# Permission Management
In this article, the permission & access right management in Teamscale is explained in detail.
# Managing Access to Global Teamscale Features
Teamscale has several global features to which access can be controlled. Examples include the creation of projects or editing the global e-mail notification settings. To grant access to these features global roles are assigned to users or groups.
# Users vs. Groups vs. Roles
Access right management in Teamscale is based on users, groups and roles assigned to them.
- Each developer using Teamscale needs to have a user account
- Users can be tied to multiple groups. In order to grant permissions to a user or group members, roles are assigned.
- A role represents a set of permissions granted to the user or group members and
may have an optional context in which it applies. One such context would
be a specific project within which the permissions of a role apply.
There are three different kinds of roles:
- Global roles which grant access to administrative features of Teamscale and creation of new objects like projects or analysis profiles.
- Project roles are assigned to members and define rights the users have within a project. They grant access to different actions available within the project.
- Basic roles which allow simple view, edit and delete access to access controlled objects like analysis profiles or external credentials. In the following the three different role types and corresponding permissions are explained in detail.
# Global Roles
Global roles represent a set of permissions which enable features of Teamscale which are unrelated to a specific object like a project or analysis profile. They can be created, edited and deleted by a user with the global permission to edit roles. See the tables below for global permissions and their meaning. A global role can be assigned to a user or group and grants the global permissions of the role. The role Instance Admin cannot be edited and always includes all global permissions.
# Default Global Roles
The following overview lists the pre-configured default global roles of Teamscale.
|Instance Admin||The instance admin has all global permissions.|
|Project Creator||The project creator role allows creating new projects, analysis profiles and metric threshold configurations.|
|User Manager||The user manager allows creating users and groups.|
# Global Permissions
|Create Projects||Allow creation of new projects. The creator has the project administrator role for the project upon creation.|
|Create Users||Allow creation of users. The creator has the owner role for the user upon creation.|
|Create Groups||Allow creation of groups. The creator has the owner role for the group upon creation.|
|Create Analysis Profiles||Allow creation of analysis profiles. The creator has the owner role for the analysis profile upon creation.|
|Create Metric Threshold Configurations||Allow creation of metric threshold configurations. The creator has the owner role for the metric threshold configuration upon creation.|
|Create External Credentials||Allow creation of new external credentials for repository connectors, issue trackers etc.. The creator has the owner role for the account upon creation.|
|Access Administrative Services||Allow access to administrative services. Mostly affects debug services.|
|Admin Dashboards||Allow viewing and editing all dashboards including admin dashboards.|
|Backup Global Data||Allow backup of global data like users, groups and permissions.|
|Assign Global Roles||Allow assigning global roles to users or groups.|
|Edit Roles||Allow editing the permissions of global- and project roles. Note that a role edit affects all role assignments of that role.|
|View System Status||Allow viewing the system status via the system perspective.|
|Edit External Metrics Schema||Allow editing the external metrics schema.|
|Edit External Findings Schema||Allow editing external findings and finding groups.|
|Edit Global Notification Settings||Allow editing global notification settings.|
|Edit Server Options||Allow editing server options via the settings page of the admin perspective.|
# Project Roles
Project roles represent a customizable set of permissions which are specific to projects. They can be created, edited and deleted by a user with the global permission to edit roles (see tables below). A project role can be assigned to a user or a group for a single project and grants the permissions of the role within the project. Furthermore, a project role can be assigned globally for all projects. Such a global assignment will grant the permissions to the user or group for all projects that exist in Teamscale. The role Project Administrator can't be edited and always includes all project permissions.
# Default Project Roles
The following project roles come pre-configured with Teamscale.
|Project Administrator||Project administrators have all available project permissions for a project. This role is not editable.|
|Developer||Developers can just view the project.|
|Project Lead||Project leads may view a project and additionally manage baselines and tasks.|
|Architect||Architects may view a project and create and edit architectures for it.|
|Build||Build permissions allow uploading external data and trigger information on commit hooks for a project.|
# Project Permissions
|View Project||View the project in project-specific perspectives.|
|Edit Project||Edit the project configuration and pause/start the project analysis.|
|Delete Project||Delete the project.|
|Edit Baselines||Create, edit and delete baselines for the project.|
|Edit Tasks||Create, edit and delete tasks for the project.|
|Update Task Status||Update the status of a project task.|
|Flag Red Findings||Flag red findings as tolerated or false positive.|
|Flag Yellow Findings||Flag yellow findings as tolerated or false positive.|
|Edit Architectures||Create, edit and delete architectures for the project.|
|Edit Issue Metrics||Edit issue metrics of the project.|
|Perform External Uploads||Perform external uploads to the project.|
|Trigger Commit Hook||Trigger scheduling a repository update trigger on a commit hook for a repository of the project.|
|Backup Project Data||Create backups of project data.|
|Assign Roles||Edit role assignments of the project to grant a set of permissions to other users or group members within the project.|
|Edit Project Options||Edit project options.|
|View All User Data||View data from other users in the project in case the data privacy option is enabled.|
# Basic Roles
Basic roles can be assigned to users and groups for objects in the following categories:
Metric Threshold Configurations
The rest of this section will use the analysis profiles category as an example. However, the same also applies to objects in the other categories. Each basic role grants a fixed set of permissions to the user or group members (see table below for details). A basic role can be assigned for a single analysis profile to a user or a group and grants the permissions of the role for the analysis profile. Furthermore, a basic role can be assigned globally for all analysis profiles. Such a global assignment will grant the permissions of the role to the user or group for all analysis profiles that exist in Teamscale.
# Basic Roles
|Viewer||Only allows viewing the object.|
|Editor||Allows viewing and editing the object.|
|Owner||Allows viewing, editing and deleting the object. Furthermore, allows providing access via assignment of roles to other users or groups for the object.|