User and Group administration in SonarQube

Hello team,

We are using SonarQube Developer Edition (6.3.0.1234) and LDAP for authentication.

We have the below LDAP configuration in the sonar.properties file.

ldap.url=<<LDAP-URL>>
ldap.bindDn=CN=LDAPUser-Sonarqube,OU=LDAP,OU=Users,OU=abcd,DC=domain,DC=abcd-domain,DC=de
ldap.bindPassword=<<Bind password>>
ldap.user.baseDn=OU=Users,OU=abcd,DC=domain,DC=abcd-domain,DC=de
ldap.user.request=(sAMAccountName={0})
ldap.user.realNameAttribute=cn
ldap.user.emailAttribute=mail
ldap.group.baseDn=OU=Groups,OU=abcd,DC=domain,DC=abcd-domain,DC=de
ldap.group.request=(&(objectClass=group)(member={dn}))
ldap.group.idAttribute=sAMAccountName

In SonarQube, we have the default groups sonar-users and sonar-administrators, and some other project-specific groups.

Issue 1: If a user is added to either the sonar-administrators group or any other project-specific group, the user's access is removed once the user logs in to SonarQube. User permissions at “global permission” work. But we are unable to manage user and group authorization from SonarQube.

Issue 2: We need to give access to external employees who should be able to view only a specific application and not all the projects that exist in SonarQube. What would be the better approach in this case?

We had a plan to create a group, add the employees to the group, and create and apply a permission template specific to that project. But when a user is created in SonarQube, by default they get membership in sonar-users, which we need to get rid of.
Issues we are facing in this approach:

  • We are unable to remove the users from the sonar-users group. Do you have any solution for how to remove users from the default group?
  • If a user is associated with sonar-users, which has the least privilege, and a project-specific group, which has the highest privilege, then which permission would be applied? Is it the least or the highest privilege?

Hi,

Welcome to the community!

Per the docs, when you enable group mapping (which you have done by configuring the ldap.group properties), all the user’s groups - except one - are synced from your IDP with each login. The one that is not synced:

  • Membership in the default group sonar-users remains (this is a built-in group) even if the group does not exist in the identity provider

This means that every user will be added to this default group, and you cannot prevent that by revoking sonar-users membership. If you need to control who can do / see what, you should manage that through group permissions, not through sonar-users membership.

However, group sync does not create groups in SonarQube for you. They must exist in both places, with the same name (capitalization counts) for syncing to work.

HTH,
Ann
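To make the two points in the answer concrete (group membership is replaced from LDAP at every login, names must match exactly, and sonar-users always stays), here is a constructed simulation of that sync logic. This is an added example, not SonarQube's own code or the original poster's configuration: it evaluates the `ldap.group.request` filter from the question against a handful of made-up directory entries, then intersects the result with a made-up list of SonarQube groups. The user DN, group names and membership lists are all invented for the demo.

```python
"""
Constructed simulation of LDAP group sync as described in the thread.
Not SonarQube code: the directory entries, group names and the user DN
below are made up for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Built-in group whose membership the sync never revokes (per the docs quoted above).
DEFAULT_GROUP = "sonar-users"


@dataclass
class LdapGroup:
    sam_account_name: str      # ldap.group.idAttribute=sAMAccountName
    members: List[str]         # values of the 'member' attribute (user DNs)
    object_class: str = "group"


def ldap_groups_for_user(user_dn: str, directory: Iterable[LdapGroup]) -> Set[str]:
    """Evaluate ldap.group.request=(&(objectClass=group)(member={dn})) for one user.

    DN comparison is case-insensitive, as LDAP DN matching normally is; the
    returned values are the raw sAMAccountName strings (no case folding).
    """
    wanted = user_dn.lower()
    return {
        g.sam_account_name
        for g in directory
        if g.object_class == "group" and any(m.lower() == wanted for m in g.members)
    }


def synced_memberships(
    user_dn: str,
    directory: Iterable[LdapGroup],
    sonar_groups: Set[str],
    local_memberships: Set[str],
) -> Tuple[Set[str], Set[str]]:
    """Return (effective memberships after login, memberships that were dropped).

    - LDAP groups are matched to SonarQube groups by exact, case-sensitive name;
      a group that exists only in LDAP is ignored, not created.
    - Memberships assigned only inside SonarQube do not survive the login
      (this is the behaviour behind Issue 1 in the question).
    - sonar-users is always kept.
    """
    effective = {g for g in ldap_groups_for_user(user_dn, directory) if g in sonar_groups}
    effective.add(DEFAULT_GROUP)
    dropped = set(local_memberships) - effective
    return effective, dropped


def unmatched_groups(
    directory: Iterable[LdapGroup], sonar_groups: Set[str]
) -> Tuple[Dict[str, str], Set[str]]:
    """Diagnostic: LDAP groups with no exact-name counterpart in SonarQube.

    Case-only mismatches are reported separately from groups that are
    missing altogether, since differing capitalization is the easy mistake.
    """
    by_lower = {g.lower(): g for g in sonar_groups}
    case_only: Dict[str, str] = {}
    missing: Set[str] = set()
    for g in directory:
        if g.object_class != "group" or g.sam_account_name in sonar_groups:
            continue
        if g.sam_account_name.lower() in by_lower:
            case_only[g.sam_account_name] = by_lower[g.sam_account_name.lower()]
        else:
            missing.add(g.sam_account_name)
    return case_only, missing


# --- constructed sample data (hypothetical, not from the original post) ---
USER_DN = "CN=Jane Doe,OU=Users,OU=abcd,DC=domain,DC=abcd-domain,DC=de"
OTHER_DN = "CN=Bob Roe,OU=Users,OU=abcd,DC=domain,DC=abcd-domain,DC=de"

DIRECTORY = [
    LdapGroup("sonar-administrators", [OTHER_DN]),          # user is NOT a member in LDAP
    LdapGroup("Project-Alpha-Viewers", [USER_DN]),          # capitalization differs from SonarQube
    LdapGroup("project-beta", [USER_DN]),                   # exists in both places, same name
    LdapGroup("external-vendors", [OTHER_DN]),              # no SonarQube counterpart at all
    LdapGroup("all-staff", [USER_DN], object_class="distributionList"),  # filtered out by objectClass
]
SONAR_GROUPS = {"sonar-users", "sonar-administrators", "project-alpha-viewers", "project-beta"}

# Memberships an admin granted by hand in the SonarQube UI before the next login.
LOCAL_MEMBERSHIPS = {"sonar-users", "sonar-administrators", "project-beta"}

if __name__ == "__main__":
    effective, dropped = synced_memberships(USER_DN, DIRECTORY, SONAR_GROUPS, LOCAL_MEMBERSHIPS)
    print("after login:", sorted(effective))
    print("revoked by sync:", sorted(dropped))
    print("case mismatches / missing:", unmatched_groups(DIRECTORY, SONAR_GROUPS))
```

Running it shows the symptom from Issue 1: the hand-granted sonar-administrators membership is revoked at login because the LDAP group does not list the user, project-beta survives because it exists identically in both places, and Project-Alpha-Viewers is silently ignored because of the capitalization difference; sonar-users is present regardless of what LDAP says. The `unmatched_groups` check is the kind of thing worth running before turning group mapping on.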

Hi,
Thank you very much for your reply; the problem has been resolved. Now I have a clearer idea of how this exactly works.