Permission Comparison for Default Roles
In YouTrack, permissions have different scopes to control where they apply. Global permissions apply to the entire system. Organization-scoped permissions are limited to a specific organization, while project-scoped permissions only apply to a specific project. This ensures users have access only where they need it.
Each default role provided by YouTrack is limited to a specific scope, except for the System Admin role, which is granted all permissions across all scopes.
The following tables provide a comparison of the permissions that are assigned by default to the default roles in YouTrack, grouped by permission scope.
Use this information to determine whether you can use a default role to grant access to users or groups or need to create a new role with a custom set of permissions.
Global Permission Scope
The following roles are assigned permissions with global scopes:
System Admin
Observer
Project Creator
User Manager
Entity | Permission | System Admin | Observer | Project Creator | User Manager |
|---|---|---|---|---|---|
Application | Low-level Admin Read |
| |||
Low-level Admin Write |
| ||||
Project | Create Project |
|
| ||
User | Create User |
|
| ||
Delete User |
| ||||
Read User Full |
|
| |||
Read User Basic |
|
| |||
Update Self |
|
| |||
Update User |
| ||||
Organization | Create Organization |
|
Organization Permission Scope
By default, permissions with organization scopes are only assigned to the System Admin role. This applies to the following permissions:
Read Organization
Update Organization
Delete Organization
Project Permission Scope
By default, permissions with project scopes are assigned to roles that are meant to operate at the project level.
The Project Admin role is designed for users who manage and configure projects.
The Contributor role is for users who actively participate in projects by creating, editing, and managing project content.
The System Admin role is granted project scoped permissions at the global level, which means they have permission to perform project-related actions in all projects. It is also the only role that is granted Override Visibility Restrictions and Delete Project permissions by default.
Entity | Permission | System Admin | Project Admin | Contributor |
|---|---|---|---|---|
Project | Read Project Basic |
|
|
|
Read Project Full |
|
| ||
Update Project |
|
| ||
Delete Project |
| |||
Issue | Read Issue |
|
|
|
Read Issue Private Fields |
|
|
| |
Update Issue |
|
|
| |
Create Issue |
|
|
| |
Delete Issue |
|
|
| |
Link Issues |
|
|
| |
Update Issue Private Fields |
|
|
| |
Apply Commands Silently |
|
| ||
View Watchers |
|
|
| |
Update Watchers |
|
|
| |
View Voters |
|
|
| |
Attachment | Add Attachment |
|
|
|
Update Attachment |
|
|
| |
Delete Attachment |
|
|
| |
Comment | Create Issue Comment |
|
|
|
Delete Issue Comment |
|
|
| |
Delete Not Own and Permanent Comment Delete |
|
| ||
Read Issue Comment |
|
|
| |
Update Issue Comment |
|
|
| |
Update Not Own Issue Comment |
|
| ||
Create Article Comment |
|
|
| |
Delete Article Comment |
|
| ||
Read Article Comment |
|
|
| |
Update Article Comment |
|
| ||
Visibility | Override Visibility Restrictions |
| ||
Issue Work Item | Create Not Own Work Item |
|
| |
Create Work Item |
|
|
| |
Read Work Item |
|
|
| |
Update Not Own Work Item |
|
| ||
Update Work Item |
|
|
| |
Article | Create Article |
|
|
|
Delete Article |
|
| ||
Read Article |
|
|
| |
Update Article |
|
|