Details
Suggestion
Resolution: Unresolved
Description
Request
According to the documentation at https://confluence.atlassian.com/display/STASH/Using+repository+permissions, there are six kinds of actions on which you can allow/disallow permissions:
1. Browse
2. Clone, fork, pull
3. Create, browse, or comment on a pull request
4. Merge a pull request
5. Push
6. Edit settings and permissions
Currently, the least-permissive access you can grant to a user (of "admin", "write", and "read") is "read" (1+2+3). We are requesting a fourth level of access that is more restrictive, perhaps called "browse-only" or "web-only", which would be limited to (1+3).
Motivation for this request:
Our company has several repos in Stash with high-security IP, and we generally follow the principle of least privilege – unless a person has a legitimate reason to clone a repo on their local machine (or fork it into their private space), we don't want to grant read access.
This is a pain point for our product managers. They use JIRA extensively, our JIRA instance is linked to Stash, and they can see in a JIRA issue that there has been related Stash activity. We want them to be able to use Stash to see the source (most importantly, to participate in the discussions surrounding a pull request), but we don't want to grant them all the permissions that come with "read" access.
Our concern is that if we granted read access, some would use that privilege to clone the repos locally. We don't want our product managers to be walking around with copies of the source code on their machines – the majority of them use laptops, and we don't want to put our IP at risk if their laptop is stolen or compromised. If we could grant "browse-only" access, we could put up a reasonable deterrent to this behavior and encourage them to only view the repo through Stash's web UI.