YouTrack InCloud 2018.2 Help

Hub Permissions

A permission is an authorization granted to a user to perform particular operations. Permissions are granted to a user through a role, not directly.

A role is a set of permissions which defines the level of access for a user to particular functionality and operations.

Permissions that let users perform administrative operations in YouTrack are provided by the Hub service. Permissions for the Hub service are divided into two categories:

  • Global permissions are granted at the global scope and do not depend on a specific project. For example, you cannot grant permission to create user accounts in a single project; you can grant it only at the system-wide scope. Global permissions are marked with the globe icon (iconGlobe) in the list of permissions.
  • Per-project permissions allow actions related to a specific project. For example, a role with the Read Project Basic permission grants users and groups access to view project properties and content for a specific project. If these users don't have the Read Project Basic permission for other projects in YouTrack, they don't have access to them.

Permissions Updates for YouTrack 2018.2

In the 2018.2.45073 release, we made a few modifications to the permission scheme for the Hub service. The following table lists the permissions that were introduced in this update:

Permission | Description
Read User Basic | Grants users the ability to view a limited amount of information from the user profile. This includes the user ID, login, name, and avatar.
Read User Full | Provides the same level of access that was previously granted with Read User. This grants users the ability to view all properties for all registered users, including authorization details.
Read Project Basic | Grants users the ability to view the name, description, logo, and project owner for a project.
Read Project Full | Provides the same level of access that was previously granted with Read Project. This grants users the ability to view all properties for a project.

The following table lists the permissions that were removed in this update:

Permission | Description
Read User | Replaced with Read User Full.
Read Project | Replaced with Read Project Full.
Add Role in Project, Remove Role in Project | Removed. To manage the roles that are assigned to users and groups in a project, you only need Read Role and Update Project permissions.
Read Auth Module | Replaced with Low-level Admin Read.
Create Auth Module, Update Auth Module, Delete Auth Module | Replaced with Low-level Admin Write.
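
The two tables above can be applied mechanically when reviewing roles that were defined before the update. The following is an added example, not code from Hub or YouTrack: it assumes role definitions are available as plain sets of permission names (the role names and sample sets are constructed), renames permissions per the tables, and reports where a migrated role lost role management, misses the Low-level Admin Read that Low-level Admin Write requires (stated in the Generic Permissions table), or holds a Full permission that the new Basic permission might replace.

```python
# Added example (not Hub code). Names are transcribed from the tables on this page.
REPLACED = {                                    # "Replaced with ..." rows
    "Read User": "Read User Full",
    "Read Project": "Read Project Full",
    "Read Auth Module": "Low-level Admin Read",
    "Create Auth Module": "Low-level Admin Write",
    "Update Auth Module": "Low-level Admin Write",
    "Delete Auth Module": "Low-level Admin Write",
}
REMOVED = {"Add Role in Project", "Remove Role in Project"}
ROLE_MGMT_NEEDS = {"Read Role", "Update Project"}   # what role management needs now
REQUIRES = {"Low-level Admin Write": "Low-level Admin Read"}
NARROWER = {"Read User Full": "Read User Basic",
            "Read Project Full": "Read Project Basic"}

def migrate_role(permissions):
    """Map one pre-2018.2 permission set to 2018.2 names and list review findings."""
    new = {REPLACED.get(p, p) for p in permissions if p not in REMOVED}
    findings = []
    if REMOVED & set(permissions):
        missing = sorted(ROLE_MGMT_NEEDS - new)
        if missing:
            findings.append("cannot manage project roles; missing: " + ", ".join(missing))
    for perm, dep in REQUIRES.items():
        if perm in new and dep not in new:
            findings.append(f"{perm} requires {dep}")
    for broad, narrow in NARROWER.items():
        if broad in new:
            findings.append(f"least privilege: check whether {narrow} can replace {broad}")
    return new, findings

# Constructed sample roles (hypothetical names), as sets of pre-2018.2 permissions.
LEGACY_ROLES = {
    "Project Lead": {"Read Project", "Update Project", "Read Role", "Add Role in Project"},
    "Directory Viewer": {"Read User", "Read Group"},
    "Integration Admin": {"Create Auth Module", "Remove Role in Project", "Read Role"},
}

if __name__ == "__main__":
    for name, perms in LEGACY_ROLES.items():
        new, findings = migrate_role(perms)
        print(name, "->", sorted(new))
        for finding in findings:
            print("   !", finding)
```

The least-privilege finding is a prompt for manual review: whether Read User Basic or Read Project Basic is enough depends on what the role's holders actually need to see.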

The following permissions are used by the built-in Hub service to regulate access to administrative actions.

Generic Permissions

The following permissions are not related to specific entities in the system. These permissions are available at the global level.

Permission | Description
Low-level Admin Write (iconGlobe) | Manage low-level administrative actions. Includes permission to integrate with third-party services and back up the database. Requires Low-level Admin Read.
Low-level Admin Read (iconGlobe) | Read-only access to low-level administrative settings. Includes permission to view integrations with third-party services and metrics.

The following permissions grant access to project-related actions.

Permission | Description
Create Project (iconGlobe) | Create new projects.
Read Project Basic | View basic project properties and content. When combined with other permissions, the following access rights are granted:
  • With Read User Basic, users can view the list of users who are members of the project team.
  • With Read Service, users can view the list of resources for a project. The list of resources in the project is also available to members of groups who are granted access in the settings for the service.
  Basic project properties include the name, description, logo, and project owner.
Read Project Full | View all project properties and content. When combined with other permissions, the following access rights are granted:
  • With Read Role, users can view roles that are granted to the project team and the roles that are assigned to other users and groups in the project.
  • With Read Service, users can view the list of resources for a project. The list of resources in the project is also available to members of groups who are granted access in the settings for the service.
Update Project | Edit project properties and content, manage resources.
Delete Project | Delete projects.

The following permissions grant access to role-related actions. These permissions are all available at the global level.

Permission | Description
Create Role (iconGlobe) | Create new roles.
Read Role (iconGlobe) | View the list of roles and the set of permissions that are assigned to each role. When combined with other permissions, the following access rights are granted:
  • With Read Project Full, users can view roles that are granted to the project team and the roles that are assigned to other users and groups in the project.
  • With Read Service, users can view the set of permissions that are provided by the service. The list of permissions is also available to members of groups who are granted access in the settings for the service.
Update Role (iconGlobe) | Edit role properties. Modify the set of permissions that are assigned to a role.
Delete Role (iconGlobe) | Delete roles.

The following permissions grant access to service-related actions. These permissions are all available at the global level.

Permission | Description
Create Service (iconGlobe) | Register new services.
Read Service (iconGlobe) | View the list of services and read service properties. View service resources, permissions, and default roles.
Update Service (iconGlobe) | Edit service properties. Create, update, or delete resources, permissions, and default roles.
Delete Service (iconGlobe) | Delete services.

The following permissions grant access to user-related actions. These permissions are all available at the global level.

Permission | Description
Create User (iconGlobe) | Create new user accounts. Invite users to register their own accounts.
Read User Basic (iconGlobe) | View the list of registered users and read the ID, login, name, and avatar for each user. With Update Group, users can manage group memberships.
Read User Full (iconGlobe) | View all properties for all registered users, including authorization details.
Update User (iconGlobe) | Edit user profile data. Ban, merge, and anonymize user accounts.
Delete User (iconGlobe) | Delete user accounts.
Read Self (iconGlobe) | View all properties, including authorization details for the user who is currently logged in.
Update Self (iconGlobe) | Edit own profile data.

The following permissions grant access to group-related actions. Groups are used as resources in a project. These permissions are all available at the per-project level.

Permission | Description
Create Group | Create new groups.
Read Group | View the list of groups and read group properties. When combined with other permissions, the following access rights are granted:
  • With permission to read both parent and child groups, view subgroups.
  • With Read User Basic, view the list of members.
Update Group | Edit group properties. When combined with other permissions, the following access rights are granted:
  • With permission to update both parent and child groups, manage subgroups.
  • With Read User Basic, update group memberships.
Delete Group | Delete groups.

Last modified: 18 September 2018