted)!
2 Likes
We’ve seen that this also happens with the “Administer issues” permission
Global permissions for admins look like:
There are several groups from active directory that have the same permissions, the idea being that these groups should be able to do everythin in SonarQube. sonar-users group has granted the execute analysis permission.
The permission template being applied to every project (redacted text shows internal active directory info):
Admin users also belong to both groups with gaps (they’re populated from acive directory groups), which correspond to normal SQ users.
Applying the template to a given project does not give project administration access nor issue administration to it. If we “fill” the gaps on the permission template and then apply it again to the project, admins are able to administrate it and its issues. If we then leave the permission template as it was originally and then apply it again to the project (from the project management admin area), admins are still able to administer project and issues. Strangely enough, if we apply the template from the project admin area, admins lose project and issue administration capabilities.
Current workaround is either to Restore Access to project and, from the project administration area, give issue administration permissions or modifying the Permissions Template as per above; but both of them are far from ideal.
It’d be nice if project, issue and security hotspot administration permissions could be set globally
We’ve noticed that this began to happen when upgrading to 2025.1.1
