Self provisioning of Sonar Group without Global Admin permission

ldap
permissions
sonarqube

(Vaibhav) #1

I am using Sonarqube 7.2. I am able to create Sonar groups using Global Admin. But I want users who have only project admin permission to create groups for their projects(self provision). Right now users with project admin permission can add other users to existing groups and change their permission sets, but they can’t create new groups themselves.

Is there a way/solution to do this?


(Nicolas Bontoux) #2

Hi,

I don’t quite agree with that. If all a user has is project admin permission, then yes he can edit permissions on for existing users/groups on that project, however it cannot add other users to existing groups.

Anything around creating users/groups and/or modifying user-group membership requires global admin permission.


(Vaibhav) #3

Thats a problem for large enterprises, managing 100s of groups for users is not which I would honestly like to do.
I am thinking of Github authentication for sonarqube but using one tool to authenticate another would violate security.

Can this be added as a new feature request for sonarqube?


(Nicolas Bontoux) #4

I can understand that fully managing users and groups in SonarQube can be a problem for large enterprises as you put it, that said I don’t think there will be new features on this front. For one simple reasons: SonarQube offers LDAP integration ! This is typically what large organizations leverage to manage authentication effectively (whether it’s for SonarQube or other applications).

Cherry on the cake, SonarQube supports LDAP Group Mapping, which allows to auto-synch group membership from what is defined in LDAP/AD. Details in those documentation links I’ve put here.


(Vaibhav) #5

Thanks, LDAP integration and Group mapping works.