Users are removed from "Administer Security Hotspots" group at login

Hi,

My purpose is to create a new Sonar user group to let some users manage Security Hotspots.

What I’ve done:

  1. In the “Default template” (of the “Permission Templates” screen), I’ve created a new group with the following permission: “Administer Security Hotspots”
  2. In the “Groups” management screen, I went to that new group and added some users
  3. In the “Users” screen, I’ve checked whether they belong to the new group. Everything looks fine.

The issue:
One of the users of the “Administer Security Hotspots” group tried to update the status of a security hotspot and didn’t succeed. The field was grey and read-only with a pop-up “Changing a hotspot’s status requires permission”. It’s as if the user doesn’t have the suitable permission.

I went back to the administration and discovered the user is no longer in the “Administer Security Hotspots” group.
I added him again to this group and asked him to retry: same issue.
I added him again to this group and asked him to log out and log in. Just after he logged in, I refreshed the admin screen and saw him disappear from the group.
This user also belongs to the following group “sonar-users” with permissions “Browse” & “See Source Code” and nothing else.

Is there anything which prevents a user having only those 2 permissions (“Browse” & “See Source Code”) from having the permission to “Administer Security Hotspots”?
Maybe another permission must be set?

Many thanks for your help!

Hey there.

Are you also delegating authentication to an external identity provider like LDAP? As noted in the documentation on Delegated Authentication:

> When group mapping is configured, the delegated authentication source becomes the only place to manage group membership, and the user’s groups are re-fetched with each log in.

Meaning that if you are manually managing group membership and have ldap.group.* parameters configured, group membership will be revoked for users upon login if that group doesn’t also exist in LDAP (the same applies for other delegated authentication mechanisms as well: SAML, GitHub, etc.)

Many thanks Colin, this is exactly what I forgot.
Problem solved!
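
The login-time group sync described in the reply above, modelled as an added example (not part of any post in this thread and not SonarQube code). It assumes directory groups are matched to SonarQube groups by name and that the default `sonar-users` group is always retained; the properties sample, hosts and function names are constructed for illustration.

```python
# Added example: a model of the login-time group sync, not SonarQube code.

# Constructed sample of sonar.properties; hosts and DNs are placeholders.
SAMPLE_PROPERTIES = """\
sonar.security.realm=LDAP
ldap.url=ldap://ldap.example.test
ldap.user.baseDn=ou=people,dc=example,dc=test
# ldap.group.request=(uniqueMember={dn})
ldap.group.baseDn=ou=groups,dc=example,dc=test
"""

DEFAULT_GROUP = "sonar-users"  # assumption: the default group is always kept


def group_mapping_enabled(properties_text):
    """Return True if any uncommented ldap.group.* key is set."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or properties-file comment
        key = line.split("=", 1)[0].strip()
        if key.startswith("ldap.group."):
            return True
    return False


def groups_after_login(properties_text, local_groups, idp_groups, sonar_groups):
    """Model the user's SonarQube groups after the next login.

    local_groups: groups assigned to the user in the SonarQube UI
    idp_groups:   groups the directory returns for the user
    sonar_groups: every group defined in SonarQube (assumed matched by name)
    """
    if not group_mapping_enabled(properties_text):
        return set(local_groups)  # no mapping: manual membership survives
    # Mapping on: the directory is the only source of membership.
    return (set(idp_groups) & set(sonar_groups)) | {DEFAULT_GROUP}


def revoked_on_login(properties_text, local_groups, idp_groups, sonar_groups):
    """Manually assigned groups the user will lose at the next login."""
    kept = groups_after_login(properties_text, local_groups, idp_groups, sonar_groups)
    return sorted(set(local_groups) - kept)
```

Running `revoked_on_login` over each user's UI-assigned groups before enabling group mapping shows which permission-bearing groups need a same-named counterpart in the directory.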
