Users and Roles

CodeScene lets you create users and grant them various levels of access depending on their roles.

Adding Users

When logging in with your CodeScene Username and License Key you receive full administrative privileges. Some tasks require these special privileges, such as deleting projects and managing the global configuration. We recommend using the administrator login only for such tasks, and creating user accounts with restricted access for regular work.

By clicking the “Configuration” tab in the top navigation bar, you can access the global configuration page. If you are logged in as the administrator, you should see the Users configuration, as in Fig. 188.

Adding new users

Fig. 188 In the global configuration you can add new users to the system.

Enter the user name and password, and click “Add User” to finish. The password can be changed later if needed, either by the administrator or by the users themselves.

Assigning Roles

The system comes preconfigured with a number of roles. You can assign roles to the users in your system to grant them specific access.

  • Technical: Technical analyses only.
  • Developer: Technical, architectural and social analyses.
  • Architect: Technical, architectural and social analyses; project configuration.
  • Test Leader: Hotspot and knowledge map analyses.
  • Manager: Technical quality guide and social analyses.
  • Full Read-only Access: All analysis results, but cannot perform any actions. Typically used to display a monitor dashboard.
  • Bot: Intended for third-party integrations like code review or continuous integration bots. This role is allowed to trigger an analysis and access the overview of the result.

In the table of existing users you can see the currently assigned roles. Click on the Role select box, as shown in Fig. 189, to change the assigned role of a user.

Changing the assigned roles

Fig. 189 By clicking the Role select box you can change the assigned role of a user.

Permissions by Role

This is a more detailed description of various permissions associated with the CodeScene roles.

Role Permissions
Technical
  • Change own password
  • Technical analyses - warnings, hotspots, temporal coupling, code churn trends
Developer

Same as Technical plus:

  • Analysis process branches (branch statistics in Project Management -> Console)
  • Social analyses - networks, knowledge map, parallel development, code churn by author, warnings, modus operandi
  • Architectural analyses - hotspots, temporal coupling
Architect

Same as Developer plus:

  • Project configuration, including Access Management, but not authorised to delete projects
  • Run a project analysis
  • Project management - Costs and Risks in Project Management
  • Analysis monitor (Project config -> History -> Monitor)
  • Off-boarding simulation
Test Leader
  • Change own password
  • Analysis overview
  • Technical analyses - hotspots
  • Social analyses - knowledge map
Manager
  • Change own password
  • Analysis overview
  • Analysis process branches
  • Technical analyses - hotspots
  • Social analyses - networks, knowledge map, parallel development, code churn by author, warnings, modus operandi
  • Project management - Costs and Risks
  • Analysis monitor
  • Off-boarding simulation
Full Read-only Access
  • Analysis overview
  • Analysis process branches
  • Technical analyses (same as Technical)
  • Social analyses (same as Developer)
  • Architectural analyses (same as Developer)
  • Project management (same as Architect)
  • Analysis monitor
Bot
  • Analysis overview
  • Run a project analysis (used for delta analysis)

Project Access Management

Global Configuration

By default, all projects are visible to all CodeScene users. You can change this setting by selecting “Restrict access to all projects …” in the global configuration as shown in Fig. 190.

Changing the default project access to restricted

When access is restricted, only ‘project collaborators’ are allowed to access a project. Read more about project collaborators in the next section.

Project-specific Configuration

The administrator or users with the Architect role can configure project access management settings on a per-project basis in the project configuration tab Access Management:

Project access management configuration

Project Access Mode

There are three choices for Project Access Mode:

  1. Allow Everyone - everyone is allowed to access the project regardless of the Default Project Access setting in the global configuration
  2. Restrict Access - only project collaborators are allowed to access the project
  3. Inherit Default Setting - use whatever project access mode is set in the global configuration.

Note: The administrator can always access all projects.

Project Collaborators

To add a normal CodeScene user as a collaborator, just enter their username and click the Add Collaborator button. For an LDAP user, use the distinguished name of the LDAP user or of one of their LDAP groups.

When a collaborator logs in, they will only be able to see projects accessible to them.

If you use the delta analysis API, you need to add your Bot user to the project collaborators too.
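The access rules above (global default, the three project access modes, the administrator exception and collaborators) can be modelled to check who would see which project before changing a setting. This is an added example, not CodeScene's code; the class names, function names and sample users and projects are hypothetical, and exact string matching of collaborator entries is an assumption.

```python
from dataclasses import dataclass, field

# Hypothetical model of the documented rules; none of these names are CodeScene's own.
ALLOW_EVERYONE, RESTRICT, INHERIT = "Allow Everyone", "Restrict Access", "Inherit Default Setting"

@dataclass
class User:
    name: str                       # CodeScene username, or the DN of an LDAP user
    is_admin: bool = False
    ldap_groups: frozenset = frozenset()

@dataclass
class Project:
    name: str
    mode: str = INHERIT
    collaborators: set = field(default_factory=set)  # usernames, user DNs or group DNs

def effective_mode(project, global_restricted):
    """Resolve 'Inherit Default Setting' against the global configuration."""
    if project.mode == INHERIT:
        return RESTRICT if global_restricted else ALLOW_EVERYONE
    return project.mode

def can_access(user, project, global_restricted):
    if user.is_admin:               # the administrator can always access all projects
        return True
    if effective_mode(project, global_restricted) == ALLOW_EVERYONE:
        return True
    # Exact string match is an assumption; the page does not describe DN comparison.
    return bool(({user.name} | user.ldap_groups) & project.collaborators)

def visible_projects(user, projects, global_restricted):
    return [p.name for p in projects if can_access(user, p, global_restricted)]

# Constructed sample data.
PLATFORM = "cn=platform,ou=groups,dc=example,dc=com"
PROJECTS = [
    Project("payments", RESTRICT, {"alice", "ci-bot"}),
    Project("website", ALLOW_EVERYONE),
    Project("internal-tools", INHERIT, {PLATFORM}),
]
ADMIN = User("admin", is_admin=True)
ALICE, BOB, BOT = User("alice"), User("bob"), User("ci-bot")
CAROL = User("uid=carol,ou=people,dc=example,dc=com", ldap_groups=frozenset({PLATFORM}))

if __name__ == "__main__":
    for u in (ADMIN, ALICE, BOB, BOT, CAROL):
        print(u.name, visible_projects(u, PROJECTS, global_restricted=True))
```

In the sample data the Bot user sees "payments" only because it is listed as a collaborator there; once the global default is restricted it loses "internal-tools", which is the case the note about the delta analysis API addresses.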

Single Sign-On

By default, CodeScene operates with an internal user database. Alternatively, you can configure another authentication provider, such as LDAP/Active Directory, to perform identity verification for your users, thus avoiding the duplication of your users’ accounts in CodeScene. Users can then log in using the same credentials that they use for other services within your system. Currently, only an LDAP authentication provider is supported.

Note: The users still need to perform the CodeScene login operation. We do not support full SSO integration, which would mean that the CodeScene login process could be skipped entirely for authorized users.

LDAP Authentication Provider

A generic LDAP server or Active Directory can be used for user authentication.

LDAP authentication is turned off by default and the configuration fields are hidden as shown in Fig. 192.

Inactive LDAP authentication

Activate LDAP Authentication by clicking on the “Use LDAP Authentication” checkbox and filling in the details as shown in Fig. 193.

Active LDAP authentication

You will need to configure the “LDAP host” address and the “LDAP search base” settings. CodeScene provides default values for the remaining settings, e.g. port and connection timeouts.

The “LDAP search base” is used as the root for LDAP queries that search for data about users and their groups. Make sure to specify a search base broad enough that no relevant user data is missed. See Components of an LDAP Search for more details.

The “LDAP Bind DN format” is used to create a proper full login name accepted by your LDAP server. It’s usually a full “Distinguished Name”, although Active Directory supports various formats like the “User Principal Name” (e.g. username@mycompany.com). Use the {username} placeholder to configure the username expansion; see the examples on the Configuration page. You can leave this field empty if your users always enter the full login name manually.

We also encourage you to use the “Secure LDAP” connection by checking the “Use Secure LDAP connection” checkbox. In this case, you will need to change the LDAP port too; secure LDAP connections often use port 636.

LDAP Groups Settings

Like normal CodeScene users, users authenticated with the LDAP authentication provider also need to have a “role” assigned to them. This is done with the “LDAP Groups Settings” as shown in Fig. 194.

LDAP Groups Settings

When user data is fetched from an LDAP server, the user’s LDAP groups are matched to CodeScene’s roles based on the “LDAP Groups Settings” configuration. E.g. if the user is a member of the “CodeScene Managers” LDAP group, then they will have CodeScene’s “Manager” role.

Multiple groups can be assigned to a single LDAP user (unlike the normal CodeScene users).

Moreover, nested groups are supported; that is, if an LDAP user is a member of the group “Managers”, which is a member of the group “CodeScene Managers”, then that LDAP user will have CodeScene’s “Manager” role too.

Finally, if no matching CodeScene role is found for an LDAP user, the value of “Default CodeScene role” is used. By default, this is set to “Full Read-only Access”, but it can be changed to a more restrictive role or even a special “No Access” role, which will deny access to all LDAP users who aren’t members of a proper CodeScene LDAP group. You can see this in Fig. 195.

LDAP Groups Settings - default role: "No Access"
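The group matching described in this section (direct and nested groups, then the default role as fallback) can be modelled to list which directory users would land on the default role before it is switched to “No Access”. This is an added example, not CodeScene's code; the function names, group names, users and mapping are constructed, and returning every matched role as a set is an assumption, since the page does not say how several matches are combined.

```python
# Hypothetical model of the documented matching; group names and mappings are constructed.
NO_ACCESS = "No Access"
READ_ONLY = "Full Read-only Access"

GROUP_TO_ROLE = {"CodeScene Managers": "Manager", "CodeScene Developers": "Developer"}
# group -> groups it is itself a member of (nested groups); contains a cycle on purpose
MEMBER_OF = {
    "Managers": ["CodeScene Managers"],
    "Backend": ["Engineering"],
    "Engineering": ["Backend"],
}
# user -> groups the user is a direct member of
USERS = {
    "ann": ["Managers"],
    "ben": ["CodeScene Developers", "Managers"],
    "cho": ["Backend"],
    "dee": [],
}

def transitive_groups(direct_groups, member_of):
    """All groups reached through nested membership; safe on cyclic nesting."""
    seen, stack = set(), list(direct_groups)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(member_of.get(group, ()))
    return seen

def resolve_roles(direct_groups, member_of, group_to_role, default_role):
    """Roles for one user: every mapped group that matches, else the default role."""
    groups = transitive_groups(direct_groups, member_of)
    roles = {group_to_role[g] for g in groups if g in group_to_role}
    return roles or {default_role}

def default_role_users(users, member_of, group_to_role):
    """Users who match no mapped group and therefore receive the default role."""
    return sorted(
        name for name, groups in users.items()
        if transitive_groups(groups, member_of).isdisjoint(group_to_role)
    )

if __name__ == "__main__":
    for name, groups in USERS.items():
        print(name, resolve_roles(groups, MEMBER_OF, GROUP_TO_ROLE, NO_ACCESS))
    print("fall through to default:", default_role_users(USERS, MEMBER_OF, GROUP_TO_ROLE))
```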