Users able to view the presence of a PRIVATE Portfolio, without permission

  • SonarQube version: 10.5.1 Enterprise
  • SonarQube deployed: zip

Hello Sonar Community,

There’s some strange behavior in how access is being controlled for portfolios.
A user, without having access to a portfolio or the projects in that portfolio, is able to view them in the Portfolios section.

All the available portfolios (public/private) are accessible to the user.
When one of the private portfolios is clicked → Portfolio breakdown, no projects are seen.
But in the Overview of the portfolio, all the information is visible.

How am I managing the portfolios?
Access to private portfolios is managed using a permission template, to which all the groups that should have access to the portfolio are added, with the required permission levels.

Can we please have a fix for this in the next release?

Best regards,
Sreeram

I am also on SonarQube 10.5.1 Enterprise. I did some testing of this on my end and I don’t think this is a bug in SonarQube’s functionality. My suspicion is that your permissions are properly scoped for the projects included in the portfolio, but not the portfolio itself. This could either be due to the portfolio having public visibility or the portfolio having private visibility, but granting “Browse” permissions to a broader group than you want. Can you verify whether the portfolio-level permissions align with the limited access you want to grant?

Hello Schyler,

Thanks for your response and for taking the time to check it out.

Indeed, it’s assigned using the same permission template which I use for all the projects inside a portfolio.

How am I currently managing it?

  1. Each team has different access-level groups created.
  2. Each team has a permission template created, which contains all the groups created in (1), with different access rights.
  3. Use this permission template (2) to assign permissions when a new project is created, and also assign the permissions to the portfolio using the same permission template.

Please let me know if I’m missing out on something in setting the permissions for Portfolio.

Thanks for your time!

It sounds like you’re confident that the permissions template you’re applying to the portfolio is properly scoped. However, the visibility setting (public/private) is separate from the permissions template. I’d recommend double-checking that the visibility of your portfolio is actually set to Private. This can be found on the [Portfolio name] → Portfolio Settings → Permissions page.
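The two failure modes the replies describe (a portfolio left public, or a private portfolio whose template grants Browse to a broad group) can be checked mechanically. The script below is an added example, not code from the thread or from SonarSource; the input shapes are constructed to resemble a portfolio listing (`qualifier` `VW`, `visibility`) and a per-portfolio group permission listing where Browse is the `user` permission key, and the set of "broad" groups is an assumption you would adjust to your instance.

```python
import json

# Constructed sample data (not from the thread). The shapes are assumptions
# modelled on SonarQube's component listing and group-permission listing.
PORTFOLIOS_JSON = """[
  {"key": "team-a-portfolio", "name": "Team A", "qualifier": "VW", "visibility": "public"},
  {"key": "team-b-portfolio", "name": "Team B", "qualifier": "VW", "visibility": "private"},
  {"key": "team-c-portfolio", "name": "Team C", "qualifier": "VW", "visibility": "private"}
]"""

GROUP_PERMISSIONS_JSON = """{
  "team-a-portfolio": [{"name": "team-a-devs", "permissions": ["user", "codeviewer"]}],
  "team-b-portfolio": [{"name": "sonar-users", "permissions": ["user"]},
                       {"name": "team-b-devs", "permissions": ["user", "admin"]}],
  "team-c-portfolio": [{"name": "team-c-devs", "permissions": ["user"]}]
}"""

# Groups whose Browse ("user") permission makes a portfolio readable by everyone.
# Assumed names; replace with the catch-all groups configured on your instance.
BROAD_GROUPS = {"Anyone", "sonar-users"}


def audit_portfolios(portfolios, group_perms, broad_groups=BROAD_GROUPS):
    """Return {portfolio_key: reason} for portfolios whose overview leaks."""
    findings = {}
    for p in portfolios:
        if p.get("qualifier") != "VW":  # only portfolios, not projects/apps
            continue
        key = p["key"]
        if p.get("visibility") != "private":
            findings[key] = "visibility is public: overview readable by any user"
            continue
        # Private, but the applied template may still hand Browse to a broad group.
        leaky = [g["name"] for g in group_perms.get(key, [])
                 if "user" in g.get("permissions", []) and g["name"] in broad_groups]
        if leaky:
            findings[key] = "private, but Browse granted to broad group(s): " + ", ".join(leaky)
    return findings


def run_audit():
    return audit_portfolios(json.loads(PORTFOLIOS_JSON), json.loads(GROUP_PERMISSIONS_JSON))


if __name__ == "__main__":
    for key, reason in run_audit().items():
        print(f"{key}: {reason}")
```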