Role and Permission
Role is a set of permissions that can be granted to a user in one or all projects. Permission is an authorization granted to TeamCity user to perform particular operations, for example run build, or modify build configuration settings.
TeamCity authorization supports two modes: simple and per-project.
In simple mode, there are only three types of authorization levels: guest, logged-in user and administrator. In per-project mode, you can assign users Roles in projects or server-wide. Set of permissions in roles are editable.
Changing Authorization Mode
Unless explicitly configured, simple authorization mode is used when TeamCity is working in Professional mode and per-project is used when working in Enterprise mode. To change the authorization mode, use the Enable per-project permissions check box at the Administration|Global Settings page.
Simple Authorization Mode
Administrator | Users with no restrictions (corresponds to System Administrator role in per-project authorization mode) |
|---|---|
Logged-in user | Corresponds to default Project Developer role granted for all projects in per-project authorization mode |
Guest user | Corresponds to default Project Viewer role granted for all projects in per-project authorization mode |
Per-Project Authorization Mode
Roles are assigned to users by administrators on a per-project basis - a user can have different roles in different projects, and hence, the permissions are project-based. A user can have a role in a specific project or in all available projects, or no roles at all. You can Managing Users and User Groups. A role can also be granted to a user group. This means that the role is automatically granted to all the users that are included into the group (both directly or through other groups).
By default, TeamCity provides the following roles:
TeamCity System Administrators have no restrictions in their permissions, and have all of the project administrator's permissions. They can create and manage users accounts, authorize build agents and set up projects and build configurations, edit the TeamCity server settings, manage TeamCity licenses, configure server data cleanup rules, change shared VCS roots, and etc. | |
|---|---|
Project Administrator is a person who can customize general settings of a project, build configuration settings and assign roles to the project users and has all the project developer's and agent manager's permissions. | |
Project Developer is a person who usually commits changes to a project. He/she can start/stop builds, reorder builds in the build queue, label the build sources, review agent details, start investigation of a failed build. | |
Agent Manager is a person responsible for customizing and managing the Build Agent; he/she can change the run configuration policy and enable/disable build agents. | |
Project Viewer has only read-only access to projects and can only view the project. Project Viewer role does not have permissions to view agent details. |
When per-project permissions are enabled, server administrators can modify these roles, delete them, or add new roles with any combination of permissions right in TeamCity Administration web UI, or by modifying the roles-config.xml file stored in < >/config directory. When assigning roles to users, the view role permissions link in the web UI displays a list of permissions for each role in accordance with their current configuration.