- Which versions are you using: SonarQube EE 9.9 LTS
- How is SonarQube deployed: Docker
What are you trying to achieve
Like many organisations, we have teams curating many projects. I would like the team leads to get the Admin permission, to allow them to see Project settings, e.g. New Code, for projects they are responsible for.
We group projects by tags; every team has its own unique tag. (Also used for portfolios)
Is there a way of assigning project admin permission to one person or a group?
Is there a way to do it automatically? I.e. we tag a project and a dedicated person/group gets admin permission?
Is there any other way of meeting the requirement of having project admins for a group of projects?
What have you tried so far to achieve this
Searched documentation and community for similar topics.
I’ve moved this to the ‘Product Manager for a Day’ category, because the functionality you’re asking for doesn’t exist.
That said, what does exist is the ability to grant the “project creator” specific rights to the projects she creates. So: how are your projects created? Are they created in SonarQube automatically, on first analysis? Or do your team leads create them via the UI before the first analysis?
Thank you for getting back to me.
All our projects are created automatically by the CI first analysis, thus we can’t assign admin permission to the project creator as it would be the ci-user.
Is there a way to update the “project creator”, and assign the admin permission to them?
I’m thinking out loud…
We have GitHub teams and CODEOWNERS in every repository. On the first analysis we could read that file and override the “project creator” property.
Is it a promising rabbit hole to chase?
Nonetheless, thank you for pushing my question (feature request) onto Product.
The idea is likely a blind path since the documentation says:
While templates can be applied after project creation, applying a template that includes Creators permissions to an existing project/portfolio/application will not grant the relevant permissions to the project’s original creator because that association is not stored.
Ref: Creators permissions
The Creator allocation in permission templates is basically a hack to make sure that the person who created a project isn’t locked out of it because they lack global rights.
And I think the CODEOWNERS list is an interesting angle.
In the meantime, you could script the addition of the permissions…?
I believe it’s a path worth exploring.
Would you provide a suggestion on how we could approach it?
I’m thinking high-level around permissions API.
We could probably map GH and sonar profiles, as every user should have SCM Accounts in the profile settings. Based on that and CODEOWNERS, we could assign permissions.
I think it’s worth exploring, although it’s a bit convoluted.
Would you suggest a more straightforward solution?
Yes, after the first analysis / project creation, you could iterate the CODEOWNERS and make permissions API calls.
The best way to master the API is to perform the desired action via the UI and eavesdrop to see which calls the UI made to accomplish the action.
You may also find this guide helpful.
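A sketch of the approach suggested in this thread, added here as an example and not code from any participant or from SonarSource: it reads the repo-wide `*` rule of a CODEOWNERS file and plans one `api/permissions/add_group` call per owner that appears in an explicit allow-list, so an edit to CODEOWNERS alone cannot hand out project admin rights. The team-to-group map, the project key and the sample file are constructed, and using only the `*` rule is an assumption of this example.

```python
import base64
import urllib.parse
import urllib.request

def root_owners(codeowners_text):
    """Owners of the repo-wide '*' rule; in CODEOWNERS the last matching rule wins."""
    owners = []
    for raw in codeowners_text.splitlines():
        fields = raw.split("#", 1)[0].split()    # drop comments, split on whitespace
        if fields and fields[0] == "*":
            owners = fields[1:]                  # a later '*' rule replaces earlier ones
    return owners

def plan_grants(project_key, codeowners_text, team_to_group):
    """Return (calls, skipped): one add_group call per allow-listed owner."""
    calls, skipped = [], []
    for owner in root_owners(codeowners_text):
        group = team_to_group.get(owner.lower())
        if group is None:
            skipped.append(owner)                # unmapped owner: never auto-granted
            continue
        call = ("api/permissions/add_group",
                {"projectKey": project_key, "groupName": group, "permission": "admin"})
        if call not in calls:
            calls.append(call)
    return calls, skipped

def apply_grants(base_url, token, calls):
    """POST each planned call; a SonarQube token is sent as the Basic-auth username.
    The token's user needs Administer rights on the project or system."""
    auth = base64.b64encode(f"{token}:".encode()).decode()
    for path, params in calls:
        req = urllib.request.Request(
            f"{base_url.rstrip('/')}/{path}",
            data=urllib.parse.urlencode(params).encode(),
            headers={"Authorization": f"Basic {auth}"},
            method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            resp.read()                          # HTTPError is raised on 4xx/5xx

# Constructed sample input (hypothetical teams and groups).
SAMPLE_CODEOWNERS = """\
# repo-wide owners
*        @acme/platform-leads
/docs/   @acme/tech-writers
*        @acme/payments-leads @some-individual  # later rule wins
"""
SAMPLE_MAP = {"@acme/payments-leads": "payments-leads"}

if __name__ == "__main__":
    calls, skipped = plan_grants("payments-api", SAMPLE_CODEOWNERS, SAMPLE_MAP)
    print("planned:", calls)
    print("skipped (not in allow-list):", skipped)
```

Run the planning step from the CI job after the first analysis and log the skipped owners for review; `apply_grants` is the only part that touches the server.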
Thank you for the hint on reverse engineering Sonar.
I will explore that path.
Furthermore, I look forward to seeing this as an official feature.
Please share the feature request board if you have one so I can vote for it.
Thanks for taking the time to share your needs with us. Your needs align with one of our key goals for the year, which is to simplify project creation at scale. You’ll find a card about it on our portal here.
More specifically about permissions on projects, we’re working on keeping them in sync with the main DevOps platforms, starting with GitHub. Do you think this approach would be convenient in helping you achieve what you are looking for?
Thank you for getting back to me.
I look forward to the simplification and centralisation of the permission model. GitHub is an excellent source. If that allows assigning an admin/owner of a project dynamically, it’s all I need. It would be even better if that was an ongoing sync, meaning whenever I change the permission in GH, it replicates in SQ.
I do not have enough context on the “Simplify automation of projects creation” proposal. We create projects from the pipeline on the fly, which is simple enough. However, any further simplification is welcome.
Thanks for sharing.
We’re actually working on making this sync happen.