Hub 2022.3 Help

Hub Permissions

A permission is an authorization granted to a user to perform particular operations. Permissions are never granted to a user directly, only as part of a role.

A role is a set of permissions which defines the level of access for a user to particular functionality and operations.

Permissions in Hub are divided into two categories:

  • Global permissions are granted at the global scope and do not depend on a specific project. For example, you cannot grant permission to create user accounts in a single project; you can grant it only at the system-wide scope. Global permissions are marked with a global badge in the list of permissions.

  • Per-project permissions allow actions related to a specific project. For example, a role with the Read Project Basic permission grants users and groups access to view project properties and content for a specific project. If these users don't have the Read Project Basic permission for other projects in Hub, they don't have access to them.

Permission Updates for Hub 2021.1.13156

In the 2021.1.13156 release, we made a few modifications to the permission scheme in Hub. The following table lists the changes that were applied in this update:

Permission

Description

Create Role, Update Role, Delete Role

The granular access that was previously granted by these separate permissions has been replaced with a single Manage Role permission.

In situations where a subset of these three permissions was granted to a role, the permission assignments are removed during the upgrade to Hub versions 2021.1.13156.

The permission to view roles is still managed by the Read Role permission.

Read Service, Create Service, Update Service, Delete Service

These permissions have been removed from Hub. Access to services that are connected to Hub is now managed as follows:

  • Operations that were previously available to users with the Read Service permission are now available only to users who have the Low-level Admin Read permission.

  • The ability to create, update, and delete a service is only allowed for users who have the Low-level Admin Write permission.

In situations where any of these permissions were granted to a role, the permission assignments are removed during upgrade to Hub versions 2021.1.13156.

Read Self

This permission has been removed from Hub. All users are granted implicit permission to view all profile attributes for their own accounts, including custom attributes and authorization details.

Implied and Dependent Permissions

Implicit links connect permissions where actions that are granted by one permission are technically impossible without the other. This approach makes it easier to define custom roles with the appropriate access rights.

  • When you add a permission with implied permissions to a role, the implied permissions are added to the role automatically.

  • When you remove a permission with dependent permissions from a role, the dependent permissions are removed from the role automatically.

For example, the Read Project Basic permission (from the Hub service) is automatically added to a role when you add either Read Issue or Create Issue permission from the YouTrack service. It's technically impossible to view or create issues without being able to read basic project properties like the project name and project ID, so the Read Project Basic permission is granted implicitly.

To view the sets of implied and dependent permissions, select a permission and open the Details panel in the sidebar.

Details sidebar showing the implied and dependent permissions for the Read Issue Private Fields permission.
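The add and remove behavior described in this section can be modeled as a small graph for auditing custom roles. The following is an added example, not Hub code or its API: the `IMPLIES` map copies the "Implies" links listed in the tables on this page plus the YouTrack example above, the function names are hypothetical, and treating the links as transitive is an assumption.

```python
# Added example: "Implies" links as listed in the tables on this page.
# The dictionary and function names are illustrative, not part of Hub's API.
IMPLIES = {
    "Low-level Admin Write": {"Low-level Admin Read"},
    "Delete Group": {"Read Group"},
    "Update Group": {"Read Group"},
    "Create Organization": {"Read Organization"},
    "Delete Organization": {"Read Organization"},
    "Update Organization": {"Read Organization"},
    "Delete Project": {"Read Project Full"},
    "Update Project": {"Read Project Full"},
    "Read Project Full": {"Read Project Basic"},
    "Manage Role": {"Read Role"},
    "Delete User": {"Read User Full"},
    "Read User Full": {"Read User Basic"},
    "Update User": {"Update Self", "Read User Full"},
    "Read Issue": {"Read Project Basic"},    # YouTrack service example
    "Create Issue": {"Read Project Basic"},  # YouTrack service example
}


def implied_closure(permission):
    """Return the permission plus everything it implies (assumed transitive)."""
    seen, stack = set(), [permission]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(IMPLIES.get(p, ()))
    return seen


def add_permission(role, permission):
    """Adding a permission also adds its implied permissions to the role."""
    return set(role) | implied_closure(permission)


def remove_permission(role, permission):
    """Removing a permission also removes every permission that depends on it."""
    # A permission depends on `permission` if its closure contains it.
    return {p for p in role if permission not in implied_closure(p)}


def undeclared_grants(declared):
    """Permissions a role receives that its author never listed explicitly."""
    effective = set().union(*(implied_closure(p) for p in declared))
    return effective - set(declared)
```

Running `undeclared_grants` over a role definition shows the access that arrives implicitly, for example that a role listing only Update User also receives Read User Full, which exposes custom attributes and authorization details.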

Generic Permissions

The following permissions are not related to specific entities in the system. These permissions are available at the global level.

Permission

Description

Low-level Admin Write

Manage low-level administrative actions. Includes permission to integrate with third-party services and back up the database. Implies Low-level Admin Read.

Low-level Admin Read

Read-only access to low-level administrative settings. Includes permission to view integrations with third-party services and metrics.

The following permissions grant access to group-related actions. User groups are used as resources in a project. These permissions are all available at the per-project level.

Permission

Description

Create Group

Create new groups.

Delete Group

Delete groups.

Implies Read Group.

Read Group

View the list of groups and read group properties. When combined with other permissions, the following access rights are granted:

  • With permission to read both parent and child groups, view subgroups.

  • With Read User Basic, view the list of members.

Update Group

Edit group properties. When combined with other permissions, the following access rights are granted:

  • With permission to update both parent and child groups, manage subgroups.

  • With Read User Basic, update group memberships.

Implies Read Group.

The following permissions grant access to organization-related actions. These permissions are all available at the global level.

Permission

Description

Create Organization

Add new organizations to the system.

Implies Read Organization.

Delete Organization

Permanently remove organization records from the system.

Implies Read Organization.

Read Organization

View organizations and their attributes.

Update Organization

Edit organization attributes, manage project assignments and access rights.

Implies Read Organization.

The following permissions grant access to project-related actions.

  • The Create Project permission is granted at the global level.

  • All other project-related permissions are granted on a per-project basis.

Permission

Description

Create Project

Create new projects.

Delete Project

Delete projects.

Implies Read Project Full.

Read Project Basic

View basic project properties. Basic project properties include the name, description, logo, and project owner.

When combined with other permissions, the following access rights are granted:

  • With Read User Basic, users can view the list of users who are members of the project team.

  • With Low-level Admin Read, users can view the list of resources for a project. The list of resources in the project is also available to members of groups who are granted access in the settings for the service.

Read Project Full

View all project properties. Users who are granted this permission can view the complete set of project settings.

When combined with other permissions, the following access rights are granted:

  • With Read Role, users can view roles that are granted to the project team and the roles that are assigned to other users and groups in the project.

  • With Low-level Admin Read, users can view the list of resources for a project. The list of resources in the project is also available to members of groups who are granted access in the settings for the service.

Implies Read Project Basic.

Update Project

Edit project properties and content, manage resources.

Implies Read Project Full.

The following permissions grant access to role-related actions. These permissions are all available at the global level.

Permission

Description

Manage Role

Modify the permission scheme using any of the following operations:

  • Add new roles to the system.

  • Edit role properties.

  • Modify the set of permissions that are assigned to a role.

  • Delete roles.

Implies Read Role.

Read Role

View the list of roles and the set of permissions that are assigned to each role. When combined with other permissions, the following access rights are granted:

  • With Read Project Full, users can view roles that are granted to the project team and the roles that are assigned to other users and groups in the project.

  • With Low-level Admin Read, users can view the set of permissions that are provided by the service. The list of permissions is also available to members of groups who are granted access in the settings for the service.

The following permissions grant access to user-related actions. These permissions are all available at the global level.

Permission

Description

Create User

Create new user accounts. Invite users to register their own accounts.

Delete User

Delete user accounts.

Implies Read User Full.

Read User Basic

View the list of registered users and read the ID, username, name, and avatar for each user. Does not grant permission to view values for custom attributes. With Update Group, users can manage group memberships.

Read User Full

View all properties for all registered users, including custom attributes and authorization details.

Implies Read User Basic.

Update Self

Edit all profile attributes for their own accounts.

Update User

Edit all user profile data. Ban, merge, and anonymize user accounts.

Implies Update Self and Read User Full.

Last modified: 07 February 2023