YouTrack Server 2023.3 Help

YouTrack Permissions

A permission is an authorization granted to a user to perform an action. Permissions are granted to a user within a role, but not directly.

A role is a set of permissions which defines the level of access for a user to particular functionality and operations.

All permissions are divided into two categories:

  • Global permissions are granted within YouTrack's global scope and do not depend on a specific project. For example, you can't grant permission to create users in a single project, you can do it only in the system-wide scope. Global permissions are marked with a global badge in the permissions list.

  • Per-project permissions allow actions related to a specific project. For example, a role with the Read Project Basic permission grants users and groups access to view project properties and content for a specific project. If these users don't have the Read Project Basic permission for other projects in YouTrack, they don't have access to them.

The permissions listed on this page grant access to work with the entities that are managed in YouTrack.

Inherent Permissions

When you have permission to create something in YouTrack, you inherit the permission to read your own content. Separate permissions are required to update your own comments and work items, but not your own issues. You also require explicit permission to read and update content that was posted by other users.

  • Issue reporters always have permission to view public fields, update public fields, and add links to the issues that they created. This means that users who are granted the Create Issue permission in a project can perform these actions with the issues they reported even when they don't have Read Issue, Update Issue, and Link Issues permissions.

    This also applies to users who have the Add Attachment permission. Users who attach files to an issue inherit the ability to modify these files and restrict their visibility without the Update Attachment permission.

    However, users can't delete their own issues without the Delete Issue permission.

  • Users who have the Create Issue Comment permission inherit the permission to read their own comments, even when they don't have the Read Issue Comment permission. The ability to edit your own comments requires the Update Issue Comment permission.

  • Users with the Create Work Item permission inherit the permission to read their own work items, even when they don't have the Read Work Item permission. The ability to edit your own work item requires the Update Work Item permission.

  • For articles in the knowledge base, users with the Create Article Comment permission inherit the permission to read and update their own comments, even when they don't have the Update Article Comment permission. The Create Article Comment implicitly grants the Read Article Comment permission.

Implied and Dependent Permissions

Implicit links connect permissions where actions that are granted by one permission are technically impossible without the other. This approach makes it easier to define custom roles with the appropriate access rights.

  • When you add a permission with implied permissions to a role, the implied permissions are added to the role automatically.

  • When you remove a permission with dependent permissions to a role, the dependent permissions are removed from the role automatically.

For example, the Read Project Basic permission (from the Hub service) is automatically added to a role when you add either Read Issue or Create Issue permission from the YouTrack service. It's technically impossible to view or create issues without being able to read basic project properties like the project name and project ID, so the Read Project Basic permission is granted implicitly.

To view the sets of implied and dependent permissions, select a permission and open the Details panel in the sidebar.

Details sidebar showing the implied and dependent permissions for the Read Issue Private Fields permission.

System

The following permissions are not related to specific entities in the system. These permissions are available at the global level.

Permission

Description

Low-level Admin Read

Read-only access to low-level administrative settings. Includes permission to view integrations with third-party services and metrics.

Low-level Admin Write

Manage low-level administrative actions. Includes permission to integrate with third-party services and back up the database.

Implies Low-level Admin Read.

Article

Permission

Description

Create Article

Add articles to the knowledge base for a specific project.

Implies Read Article.

Delete Article

Delete articles from the knowledge base in a specific project.

Implies Read Article.

Read Article

View articles and article content in the knowledge base for a specific project.

Note that users are only able to view articles in projects where they have the Read Project Basic permission.

Update Article

Edit existing articles in the knowledge base for a specific project.

Implies Read Article.

Article Comment

Permission

Description

Create Article Comment

Add comments to existing articles in the knowledge base for a specific project.

Implies Read Article Comment.

Users with this permission can edit or delete their own comments as well.

Delete Article Comment

Delete comments that have been posted to articles in the knowledge base for a specific project.

This includes comments that were posted by other users.

Implies Read Article Comment.

Read Article Comment

View comments that have been posted to articles in the knowledge base for a specific project.

Update Article Comment

Edit comments that have been posted to articles in the knowledge base for a specific project.

This includes comments that were posted by other users.

Implies Read Article Comment.

The following permissions grant access to group-related actions. Groups are used as resources in a project. These permissions are all available at the per-project level.

Permission

Description

Create Group

Create new groups.

Delete Group

Delete groups.

Implies Read Group.

Read Group

View the list of groups and read group properties. When combined with other permissions, the following access rights are granted:

  • With permission to read both parent and child groups, view subgroups.

  • With Read User Basic, view the list of members.

Update Group

Edit group properties. When combined with other permissions, the following access rights are granted:

  • With permission to update both parent and child groups, manage subgroups.

  • With Read User Basic, update group memberships.

Implies Read Group.

Permission

Description

Apply Commands Silently

Update issue attributes using a command without sending update notification messages to users who subscribe to issue updates.

Create Issue

Create (report) issues in a project.

Users with this permission can view public fields, update public fields, and add links to the issues they reported even when they don't have Read Issue, Update Issue, and Link Issues permissions.

Implies Read Project Basic.

Delete Issue

Delete issues.

Link Issues

Add links that define relationships between issues.

Users with the Create Issue permission inherit the permission to add links to their own issues whether they are granted this permission or not. However, they can only add links to issues that they have permission to read.

Override Visibility Restrictions

View issues, comments, and attachments that are hidden by visibility settings.

Implies Read Issue Private Fields.

Read Issue

View issues and read public fields.

Users with the Create Issue permission inherit the permission to read their own issues whether they are granted this permission or not.

Implies Read Project Basic.

Read Issue Private Fields

View private fields in issues.

Implies Read Project Basic.

Update Issue

Update the values for public fields in issues.

Users with the Create Issue permission inherit the permission to update their own issues whether they are granted this permission or not.

Update Issue Private Fields

Update the values for private fields in issues.

Implies Read Issue Private Fields and Update Issue.

Update Watchers

Add other users to the list of watchers for an issue.

View Voters

View the list of users who have voted for an issue (available in single issue view).

Implies Read Project Basic.

View Watchers

View the list of users who are watching an issue (available in single issue view).

Implies Read Project Basic.

Permission

Description

Add Attachment

Attach files to issues.

Delete Attachment

Delete any file that is attached to an issue.

All users can delete the files that they attached to issues themselves even when they are not explicitly granted this permission.

Update Attachment

Modify files attached to issues and restrict attachment visibility.

All users can update visibility settings for the files that they attached to issues themselves even when they are not explicitly granted this permission.

Permission

Description

Create Issue Comment

Add comments to issues.

Users with this permission inherit the permission to read their own comments, even when they don't have the Read Issue Comment permission. The ability to edit a comment requires the Update Issue Comment permission.

Delete Issue Comment

Delete comments that have been added to issues.

Delete Not Own and Permanent Comment Delete

Delete comments that were added to issues by other users and delete comments permanently.

Implies Read Comment.

Read Issue Comment

View comments that have been added to issues.

Users with the Create Comment permission inherit the permission to view their own comments whether they are granted this permission or not.

Update Issue Comment

Edit comments that have been added to issues.

Update Not Own Issue Comment

Edit comments that were added to issues by other users.

Implies Read Comment.

Permission

Description

Create Not Own Work Item

Create work items and set another user as the work author.

Implies Create Work Item.

Create Work Item

Add work items to issues.

Users with this permission inherit the permission to read their own work items, even when they don't have the Read Work Item permission. The ability to edit a work item requires the Update Work Item permission.

Read Work Item

View the list of work items in an issue.

Users with the Create Work Item permission inherit the permission to read their own work items whether they are granted this permission or not.

Update Not Own Work Item

Edit work items created by other users. Also grants permission to create work items on behalf of other users.

Implies Read Work Item and Update Work Item.

Update Work Item

Edit work items that they have added to issues.

The following permissions grant access to organization-related actions. These permissions are all available at the global level.

Permission

Description

Create Organization

Add new organizations to the system.

Implies Read Organization.

Delete Organization

Permanently remove organization records from the system.

Implies Read Organization.

Read Organization

View organizations and their attributes.

Update Organization

Edit organization attributes, manage project assignments and access rights.

Implies Read Organization.

The following permissions grant access to project-related actions.

  • The Create Project permission is granted at the global level.

  • All other project-related permissions are granted on a per-project basis.

Permission

Description

Create Project

Create new projects.

Delete Project

Delete projects.

Implies Read Project Full.

Read Project Basic

View basic project properties. Basic project properties include the name, description, logo, and project owner.

When combined with other permissions, the following access rights are granted:

  • With Read User Basic, users can view the list of users who are members of the project team.

  • With Low-level Admin Read, users can view the list of resources for a project. The list of resources in the project is also available to members of groups who are granted access in the settings for the service.

Read Project Full

View all project properties. Users who are granted this permission can view the complete set of project settings, including custom fields, VCS and build server integrations, notifications, time tracking, and workflows.

When combined with other permissions, the following access rights are granted:

  • With Read Role, users can view roles that are granted to the project team and the roles that are assigned to other users and groups in the project.

  • With Low-level Admin Read, users can view the list of resources for a project. The list of resources in the project is also available to members of groups who are granted access in the settings for the service.

Implies Read Project Basic.

Update Project

Edit project properties and content, manage resources.

Implies Read Project Full.

Permission

Description

Create Report

Create reports that present data from issues in a project.

Implies Read Report.

Read Report

View reports that present date from issues in a project.

Share Report

Update the settings that allow members of specific groups to view and use a report or edit the report settings.

Implies Read Report.

The following permissions grant access to role-related actions. These permissions are all available at the global level.

Permission

Description

Manage Role

Modify the permission scheme using any of the following operations:

  • Add new roles to the system.

  • Edit role properties.

  • Modify the set of permissions that are assigned to a role.

  • Delete roles.

Implies Read Role

Read Role

View the list of roles and the set of permissions that are assigned to each role. When combined with other permissions, the following access rights are granted:

  • With Read Project Full, users can view roles that are granted to the project team and the roles that are assigned to other users and groups in the project.

  • With Low-level Admin Read, users can view the set of permissions that are provided by the service. The list of permissions is also available to members of groups who are granted access in the settings for the service.

The following permissions grant access to user-related actions. These permissions are all available at the global level.

Permission

Description

Create User

Create new user accounts. Invite users to register their own accounts.

Delete User

Delete user accounts.

Implies Read User Full.

Read User Basic

View the list of registered users and read the ID, username, name, and avatar for each user. With Update Group, users can manage group memberships.

Users who don't have permission to read this information only see anonymized versions of other user accounts in the system. To learn more, see Anonymized Users.

Read User Full

View all properties for all registered users, including authorization details.

Implies Read User Basic.

Update Self

Edit own profile data.

Update User

Edit user profile data. Ban, merge, and anonymize user accounts.

Implies Update Self and Read User Full.

Permission

Description

Create Tag or Saved Search

Create tags and saved searches.

Delete Tag or Saved Search

Delete the tags and saved searches that they have created.

Edit Tag or Saved Search

Edit the tags and saved searches that they have created. Allows users to edit tags and saved searches if the user is a member of the group that is allowed to edit the tag or saved search.

Share Tag, Saved Search, Agile Board, or Gantt Chart

Update settings that give other users the ability to view, use, or edit tags, saved searches, agile boards, and Gantt charts.

Last modified: 22 March 2024