Taking Bitbucket permission management to the next level

We have enabled the feature flag for 100% of all workspaces in Bitbucket. Everyone should have access to set project permissions. 

• Blog Post
• Support Documentation

We're excited to announce the upcoming addition of project permissions and permission inheritance to Bitbucket Cloud. These much anticipated changes will improve permission management as we continue to build a more enterprise-ready Bitbucket Cloud experience. Similar to project settings that we released last year, you will soon be able to configure group and user permissions for an entire project.

The project permissions model was intentionally copied from our Bitbucket Server and Data Center product to ensure a seamless experience for our customers migrating to the cloud while also causing minimal disruption for our current cloud customers.

There are quite few changes included in this release that impact how permissions are managed, but it is important to note that nothing should break in your current configuration and your bill will not change. We anticipate rolling out these changes next month.

Project Permissions

Very soon you be able to configure repository permissions for your projects. With this release, admins can grant access to all repositories, old and new, within a project without having to manage each repository individually. Not only does this save significant time for administration, but also ensures that all repositories share consistent permissions and comply with that project's standards.

Projects will have 4 hierarchical levels of permissions: Admin, Create, Write, Read. Each permission in the hierarchy includes all permissions below it. E.g. Admin includes Create and Create includes Write.

• Admin - grants full administrative control of the project and the repositories within. Admins can make any changes to project or repositories settings, including all permissions. For existing projects, the current workspace admins will assume the role of project admin but they can now delegate this responsibility to others.

• Create - grants permission to allow users to create repositories within the project and provides write access to all repositories in that project. 

• Write - grants permission to allow users to commit content on any repositories in the project.

• Read - grants permissions providing users with exactly that, only the ability to read the content within any repositories.

The introduction of project permissions will make projects much more autonomous, enabling admins to better manage repositories at scale and also create more compartmentalization within the workspace for teams to work independently.

Permission Inheritance

To enable project permissions for Bitbucket Cloud we are also introducing permission inheritance. Permission inheritance allows permissions configured within a project to apply to all repositories in that project. Permission inheritance will also give workspace admins more control of the workspace.

To date, Bitbucket Cloud has relied on explicit permissions to grant users and groups Read, Write, or Admin (R,W,A) permission configured in each individual repository’s settings. Only users or groups listed in the repository Users and Groups settings have access to that repository today. Repositories can soon have permissions explicitly configured per repository but also inherit permissions from the containing project. Permissions set within the project or the workspace implicitly apply on the repository and cannot be modified within the repository.

Admin Changes

None of your existing repository permissions will be affected by the release of project permissions and permission inheritance. Everything will continue to function exactly as it does today for end users with no disruption. However, the addition of this new functionality will necessitate some changes in how workspace admins approach permissions in Bitbucket Cloud.

The most impactful change will be that workspace admins have implicit access to everything in the workspace due to permission inheritance. Workspace admins will inherit project admin permissions and repository admin permissions. This ensures that workspace admins retain full control of all workspace content regardless of whether they have explicit access configured for projects and repositories. Workspace admins will rightfully have full control of the workspace but can now delegate project control to project admins, reducing the need for more than a few workspace admins.

To streamline the admin experience we are also removing the Users on plan page and consolidating all of this page's functionality on the User directory. Rather than having two separate lists of workspace users you can now view everything from the User directory. Simply choose the dropdown to filter on Users on plan.

Group Changes

The other changes impact Group settings within the workspace. Today, all workspace permissions are configured for each group within workspace settings. This will not change immediately, but the settings available to set across these groups will change.

• In order to make projects autonomous, we are deprecating the ability to grant permission to create repositories within a workspace. Users will no longer be able to create repositories in any project across the workspace; instead, project admins will control which users or groups can create repositories in their respective projects.

• Because we deprecating the permission to create repositories globally within the workspace, we are introducing a new permission allowing groups to create new projects in the workspace. Previously, only workspace admins were allowed to create new projects. Users who can create projects can then create any repositories within the new project. Workspace admins can now open up the creation of projects to all, none, or just a few users. The creation of projects can be tightly controlled or fully self-service.

• Finally, we are deprecating the ability to configure the automatic assignment of permissions to groups for all new repositories created. This feature was implemented long ago as an alternative mechanism for configuring repository permissions at scale and is being phased out by project permission inheritance. All new repositories will inherit the permissions set at the project level and not require explicit permissions to be configured unless it varies from the project.

Grace Period