# Permission Management

In this article, the permission & access right management in Teamscale is explained in detail.

# Managing Access to Global Teamscale Features

Teamscale has several global features to which access can be controlled. Examples include the creation of projects or editing the global e-mail notification settings. To grant access to these features global roles are assigned to users or groups.

# Users vs. Groups vs. Roles

Access right management in Teamscale is based on users, groups and roles assigned to them.

  • Each developer using Teamscale needs to have a user account
  • Users can be tied to multiple groups. In order to grant permissions to a user or group members, roles are assigned.
  • A role represents a set of permissions granted to the user or group members and may have an optional context in which it applies. One such context would be a specific project within which the permissions of a role apply. There are three different kinds of roles:
    • Global roles which grant access to administrative features of Teamscale and creation of new objects like projects or analysis profiles.
    • Project roles are assigned to members and define rights the users have within a project. They grant access to different actions available within the project.
    • Basic roles which allow simple view, edit and delete access to access controlled objects like analysis profiles or external credentials. In the following the three different role types and corresponding permissions are explained in detail.

# Global Roles

Global roles represent a set of permissions which enable features of Teamscale which are unrelated to a specific object like a project or analysis profile. They can be created, edited and deleted by a user with the global permission to edit roles. See the tables below for global permissions and their meaning. A global role can be assigned to a user or group and grants the global permissions of the role. The role Instance Admin cannot be edited and always includes all global permissions.

# Default Global Roles

The following overview lists the pre-configured default global roles of Teamscale.

PermissionDescription
Instance AdminThe instance admin has all global permissions.
Project CreatorThe project creator role allows creating new projects, analysis profiles and metric threshold configurations.
User ManagerThe user manager allows creating users and groups.

# Global Permissions

PermissionDescription
Create ProjectsAllow creation of new projects. The creator has the project administrator role for the project upon creation.
Create UsersAllow creation of users. The creator has the owner role for the user upon creation.
Create GroupsAllow creation of groups. The creator has the owner role for the group upon creation.
Create Analysis ProfilesAllow creation of analysis profiles. The creator has the owner role for the analysis profile upon creation.
Create Metric Threshold ConfigurationsAllow creation of metric threshold configurations. The creator has the owner role for the metric threshold configuration upon creation.
Create External CredentialsAllow creation of new external credentials for repository connectors, issue trackers etc.. The creator has the owner role for the account upon creation.
Access Administrative ServicesAllow access to administrative services. Mostly affects debug services.
Admin DashboardsAllow viewing and editing all dashboards including admin dashboards.
Backup Global DataAllow backup of global data like users, groups and permissions.
Assign Global RolesAllow assigning global roles to users or groups.
Edit RolesAllow editing the permissions of global- and project roles. Note that a role edit affects all role assignments of that role.
View System StatusAllow viewing the system status via the system perspective.
Edit External Metrics SchemaAllow editing the external metrics schema.
Edit External Findings SchemaAllow editing external findings and finding groups.
Edit Global Notification SettingsAllow editing global notification settings.
Edit Server OptionsAllow editing server options via the settings page of the admin perspective.

# Project Roles

Project roles represent a customizable set of permissions which are specific to projects. They can be created, edited and deleted by a user with the global permission to edit roles (see tables below). A project role can be assigned to a user or a group for a single project and grants the permissions of the role within the project. Furthermore, a project role can be assigned globally for all projects. Such a global assignment will grant the permissions to the user or group for all projects that exist in Teamscale. The role Project Administrator can't be edited and always includes all project permissions.

# Default Project Roles

The following project roles come pre-configured with Teamscale.

PermissionDescription
Project AdministratorProject administrators have all available project permissions for a project. This role is not editable.
DeveloperDevelopers can just view the project.
Project LeadProject leads may view a project and additionally manage baselines and tasks.
ArchitectArchitects may view a project and create and edit architectures for it.
BuildBuild permissions allow uploading external data and trigger information on commit hooks for a project.

# Project Permissions

PermissionDescription
View ProjectView the project in project-specific perspectives.
Edit ProjectEdit the project configuration and pause/start the project analysis.
Delete ProjectDelete the project.
Edit BaselinesCreate, edit and delete baselines for the project.
Edit TasksCreate, edit and delete tasks for the project.
Flag Red FindingsFlag red findings as tolerated or false positive.
Flag Yellow FindingsFlag yellow findings as tolerated or false positive.
Edit ArchitecturesCreate, edit and delete architectures for the project.
Edit Issue MetricsEdit issue metrics of the project.
Perform External UploadsPerform external uploads to the project.
Trigger Commit HookTrigger scheduling a repository update trigger on a commit hook for a repository of the project.
Backup Project DataCreate backups of project data.
Assign RolesEdit role assignments of the project to grant a set of permissions to other users or group members within the project.
Edit Project OptionsEdit project options.
View All User DataView data from other users in the project in case the data privacy option is enabled.

# Basic Roles

Basic roles can be assigned to users and groups for objects in the following categories:

  • Analysis Profiles

  • Metric Threshold Configurations

  • External Credentials

  • Groups

  • Users

  • Quality Reports

The rest of this section will use the analysis profiles category as an example. However, the same also applies to objects in the other categories. Each basic role grants a fixed set of permissions to the user or group members (see table below for details). A basic role can be assigned for a single analysis profile to a user or a group and grants the permissions of the role for the analysis profile. Furthermore, a basic role can be assigned globally for all analysis profiles. Such a global assignment will grant the permissions of the role to the user or group for all analysis profiles that exist in Teamscale.

# Basic Roles

RoleDescription
ViewerOnly allows viewing the object.
EditorAllows viewing and editing the object.
OwnerAllows viewing, editing and deleting the object. Furthermore, allows providing access via assignment of roles to other users or groups for the object.