How to give external contract developers access to certain branches only?

Let us say I have 10 repos, one is called Frobble , and I want some outsourced contractor team to work on one branch of one repo

 

I have created a group in my main account settings and set the permission as "external-contractors have NO access to this account repos"

 

then I have gone to the repo I want them to work on (Frobble) settings and given the external-contractors Group read access to that whole repo. I did this because I can't find a way to grant read access to only a single branch. It's not ideal, but..

So they can now read the branch I'm interested in them working on. I went into branch permissions for the "extdev" branch I created and hoped to give the team write access to this branch, but when I start typing the group name "external-contractors" in the box to grant write access, that group doesn't appear as a suggestion. I can add individual users from the group, and I can add some (but not all) other groups on my account..

 

What gives? How do I arrange a situation where I get what I want? Ideally, external dev group would only have read/write to a specific branch, but if impossible, they should have read access to a whole single repo and write access to one branch within..

1 answer

0 votes

It works the other way. Branch permissions are for restricting the rights to groups/users who already have that right in the repo.

You need to provide "write" access to both groups in the repository permission but restrict the "write" access only to the internal group on all branches except the one that is open to external group.

Confusing! So as a setup I should have:

extern-developers GROUP (bitbucket settings) that has NO access to this account repos

a permission on the Frobble repo that grants WRITE access to the extern-developers group 

a permission on only the extdev branch of Frobble repo, giving the members of extern-developers write permissions

 

So, even though "extern-developers" have WRITE access to the entire Frobble repo, they can only write to branches they're specifically named on? What happens if they try to commit to another branch?

And what about me, who is a member of the "internal-developers" group and also has write permissions to Frobble repo, but not named in any branch permission? Can I write to it or not? Do I need a "can write to branch pattern * " setting?

 

How does giving someone write permission to a branch, when they already have write permission to the entire repo, restrict them to writing to just that branch? Highly illogical

I think you got confused. "..but restrict the "write" access only to the internal group on all branches except the one that is open to external group."

In this case, you give write access on the repo to both extern-developers and internal-developers. But then restrict the "write" access on all branches except extdev branch to internal-developers. That way, people in internal-developers can write to all branches. People in extern-developers can only write to extdev branch. Makes sense?

Still confused, sorry! You wrote:

restrict the "write" access on all branches except extdev branch to internal-developers. That way, people in internal-developers can write to all branches

 

If internal-developers have had their write access on every branch (apart from extdev) taken away, how do they then have write access on every branch?

Did you mean to say:

 

restrict the "write" access on all branches except extdev branch to external-developers

 

How do I remove write access anyway? The branch permissions setup looks like it can only give permission, not take it away?

When you set a branch restriction, it is restrictive. You prevent changes, except by the group you added.

So, it takes away permission from everyone else.

Suppose this were code, are you saying the logic is:

user_has_write_access_to_repoX 
AND
(
user_has_branch_permission_granting_write_access_to_branchX
OR
user_is_not_mentioned_in_any_branch_permission_at_all
)

 

More like this in the last OR clause:

"no_user_is_mentioned_in_the_branch_permission_at_all"

So the logic is more like:



user_has_access_to_the_account_repos
AND
user_has_write_access_to_repoX
AND
(
user_has_branch_permission_granting_write_access_to_branchX
OR
no_branch_permissions_are_set_at_all_on_repoX
)

 (I forgot to put a clause in about the account repo access)
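
The rule the thread arrives at, written out as an added example (not code from any poster and not Bitbucket's implementation). It compares the setup recommended in the answer with the one the asker proposed; the branch list is constructed, and restrictions are assumed to be keyed by exact branch name.

```python
# Simplified model of the rule worked out in the thread; not Bitbucket's implementation.
# Assumption: restrictions are keyed by exact branch name (glob patterns are not modelled).

BRANCHES = ["master", "develop", "release", "extdev"]   # constructed branch list
BOTH = {"internal-developers", "extern-developers"}      # groups with repo-level write


def can_push(user_groups, branch, restrictions, repo_write=BOTH):
    """True if a member of `user_groups` may push to `branch`."""
    groups = set(user_groups)
    if not groups & repo_write:
        return False          # no repo-level write: a branch permission cannot add it
    allowed = restrictions.get(branch)
    if allowed is None:
        return True           # nothing restricts this branch: repo write is enough
    return bool(groups & allowed)


def writable_branches(group, branches, restrictions, repo_write=BOTH):
    """Audit helper: every branch the given group can push to."""
    return sorted(b for b in branches if can_push([group], b, restrictions, repo_write))


# Setup from the answer: every branch except extdev is restricted to internal-developers.
RECOMMENDED = {b: {"internal-developers"} for b in BRANCHES if b != "extdev"}

# Setup the asker proposed: one restriction, on extdev, naming only extern-developers.
PROPOSED = {"extdev": {"extern-developers"}}

if __name__ == "__main__":
    for name, rules in (("recommended", RECOMMENDED), ("proposed", PROPOSED)):
        for group in sorted(BOTH):
            print(name, group, writable_branches(group, BRANCHES, rules))
    # A branch created later has no restriction, so contractors can push to it.
    print("hotfix:", can_push(["extern-developers"], "hotfix", RECOMMENDED))
```

Under this model a branch created after the restrictions were set is unrestricted, so listing each group's writable branches after every branch-permission change is the check worth automating.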
