As per our Information Security policies, we are required to segregate roles and permissions when working with Sonarcloud.
Hence, the Developers only have the permission to Execute Analysis and not to administer any issues or vulnerabilities.
However, we need to make an exception for the Quality rule failures relating to “Line Coverage”.
If the “Line coverage” is below the threshold, we still want to grant permissions to a Lead-level user to mark and close the issue in Sonarcloud. However, we cannot give these users any permissions to close security vulnerabilities or hotspots.
Can this be done, i.e. granularly granting a user or group permission to close only certain types of issues?
Hey there.
It’s not possible to narrow down permissions for administering issues further than Administer Issues and Administer Security Hotspots.
Generally, we believe developers should be empowered to take decisions on issues – or at least have members of development teams – such as team leaders – be granted such permissions.
If the issue really comes down to needing an exception for a single rule, do you really want to have this rule enabled at all? This rule can be disabled via adjustments to Quality Profiles. This rule is not enabled by default, which means it must have been enabled in a new Quality Profile your organization is using.
(As an aside, these “common” rules that turn file-level measures into file-level issues are from way back when our Clean as you Code philosophy wasn’t so clear. I don’t think these rules add much value today – if you need to keep track of coverage, do so in your Quality Gate).