Which versions are you using: SonarQube EE 9.9 LTS
How is SonarQube deployed: Docker
What are you trying to achieve
Like many organisations, we have teams curating many projects. I would like the team leads to get the Admin permission, to allow them to see Project settings, e.g. New Code, for projects they are responsible for.
We group projects by tags; every team has its own unique tag. (Also used for portfolios)
Is there a way of assigning project admin permission to one person or a group?
Is there a way to do it automatically? I.e. we tag a project and a dedicated person/group gets admin permission?
Is there any other way of meeting the requirement of having project admins for a group of projects?
What have you tried so far to achieve this
Searched documentation and community for similar topics.
I’ve moved this to the ‘Product Manager for a Day’ category, because the functionality you’re asking for doesn’t exist.
That said, what does exist is the ability to grant the “project creator” specific rights to the projects she creates. So: how are your projects created? Are they created in SonarQube automatically, on first analysis? Or do your team leads create them via the UI before the first analysis?
All our projects are created automatically by the CI first analysis, thus we can’t assign admin permission to the project creator as it would be the ci-user.
Is there a way to update the “project creator”, and assign the admin permission to them?
I’m thinking out loud…
We have GitHub teams and CODEOWNERS in every repository. On the first analysis we could read that file and override the “project creator” property.
Is it a promising rabbit hole to chase?
Nonetheless, thank you for pushing my question (feature request) onto Product.
UPDATE:
The idea is likely a blind path since the documentation says:
While templates can be applied after project creation, applying a template that includes Creators permissions to an existing project/portfolio/application will not grant the relevant permissions to the project’s original creator because that association is not stored.
The Creator allocation in permission templates is basically a hack to make sure that the person who created a project isn’t locked out of it because they lack global rights.
And I think the CODEOWNERS list is an interesting angle.
In the meantime, you could script the addition of the permissions…?
Would you provide a suggestion on how we could approach it?
I’m thinking high-level around permissions API.
We could probably map GH and sonar profiles, as every user should have SCM Accounts in the profile settings. Based on that and CODEOWNERS, we could assign permissions.
I think it’s worth exploring, although it’s a bit convoluted.
Would you suggest a more straightforward solution?
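A sketch of the CODEOWNERS-to-permissions script discussed above, added here as an example and not code from any poster or from SonarSource. It assumes each user's SCM Accounts hold their GitHub handle or e-mail, that `sq_users` is shaped like the `users` array returned by `api/users/search`, and that `team_to_group` is a hypothetical hand-maintained map from GitHub teams to SonarQube groups. Owners that cannot be resolved are reported and receive nothing.

```python
import base64
import urllib.parse
import urllib.request

def default_owners(codeowners_text):
    """Owners of the catch-all '*' rule; the last matching rule wins in CODEOWNERS."""
    owners = []
    for raw in codeowners_text.splitlines():
        parts = raw.split("#", 1)[0].split()          # drop comments, split on whitespace
        if len(parts) >= 2 and parts[0] == "*":
            owners = parts[1:]
    return owners

def plan_grants(project_key, owners, sq_users, team_to_group):
    """Return (grants, unmapped); team_to_group is a hypothetical team -> group map."""
    by_scm = {a.lower(): u["login"] for u in sq_users for a in u.get("scmAccounts", [])}
    grants, unmapped = [], []
    for owner in owners:
        if owner.startswith("@") and "/" in owner:    # @org/team -> SonarQube group
            name, key, path = team_to_group.get(owner), "groupName", "api/permissions/add_group"
        else:                                         # @handle or e-mail -> user login
            login = by_scm.get(owner.lstrip("@").lower())
            name, key, path = login, "login", "api/permissions/add_user"
        if name is None:
            unmapped.append(owner)                    # no match: grant nothing
        else:
            grants.append((path, {key: name, "projectKey": project_key, "permission": "admin"}))
    return grants, unmapped

def apply_grants(base_url, admin_token, grants):
    """POST each grant; a SonarQube token is sent as the Basic-auth user name."""
    auth = base64.b64encode(f"{admin_token}:".encode()).decode()
    for path, params in grants:
        req = urllib.request.Request(f"{base_url}/{path}", method="POST",
                                     data=urllib.parse.urlencode(params).encode(),
                                     headers={"Authorization": f"Basic {auth}"})
        urllib.request.urlopen(req).close()

# Constructed sample input (not from the thread).
SAMPLE_CODEOWNERS = "*  @alice\n/docs/ @bob\n* @acme/payments @Carol dave@example.com @erin\n"
SAMPLE_USERS = [{"login": "carol.sq", "scmAccounts": ["carol"]},
                {"login": "dave.sq", "scmAccounts": ["dave@example.com"]}]
SAMPLE_TEAMS = {"@acme/payments": "payments-leads"}

if __name__ == "__main__":
    owners = default_owners(SAMPLE_CODEOWNERS)
    print(plan_grants("payments-api", owners, SAMPLE_USERS, SAMPLE_TEAMS))
```

Running it as a script only prints the plan; `apply_grants` needs a token whose owner can administer the target projects, so review the `unmapped` list and the plan before calling it.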
Thanks for taking the time to share your needs with us. Your needs align with one of our key goals for the year, which is to simplify project creation at scale. You’ll find a card about it on our portal here.
More specifically about permissions on projects, we’re working on keeping them in sync with the main DevOps platforms, starting with GitHub. Do you think this approach would be convenient in helping you achieve what you are looking for?
I look forward to the simplification and centralisation of the permission model. GitHub is an excellent source. If that allows assigning an admin/owner of a project dynamically, it’s all I need. It would be even better if that was an ongoing sync, meaning whenever I change the permission in GH, it replicates in SQ.
I do not have enough context on the “Simplify automation of projects creation” proposal. We create projects from the pipeline on the fly, which is simple enough. However, any further simplification is welcome.