Authorization in SonarQube follows a fairly standard model. You can create as many users and groups of users as required. Users can then be attached (or not) to one or more groups. Groups and/or users are then given one or more permissions, which grant access to projects, services and functionalities.

Group

A group is a set of users.

To create a new group, go to Settings > Groups > Add new group:

To add/remove users to/from a group, click on the Select link in the Member column.

Two groups have a special meaning:

Global Permissions

To set global permissions, log in as a System administrator and go to Settings > Global Permissions.

Project Permissions

Four different permissions can be set on project-level resources (projects, views, developers):

Note that permissions are not cumulative. For instance, if you want to be able to administer the project, you also have to be granted the Browse permission to be able to access the project.
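The rule above can be checked mechanically. The following Python is an added example, not SonarQube code: it merges direct and group grants into each user's effective permissions per project and reports any permission held without Browse. The grant records, user and group names, and permission labels are constructed sample data, and treating every non-Browse permission as dependent on Browse generalizes the Administer case described above.

```python
# Added example (not SonarQube code): find grants that are unusable without Browse.
from collections import defaultdict

BROWSE = "Browse"
# Constructed sample data; users, groups and project keys are hypothetical.
GROUP_MEMBERS = {
    "dev-team": {"alice", "bob"},
    "auditors": {"carol"},
}
# Each record: (principal kind, principal name, project key, permission label)
GRANTS = [
    ("group", "dev-team", "billing", "Browse"),
    ("group", "dev-team", "billing", "See Source Code"),
    ("user", "alice", "billing", "Administer"),
    ("user", "dave", "billing", "Administer"),            # no Browse at all
    ("group", "auditors", "payroll", "See Source Code"),  # group lacks Browse
    ("user", "carol", "payroll", "Browse"),               # direct grant covers carol
    ("user", "bob", "payroll", "Administer"),             # Browse only on billing
]


def effective_permissions(grants, group_members):
    """Merge direct and group grants into {(user, project): {permissions}}."""
    effective = defaultdict(set)
    for kind, name, project, permission in grants:
        if kind == "user":
            users = {name}
        elif kind == "group":
            users = group_members.get(name, set())
        else:
            raise ValueError(f"unknown principal kind: {kind!r}")
        for user in users:
            effective[(user, project)].add(permission)
    return dict(effective)


def unusable_grants(grants, group_members):
    """Return sorted (user, project, permission) tuples held without Browse."""
    findings = []
    for (user, project), perms in effective_permissions(grants, group_members).items():
        if BROWSE not in perms:
            findings.extend((user, project, p) for p in perms)
    return sorted(findings)


if __name__ == "__main__":
    for user, project, permission in unusable_grants(GRANTS, GROUP_MEMBERS):
        print(f"{user}: '{permission}' on {project} has no effect without Browse")
```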

You can either manually grant permissions for each project to some users and groups or apply permission templates to projects (since version 3.7). 

Manually grant permissions for each project to some users and groups

Log in as a System Administrator and go to Settings > Project Permissions > Projects (was Settings > Roles prior to version 3.7):

Apply permission templates to projects (available since version 3.7)

First, create some permission templates via Settings > Project Permissions > Permission Templates.

Since version 4.1, it is possible to provide a Project key pattern. By default, every new project matching this key pattern will be granted permissions of this template.

Then, apply permission templates to projects, either to a specific project through the Apply permission template link or to several at once through the Bulk Change link.

Note that there is no relation between a project and a permission template, meaning that:

Default project permissions

It is possible to configure the system so that when a new project (project, view, developer) is created, some users/groups are automatically granted permissions on this project.

For versions 3.7+, this is done through permission templates. Go to Settings > Project Permissions > Permission Templates > Set default templates:

For versions prior to 3.7, it is done through the Default roles for new Projects table:

In the example below, once a new project has been created:

Import Source Code

For security reasons, you can prevent SonarQube from uploading the source code to the database when analyzing a project. To do so, log in as a System administrator, go to Settings > General Settings > Security and set the Import sources property to false. Note that if you want to restrict access to the source code, grant the See Source Code permission accordingly.

FAQ

I have locked myself out

To recreate a System administrator:

INSERT INTO user_roles(user_id, role) VALUES ((select id from users where login='mylogin'), 'admin');