Who can alter the project's branch permission in Bitbucket Server

Socko-71 December 26, 2018

Auditing wants me to limit the updating on all the master branches of a project. This can be done through the project's branch permissions. It seems, though, that anyone with admin to the project (to create repositories) would be able to change the project's branch setting. Other than removing all admins from the project, how else could the master branch have limited update access?

1 answer

1 accepted

1 vote
Answer accepted
Stephen Sifers
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
December 27, 2018

Hello Bob,

This is a great question. To start with Bitbucket permissions, there are 4 levels of permissions. You can find the details on those here:

Bitbucket Server provides 4 levels of permissions that are all administered through the UI. The hierarchy of permissions is as follows:

  1. Global Permissions: Who can log into Bitbucket Server, who the system admin is, etc.
  2. Project Permissions: Read, write, and admin permissions at the project (groups of repositories) level.
  3. Repository Permissions: Read, write, and admin permissions on a per repository basis.
  4. Branch Permissions: Write (push) access on a per branch basis.

All permissions can be set on a user or group basis. Bitbucket Server allows you to create groups of users (i.e. contractors, senior developers, etc.) to simplify the management of permissions. To learn more see Users and Groups.

Source document: 4 Levels of Bitbucket Server Permissions

Ideally, you will need to scope your permissions based on the role they are filling for the project or repository. From this, you will need to see how the users fit within the permission roles and adjust permissions accordingly (and also in line with what the auditors will agree to).

I hope this helps to clarify the levels of permissions within Bitbucket.

Regards,
Stephen Sifers

Socko-71 December 29, 2018

Thanks for responding, but maybe I needed to word the question better.

For someone to be able to create a new repository, they need to have admin to the project. If a Bitbucket admin creates a branch permission to allow only a particular group to make any changes to the 'master' branch of all repositories in that same project, couldn't any of the people who have admin to that project delete/alter that branch permission? Is there any way to prevent that from happening, short of deleting their admin access?

Again...thanks for responding

Stephen Sifers
Atlassian Team
December 31, 2018

Hello again Bob,

Thanks for the clarification. Since the permission levels are hierarchical, any permission level above Branch level would be able to adjust permissions (assuming they’re granted Admin permissions). Ideally, if you wanted to avoid permission changes within branches or projects, you would need to remove admin rights for users. As you stated, you want to attempt to avoid doing so.

In short, with the way permissions are structured, you will need to revoke admin rights for users to prevent them from making permissions changes within the projects and repositories.

There are a few plugins within the Atlassian Marketplace which may extend the permissions of Bitbucket, but they may not be able to deliver what you’re looking for. You can take a look and see if anything matches your requirements.

I hope this helps clarify the permissions.

Regards,
Stephen Sifers

Socko-71 December 31, 2018

That's what I thought...Thanks again for replying
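
The conclusion of this thread, that admin grants above branch level can change a branch permission, as an added audit sketch (not from the original posts or from Atlassian): it lists users who hold such a grant but are outside the group approved to update master. The permission names are Bitbucket Server's; the input layout, group names and users are constructed, and the sketch assumes only global and project admin grants apply to a project-level branch permission.

```python
# Grants that, per the thread, let a holder change a project's branch permission.
# Assumption for this example: only global and project admin grants are considered.
ADMIN_GRANTS = {
    "global": {"ADMIN", "SYS_ADMIN"},
    "project": {"PROJECT_ADMIN"},
}

def expand(principal, groups):
    """Return the users behind a principal; a group name expands to its members."""
    return set(groups.get(principal, [principal]))

def restriction_editors(grants, groups):
    """Map each user who can alter the branch permission to the grants allowing it."""
    editors = {}
    for level, principal, permission in grants:
        if permission in ADMIN_GRANTS.get(level, ()):
            for user in expand(principal, groups):
                editors.setdefault(user, []).append(
                    f"{level}:{permission} via {principal}")
    return editors

def audit(grants, groups, allowed_pushers):
    """Users able to change the master restriction who are not approved to push."""
    approved = set()
    for principal in allowed_pushers:
        approved |= expand(principal, groups)
    editors = restriction_editors(grants, groups)
    # An approved pusher who is also an admin gains nothing by editing the rule.
    return {u: why for u, why in sorted(editors.items()) if u not in approved}

# Constructed sample data (hypothetical users and groups).
GROUPS = {"release-managers": ["alice"], "project-leads": ["bob", "carol"]}
GRANTS = [
    ("global", "root", "SYS_ADMIN"),
    ("project", "project-leads", "PROJECT_ADMIN"),
    ("project", "dave", "PROJECT_WRITE"),
    ("project", "alice", "PROJECT_ADMIN"),
]
ALLOWED = ["release-managers"]  # group the branch permission lets update master

if __name__ == "__main__":
    for user, why in audit(GRANTS, GROUPS, ALLOWED).items():
        print(f"{user}: can alter the master branch permission ({'; '.join(why)})")
```

The returned users are the ones whose admin rights would have to be revoked, as the reply above describes, for the restriction to hold.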
