Project Key permissions

SonarQube version: 6.7

Currently, we use above version and teams can use or sonar.branch. I know that sonar.branch will make a new project based on the branch also, which is a problem. And I know that 7.x will fail analysis if sonar.branch is used

Another problem is that teams can use a branch name in project key, or name etc.

I’m looking to put a stop to that, my proposed solution is to use a project permission template and using the pattern so that this won’t happen.
example, if a team tries to create a project like: 1234_new_sonarqube_project_master
I’d like to block that by using pattern maybe below:

Is this a reasonable idea or are there any problems in that?
I’ve tested the regex on: and it works for above

I’d love to hear ideas or feedback/criticism
Hopefully we will move to 7.9 soon, but in the meantime I’d like to block project analysis like that


I applaud your creativity in trying to find ways to solve this problem. Unfortunately, your project permission template won’t quite do what you expect… but maybe it can still help.

What the regex in the project permission template does is say “apply this set of permissions to new projects with keys like this…”. So it won’t prevent project creation. For that you need to limit the set of users with project creation permissions (and train the chosen ones).

But what you could do with project permission templates is have a default template with locked down permissions - so that even if I do create my project I can’t do anything with it afterward & have to come to you for help (cue lecture and project deletion…). And then have your permission template with the regex that matches acceptable keys so that I have what I need on the okay projects.

Hope this both makes sense and helps.


Hi Ann
Thanks for getting back to me.
So project key pattern on a permission template won’t stop project creation?
I had assumed that if I have a permission template, and add a user/group to that - the user/group can execute analysis on that only if the project key pattern matches the project key they provide?
example. permission template = 1234_template, has all permissions like execute analysis, has my user karl_admin on it, with project key pattern: ^(?!. master). [^0-9].*$ - that won’t reject a project creation by my user login for a project key : 1234_project_master ?
So, if it does allow project creation for above, what will it limit? if can still analyse the project if my project key is trying to exclude strings like master?


No. Only revoking project creation rights will do that.

That’s not how templates work. Permission templates are applied at project creation and there is no ongoing relationship after that initial application. The project key pattern says “apply this template for projects that follow this pattern”. Let’s say I have this:

  • template A, Project key pattern a*
    • Joe has analysis rights
  • template Default, (no Project key pattern)
    • Jane has analysis rights

When I create project apple, template A is applied. Joe has analysis rights. If I then modify template A to give Jane analysis rights… nothing happens for project A; Jane still can’t analyze it.

So, how to use permission templates toward your goal?

  • template A, Project key pattern: ^(?!. master). ^(?!. feature). ^(?!. develop). (?!. bugfix). [^0-9].*$
    • No one has project admin or analysis rights
  • template Default
    • Creator has project admin and analysis rights

Jane is able to create 1234_new_sonarqube_project_master but then can’t do anything else with it.