
      Summary (Customer's use case)

      We have a lot of projects and repositories that are not open for everyone within our company. We want to limit the access to a project to users in a specific LDAP group so we can be sure that no one else can access the repositories in this project. But at the same time we want to let a project administrator (project creator) configure the plugins, but they (project creator) should have no possibility to change anything that has to do with permissions, so they (project administrator) can't let users access a repository that is not allowed to have access.

      Right now we can't let users outside our small administration group become project administrators for their project. This is because they in turn can let other users read, write and even give administration rights for this specific project, and that we can't allow for security concerns.

      Expected result

      Limit Project creator to provide permission to other users with admin or write permission.

            [BSERV-8765] Limit project admin ability to grant additional permissions

            Ian Benson added a comment - Specifically, I want project admins to be able to do whatever they want with users and permissions within the project. For me this means somehow limiting users that can be selected by project admins to a subset of users, not the whole of Bitbucket user base. The best way would be by being able to limit the aforementioned users to an LDAP group within the project.

            Robert_Booke added a comment - Is there any further progress on this request? We have our own custom plugin to block permission from being granted by the project admins; however, in one of the last upgrades we did in v6. the repository permissions are now able to be provisioned but the project is still blocked. How can I find how to add the repository permissions from being granted now in v6 or v7?

            Warren added a comment -

            It's not the cleanest way, but a workaround is to put Apache in front, and then block certain URLs to prevent access to the panels for project and repository permissions.

            RewriteEngine On
            RewriteRule "^/projects/([A-Z0-9]+)/(settings|permissions)$" "/plugins/servlet/branch-permissions/$1" [R=temporary]
            RewriteRule "^/projects/([A-Z0-9]+)/repos/([A-Za-z0-9\-\.\_]+)/permissions$" "/plugins/servlet/branch-permissions/$1/$2" [R=temporary]
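Added example, not part of the comment above and not Atlassian code: a small regression check that runs the two RewriteRule patterns, copied verbatim, against a list of request paths and reports which ones the proxy would redirect and which would pass through unchanged. The sample paths (project key PROJ, repository my-repo and their variants) are constructed; whether a given Bitbucket instance serves each variant is an assumption to verify locally.

```python
import re

# The two RewriteRule patterns from the comment, copied verbatim.
# Apache compiles them as PCRE; they use only syntax Python's re shares.
RULES = [
    (re.compile(r"^/projects/([A-Z0-9]+)/(settings|permissions)$"),
     "/plugins/servlet/branch-permissions/{0}"),
    (re.compile(r"^/projects/([A-Z0-9]+)/repos/([A-Za-z0-9\-\.\_]+)/permissions$"),
     "/plugins/servlet/branch-permissions/{0}/{1}"),
]

def redirect_for(path):
    """Return the redirect target the rules produce for a URL path,
    or None when no rule matches and the request reaches Bitbucket."""
    for pattern, target in RULES:
        match = pattern.search(path)
        if match:
            # $1/$2 back-references become {0}/{1}; unused groups are ignored.
            return target.format(*match.groups())
    return None

# Constructed sample paths; PROJ and my-repo are made-up names.
SAMPLES = [
    "/projects/PROJ/permissions",
    "/projects/PROJ/settings",
    "/projects/PROJ/repos/my-repo/permissions",
    "/projects/PROJ/permissions/",      # trailing slash
    "/projects/proj/permissions",       # lower-case project key
    "/projects/MY_PROJ/permissions",    # underscore in project key
    # REST path, outside the UI panels the comment targets
    "/rest/api/1.0/projects/PROJ/permissions/users",
]

def coverage(paths=SAMPLES):
    """Map each path to its redirect target (None = not covered)."""
    return {path: redirect_for(path) for path in paths}

if __name__ == "__main__":
    for path, target in coverage().items():
        status = "REDIRECT" if target else "PASS    "
        print(f"{status} {path} -> {target}")
```

Any path reported as PASS is one the rule set leaves to Bitbucket's own permission checks, so the list is worth extending with every permission-related path in use before relying on the proxy.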
            

             
             


            Jack Marshall added a comment - We have a similar situation, and this plugin would be greatly appreciated. There are certain projects at our company that only authorized users should be able to access, but we don't want to restrict the ability to create new repos or configure the plugins. The users should not be granted the ability to add unauthorized access, but should be able to do everything else.

            Börje Granberg added a comment - Great idea! That would also be a feasible solution for us.

            Roger Barnes (Inactive) added a comment - Rather than changing the existing permissions model, I think a good approach would be an add-on that can apply a policy check, such as "project admins who aren't system admins can't change permissions". There are cancelable grant/revoke/changed events at project level where this could be applied.

              Unassigned Unassigned
              bannamalai Baskar Annamalai (Inactive)
              Votes: 26
              Watchers: 28