YouTrack Permissions
A permission is an authorization granted to a user to perform particular operations. Permissions are granted to a user within a role, but not directly.
A role is a set of permissions which defines the level of access for a user to particular functionality and operations.
All permissions are divided into two categories:
Global permissions are granted within YouTrack's global scope and do not depend on a specific project. For example, you can't grant permission to create users in a single project, you can do it only in the system-wide scope. Global permissions are marked with a global badge in the permissions list.
Per-project permissions allow actions related to a specific project. For example, a role with the Read Project Basic permission grants users and groups access to view project properties and content for a specific project. If these users don't have the Read Project Basic permission for other projects in YouTrack, they don't have access to them.
The permissions listed on this page grant access to work with the entities that are managed in the YouTrack service. The permissions are grouped by the entity that they provide access to in YouTrack.
For a list of permissions that are used by the built-in Hub service to regulate access to administrative actions, see Hub Permissions.
Permission Updates for YouTrack 2019.3
When your installation is upgraded to YouTrack version 2019.3, the permissions shown in the following table are removed from the application automatically. Actions that previously required these permissions now require permissions from the Hub service that grant similar levels of access.
Permission | Description | Now Requires |
|---|---|---|
Read Not Own Profile | View profile of any user. | Read User Full |
Update Not Own Profile | Edit the profile of any user. Allows users to edit or delete tags and saved searches on the profile pages of other users. | Update User |
These permissions granted users access to read and update the YouTrack profiles for other users. The YouTrack profile is the collection of user preferences, personal tags and saved searches, and notification settings that each user can configure for their account.
This update removes the Read Not Own Profile and Update Not Own Profile permissions from all existing roles. The permissions that are now required to perform these actions are not granted automatically. If you created custom roles that were meant to restrict users from viewing or changing this information, you may need to grant the corresponding permission from the Hub service to allow access to this information.
This change specifically affects the default Project Admin role. After the update, users who are assigned this role no longer have the Read Not Own Profile. This means that they can no longer read YouTrack profile settings for other user accounts.
Permission Updates for YouTrack 2019.2
In the 2019.2.55152 release, we updated the YouTrack permission scheme.
Changes to the Permission Scheme
The following table lists the permissions that were added in this update:
Permission | Description |
|---|---|
Read Report | Previously, the ability to read reports was not explicitly managed by the permission scheme. Any user who was a member of a group that had permission to view and use the report could view it and read the information shown on it, even without having permission to read issues in the projects that were displayed on the report. The new Read Report permission gives users permission to view reports that display data from issues in a specific project. This permission gives administrators fine-grained control over who is allowed to access information in projects that store sensitive data. When your installation is upgraded to version 2019.2.55152, this permission is automatically granted to any role that was previously granted either Read Issue or Create Issue. |
Create Report | The ability to create reports was previously granted by the Create Tag, Saved Search or Report permission. The new Create Report permission gives users permission to create reports that display data from issues in a specific project. Permission to create tags and saved searches is now granted separately. When your installation is upgraded to version 2019.2.55152, this permission is automatically granted to any role that was previously granted the Create Tag, Saved Search or Report permission. |
Share Report | The ability to share a report was previously available to any user who had the Create Tag, Saved Search or Report permission. The new Share Report permission gives users permission to share reports that display data from issues in a specific project. When your installation is upgraded to version 2019.2.55152, this permission is automatically granted to any role that was previously granted the Share Tag or Saved Search permission. |
Create Tag or Saved Search | Replaces the Create Tag, Saved Search or Report permission. When granted, allows for the creation of tags and saved searches. The ability to create reports is now granted explicitly by the Create Report permission. When your installation is upgraded to version 2019.2.55152, this permission is automatically granted to any role that was previously granted the Create Tag, Saved Search or Report permission. |
Create Work Item | The ability to add work items to issues was previously granted with the Update Work Item permission. The new Create Work Item permission gives users permission to add work items to issues in a specific project. The ability to update work items is granted separately. With the addition of a dedicated permission for creating work items, we also redefined the Read Work Item permission. Users with Create Work Item permission are now granted the ability to read their own work items even when they aren't explicitly granted Read Work Item permission. This follows the same model of permission inheritance that was previously applied to issue and comment creation. For more information, see Inherent Permissions. When your installation is upgraded to version 2019.2.55152, this permission is automatically granted to any role that was previously granted the Update Work Item permission. |
The following permission was removed in this update:
Permission | Description |
|---|---|
Create Tag, Saved Search or Report | This permission was replaced with the Create Tag or Saved Search permission. The ability to create reports is now granted explicitly by the Create Report permission. |
Implied and Dependent Permissions
We've added implicit links between permissions where actions that are granted by one permission are technically impossible without the other. This approach makes it easier to define custom roles with the appropriate access rights.
When you add a permission with implied permissions to a role, the implied permissions are added to the role automatically.
When you remove a permission with dependent permissions to a role, the dependent permissions are removed from the role automatically.
When your installation is upgraded to version 2019.2.55152, all of the permissions that are implicitly linked to other permissions are automatically added to any role that requires the implied permission.
For example, the Read Project Basic permission is added to any role that grants users either Read Issue or Create Issue permission in a project. It's technically impossible to view or create issues without being able to read basic project properties like the project name and project ID, so the Read Project Basic permission is granted implicitly.
To view the sets of implied and dependent permissions, select a permission and open the Details panel in the sidebar.
Inherent Permissions
When you have permission to create something in YouTrack, you inherit the permission to read and update your own content. You still require explicit permission to read and update content that was posted by other users. This behavior applies to issue reporters, commenters, and work authors.
Issue reporters always have permission to view public fields, update public fields, and add links to the issues that they created. This means that users who are granted the Create Issue permission in a project can perform these actions with the issues they reported even when they don't have Read Issue, Update Issue, and Link Issues permissions.
However, users can't delete their own issues without the Delete Issue permission.
Users who have the Create Comment permission inherit the permission to read and update their own comments, even when they don't have Read Comment and Update Comment permissions.
Users with the Create Work Item permission inherit the permission to read and update their own work items, even when they don't have Read Work Item and Update Work Item permissions.
This also applies to users who have the Add Attachment permission. Users who attach files to an issue inherit the ability to modify these files and restrict their visibility without the Update Attachment permission.
Issue
Permission | Description |
|---|---|
Create Issue | Create (report) issues in a project. Users with this permission can view public fields, update public fields, and add links to the issues they reported even when they don't have Read Issue, Update Issue, and Link Issues permissions. Implies Read Project Basic. |
Delete Issue | Delete issues. |
Link Issues | Add links that define relationships between issues. Users with the Create Issue permission inherit the permission to add links to their own issues whether they are granted this permission or not. However, they can only add links to issues that they have permission to read. |
Override Visibility Restrictions | View issues, comments, and attachments that are hidden by visibility settings. |
Read Issue | View issues and read public fields. Users with the Create Issue permission inherit the permission to read their own issues whether they are granted this permission or not. Implies Read Project Basic. |
Read Issue Private Fields | View private fields in issues. Implies Read Project Basic. |
Update Issue | Update the values for public fields in issues. Users with the Create Issue permission inherit the permission to update their own issues whether they are granted this permission or not. |
Update Issue Private Fields | Update the values for private fields in issues. Implies Read Issue Private Fields. |
Update Watchers | Add other users to the list of watchers for an issue. |
View Voters | View the list of users who have voted for an issue (available in single issue view). Implies Read Project Basic. |
View Watchers | View the list of users who are watching an issue (available in single issue view). Implies Read Project Basic. |
IssueAttachment
Permission | Description |
|---|---|
Add Attachment | Attach files to issues. |
Delete Attachment | Delete any file that is attached to an issue. All users can delete the files that they attached to issues themselves even when they are not explicitly granted this permission. |
Update Attachment | Modify files attached to issues and restrict attachment visibility. All users can update visibility settings for the files that they attached to issues themselves even when they are not explicitly granted this permission. |
IssueComment
Permission | Description |
|---|---|
Create Comment | Add comments to issues. Users with this permission inherit the permission to read and update their own comments, even when they don't have Read Comment and Update Comment permissions. |
Delete Comment | Delete comments that they have added to issues. |
Delete Not Own and Permanent Comment Delete | Delete comments that were added to issues by other users and delete comments permanently. Implies Read Comment. |
Read Comment | View comments that have been added to issues. Users with the Create Comment permission inherit the permission to view their own comments whether they are granted this permission or not. |
Update Comment | Edit comments that they have added to issues. |
Update Not Own Comment | Edit comments that were added to issues by other users. Implies Read Comment. |
IssueWorkItem
Permission | Description |
|---|---|
Create Not Own Work Item | Create work items and set another user as the work author. Implies Create Work Item. |
Create Work Item | Add work items to issues. Users with this permission inherit the permission to read and update their own work items, even when they don't have Read Work Item and Update Work Item permissions. |
Read Work Item | View the list of work items in an issue. Users with the Create Work Item permission inherit the permission to read their own work items whether they are granted this permission or not. |
Update Not Own Work Item | Edit work items created by other users. Implies Read Work Item and Update Work Item. |
Update Work Item | Add and edit work items to an issue. Users with the Create Work Item permission inherit the permission to update their own work items whether they are granted this permission or not. |
Report
Permission | Description |
|---|---|
Create Report | Create reports that present data from issues in a project. Implies Read Report. |
Read Report | View reports that present date from issues in a project. |
Share Report | Update the settings that allow members of specific groups to view and use a report or edit the report settings. Implies Read Report. |
WatchFolder
Permission | Description |
|---|---|
Create Tag or Saved Search | Create tags and saved searches. |
Delete Tag or Saved Search | Delete the tags and saved searches that they have created. |
Edit Tag or Saved Search | Edit the tags and saved searches that they have created. Allows users to edit tags and saved searches if the user is a member of the group that is allowed to edit the tag or saved search. |
Share Tag or Saved Search | Update the settings that allow members of specific groups to view and use a tag or saved search or edit its settings. |