Access control
With roles and permissions management, you can ensure that each member has the right level of access to perform their duties without compromising the security of your codebase. In this documentation, we’ll walk you through how to manage team members, assign roles, and control access to your team’s repositories.
Repository permission levels for a team
People with admin permissions can manage an individual’s access level to a team-owned repository.
Each permission level increases access to a repository’s content and settings. Choose the level that is the most appropriate for a person’s role in your project without giving people more access than they need.
In the order of least to most access, the permission levels for a repository are:
- Read-only: Recommended for non-code contributors who only want to view the dashboard, without modifying anything.
- Write: Recommended for people who actively push code to the project and who need the ability to modify settings.
- Admin: Recommended for people who need full access, including the ability to add people to or remove people from the repository.
Organization administrators can set base permissions that apply to all members of a team when accessing any of the team’s repositories. For more information, see Setting base permissions for a team.
For more information about giving people and teams access to repositories, see Managing access to your organization’s repositories.
Action | Admin | Write | Read-only |
---|---|---|---|
View issues | |||
View past runs | |||
View metrics | |||
View overview widgets | |||
Customize overview widgets | |||
Install Autofix App | |||
Create Autofixes | |||
Can view DSN | |||
Generate SSH key-pair | |||
Change default analysis branch | |||
Change issue types to report | |||
Change issue types to block PRs on | |||
Deactivate analysis on repository | |||
Add/remove members | |||
Update role of existing members | |||
Ignore issues | ^ | ^ | |
Modify metric thresholds | ^^ | ^^ | |
Suppress failed metrics | ^^^ | ^^^ | |
^ If Allow contributors or members to ignore issues is checked.
^^ If Allow contributors or members to modify metric thresholds is checked.
^^^ If Allow contributors or members to suppress failed metrics is checked.
Set base (default) permissions for your team
Team Administrators can set base permissions for team-owned repositories.
About base permissions
Base permissions apply to all members of a team when accessing any of the team’s repositories. Base permissions do not apply to contributors or administrators.
If someone with admin permissions to a team’s repository grants a member a higher level of permission for the repository, the higher level of permission overrides the base permission.
For a newly added team, the default repository permission on DeepSource is set to the same value that you’ve configured on GitHub. For other VCS, by default, team members will have Write permissions to all team repositories.
For open source repositories, all members (and contributors) have Write permissions regardless of the base permission selected.
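The resolution rules above, as an added Python sketch for access reviews (not DeepSource's own code). `Perm.NONE`, the function names and the sample roster are hypothetical; it assumes team administrators resolve to Admin and that an explicit grant lower than the base does not reduce a member's access, neither of which the page states.

```python
from enum import IntEnum
from typing import Optional

class Perm(IntEnum):
    NONE = 0        # assumption: "no access"; not a level named on the page
    READ_ONLY = 1
    WRITE = 2
    ADMIN = 3

ROLES = ("administrator", "member", "contributor")

def effective_permission(role: str, base: Perm, explicit: Optional[Perm],
                         open_source: bool) -> Perm:
    """Resolve one person's access to one team repository."""
    if role not in ROLES:
        raise ValueError(f"unknown team role: {role!r}")
    if role == "administrator":
        return Perm.ADMIN                  # assumption: team admins get Admin
    if role == "contributor" and not open_source:
        return Perm.NONE                   # contributors cannot be collaborators on private repos
    candidates = [explicit if explicit is not None else Perm.NONE]
    if role == "member":
        candidates.append(base)            # base applies to members only
    if open_source:
        candidates.append(Perm.WRITE)      # open source: members and contributors get Write
    return max(candidates)                 # a higher explicit grant overrides the base

def elevated_above_base(people, base: Perm, open_source: bool):
    """Access review: non-admins whose effective access exceeds the base."""
    findings = []
    for name, role, explicit in people:
        eff = effective_permission(role, base, explicit, open_source)
        if role != "administrator" and eff > base:
            findings.append((name, eff.name))
    return findings

# Constructed sample roster: (name, team role, explicit repository grant or None)
SAMPLE = [
    ("alice", "administrator", None),
    ("bob", "member", None),
    ("carol", "member", Perm.ADMIN),
    ("dave", "contributor", None),
    ("erin", "member", Perm.READ_ONLY),
]

if __name__ == "__main__":
    print("private:", elevated_above_base(SAMPLE, Perm.READ_ONLY, open_source=False))
    print("open source:", elevated_above_base(SAMPLE, Perm.READ_ONLY, open_source=True))
```

With a Read-only base, the private case flags only the explicit Admin grant, while the open source case flags every non-admin because the Write floor exceeds the base.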
Setting base permissions
- Go to the Dashboard
- Select the team from the account switcher on the top-left.
- Click on the Settings tab on the left sidebar.
- On the Settings page, select Access Control next to the billing.
- In the Member Base Permissions section, select the new Base Permission.
Manage an individual’s access to a team repository
People with admin permissions can manage the access of team members and contributors to a team repository.
Adding a collaborator
You can add members who are already in your team to the repository, either as a member or a contributor. To add new members, please invite them to your team first.
Contributors can only be added as collaborators for open source repositories. For private repositories, contributors first need to be promoted to members.
To add a collaborator:
- Go to the repository dashboard.
- Go to the Settings tab.
- Click on the Collaborators tab under Settings.
- Click Add collaborator.
- Type their name or email address in the search box. Once you find the individual, click on their name.
If you cannot find someone, make sure that they are added to the team.
- Select the required permission level, and click Confirm and add.
Change permission for a member
- Go to the Repository dashboard.
- Go to the Settings tab.
- Click on the Collaborators tab under Settings.
- Find the individual in the list, or use the search bar to find the user. Click on the drop-down menu on the right side showing the user’s permission level.
- Choose the new permission level, and click Confirm and grant permissions.
Sync members from VCS provider
About sync
When roles and permissions are changed for any of your team members on your VCS provider (GitHub, GitLab, or Bitbucket), the settings on DeepSource can be updated accordingly by running a Sync.
Running sync
- Go to the Dashboard.
- Switch to the correct team from the account switcher on the top left corner.
- Go to Settings from the central navigation bar.
- On the settings page, click on the Access control tab from the left sidebar.
- Click on the Sync manually button to sync access settings from GitHub/GitLab/Bitbucket.
- A modal will inform you that this action cannot be undone. If you still want to continue, click Sync access settings.
Automatic sync with GitHub
By setting up Automatic Sync (currently only available for GitHub), we can sync access settings for you without any manual intervention. Whenever permissions or roles are changed on GitHub, whether repository-wide or organization-wide, we are notified via a webhook, and we update the settings automatically. This means that if a user exists on both GitHub and DeepSource, their access settings will automatically be synced from GitHub on the following events:
- When you remove an organization member on GitHub, they get removed from the DeepSource team as well.
- When you add a new team member on DeepSource that is a member of your organization on GitHub as well, they get added as a repository collaborator on all repositories[1] with the same permission as on GitHub.
- When you add, edit permission, or remove a repository collaborator from a repository on GitHub, the same is replicated on DeepSource.
- When a user signs up on DeepSource via GitHub OAuth, they are automatically added to the DeepSource teams with the same role they have on the corresponding GitHub organizations.
- When you add an organization member on GitHub, they automatically get added to the corresponding DeepSource team as well.
Released in v3.21.0
- Only superuser will be taken to installation page post-signup.
Released in v3.22.0
[1] For large teams (i.e., teams with more than 1000 repositories), this sync is done only for the repositories that are activated on DeepSource, to avoid exhausting GitHub’s API rate limit.
Setting up automatic sync
Team Administrators can set up DeepSource to automatically sync access settings from GitHub.
- Go to the Dashboard.
- Switch to the correct team from the account switcher in the top left corner.
- Go to Settings from the central navigation bar.
- On the settings page, click on the Access control tab from the left sidebar.
- Toggle on the switch next to Automatically sync access settings from GitHub.
- Automatic Sync has been set up.
Managing people’s access to team with roles
Permission levels for teams
Teams can have administrators, members, and contributors.
- Administrators have complete administrative access to your team. They can manage billing, add or remove team members, and change roles for other members of the team.
- Members have the ability to activate analysis on new repositories. This is the default role.
- Contributors don’t have any team-level access. Adding a contributor doesn’t count against a seat on the paid plan.
Team Action | Administrator | Member | Contributor |
---|---|---|---|
Change plan (Pricing) | |||
Update number of seats | |||
Update billing details | |||
Manage team members | |||
View Access Control Dashboard | |||
Delete team account | |||
Set granular ignore permissions | |||
Activate analysis on repositories | |||
Sync list of repositories from VCS | |||
Change role for a team member
A team administrator can change roles for any team member (except for the team owner).
- Go to the Dashboard.
- Go to the account switcher on the top left corner, and select the team in which you want to change the role of a member.
- Go to the My team tab on the left sidebar.
- Find the member you want to change the role for. Click on the drop down arrow on the right side, and select the new role.
- Read the message in the modal, and if you want to continue, click Confirm and update.
Granular access control permissions
People with admin permissions can manage who is allowed to ignore issues, modify metric thresholds, or suppress failed metrics on team-owned repositories.
- Go to the Dashboard, click on the account switcher on the top left corner, and select the team in which you want to make the change.
- Go to Settings in the navigation bar.
- On the settings page, click on the Access control tab from the left side bar.
Issue, metric thresholds, and suppress metric permissions
Team Administrators can grant or revoke permissions to members and contributors for ignoring issues, modifying metric thresholds, and suppressing failed metrics. This helps ensure that the right people have the appropriate level of access to manage issues and metrics effectively.
To grant or revoke these permissions, go to the Issue, Metric Thresholds, and Suppress Metric Permissions section. From there, you can select which level of access to grant: member, contributor, or both. You can also choose to revoke access if necessary.