error observed: project admin permissions not added to new admin groups
steps to reproduce
** new SonarQube server, with one admin group
** created several projects + associated analysis
** admin user is able to see project settings on each project page
** create a new admin group and there new admin users (in our case, this group was populated from ldap, but that shouldn’t matter) and assign all global permissions and project template permissions. Assign every permission you could assign in SonarQube to this new group.
** new admin user are unable to see the project settings for the current project, but they’re able to see project administration pages for new projects.
potential workaround
** execute a manual INSERT sql statements on group_roles for the new group and component for each row of permissions referring to the original admin group
yes of course. When we installed our SQ instance, the sonar-administrator group is automatically created. Later on, we had the need to set up a new admin group:
Manually navigating to the project admin area prompts on a login with an account with enough privileges. Accounts that are part of the sonar-administrator group can administer per project (had an screenshot showing this but seems I’m not allowed to post more than 3 images)
On new projects, all “new” and “old” admin groups can administer per project.
Digging into SQ’s database, seems that upon granting admin permissions to the new group, does not reflect per project, there aren’t any rows on the group_roles table linking the admin permissions with each component/project. For new projects though, the rows are created, so it seems that the group_roles table isn’t updated when granting/ungranting permissions to a group.
You say that the new admin group is in your permissions template and obviously that’s working as expected when you create new projects. The thing is that there’s no ongoing relationship between a permissions template and a project. So updating a template does not also update the projects that used it on creation.
I think of it like a cookie cutter. If I use a round cookie cutter to cut out 12 circles of dough and then drop the cookie cutter and dent it, those 12 circles are unaffected. It’s only new cookies that will have the dent. It’s the same here.
And you can re-apply a permissions template from Administration->Projects->Management.
thanks for yout time looking into this, it’s greatly appreciated Somehow I expected the changes on the project permissions template to be applied to all projects once updated, but the behaviour you describe, once known, totally makes sense too.
Reapplying permissions template from Administration → Projects → Management works like a charm!