Today is a big day for Bitbucket Cloud as we begin rolling out project permissions and permission inheritance to align with Bitbucket Server and Data Center. We will be progressively rolling this out over the next month, so you will see the changes in your workspace before the end of April.
Project permissions has been a long-anticipated update and represents one of the largest administration improvements for Bitbucket Cloud since we rolled out Workspaces in April 2020. With this release, project admins can grant access to all repositories, old and new, within a project without having to manage each repository individually. We are very excited to share these changes with you.
What is changing?
We followed Bitbucket Server and Data Center as a model for our updates to Bitbucket Cloud's permission management, not only to ensure a seamless transition to the cloud for migrations but also to empower all existing Bitbucket Cloud admins with a more powerful toolset to manage their workspaces.
With the introduction of project permissions, we also implemented permission inheritance: any permissions set on a project are inherited by every repository in that project. Inheritance extends to the workspace too, so workspace admin permissions are inherited by all projects.
What are the benefits?
- Scale and Efficiency
- Team Autonomy
- Better Security
Scale and efficiency
All permissions set on a project are inherited by each repository, so when a new repository is added, all of the project permissions apply immediately and no permission management is required on the repository.
As an example, when we rolled out these changes internally for dogfooding we were able to eliminate thousands of repository permissions with dozens of project permissions. Auditing and maintaining a small subset of permissions on projects saves us a lot of precious time.
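The inheritance model described above can be expressed as a small audit that finds repository-level grants already covered by a project grant or by workspace admin. This is an added example, not Atlassian's code; the level ordering, the "highest grant wins" rule, and all names in the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed ordering, lowest to highest; the post does not define one.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

@dataclass
class Project:
    grants: dict                                # principal -> level set on the project
    repos: dict = field(default_factory=dict)   # repo -> {principal: level} set on the repo

@dataclass
class Workspace:
    admins: set      # workspace admins, inherited by every project and repository
    projects: dict   # project key -> Project

def inherited(ws, proj, principal):
    """Level a principal gets on any repo in the project without a repo-level grant."""
    return "admin" if principal in ws.admins else proj.grants.get(principal, "none")

def effective(ws, project_key, repo, principal):
    """Assumption: effective access is the highest of the inherited and repo-level grants."""
    proj = ws.projects[project_key]
    explicit = proj.repos[repo].get(principal, "none")
    return max(inherited(ws, proj, principal), explicit, key=LEVELS.__getitem__)

def audit(ws):
    """Split repo-level grants into redundant ones (covered by inheritance, safe to
    delete) and exceptions (grant more than the project does, worth a review)."""
    redundant, exceptions = [], []
    for key, proj in ws.projects.items():
        for repo, grants in proj.repos.items():
            for principal, level in grants.items():
                covered = LEVELS[inherited(ws, proj, principal)] >= LEVELS[level]
                (redundant if covered else exceptions).append((key, repo, principal, level))
    return sorted(redundant), sorted(exceptions)

# Constructed sample workspace; all names are made up.
SAMPLE = Workspace(
    admins={"alice"},
    projects={"PAY": Project(
        grants={"payments-team": "write", "auditors": "read"},
        repos={
            "billing-api": {"payments-team": "write", "alice": "admin"},
            "ledger": {"auditors": "write", "payments-team": "read"},
            "new-repo": {},
        },
    )},
)
```

Calling `audit(SAMPLE)` returns the redundant grants first and the exceptions second; the exceptions list is the short set of repository-level grants that still needs a named owner after cleanup.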
Team autonomy
Before project permissions, all repositories existed in a flat structure within a workspace, which means projects provided little more than categorization. Now repositories are structured in a hierarchy, within projects with isolation controls, so that teams can own their own projects within a workspace with full control of their own repositories.
To facilitate better boundaries among projects, we are introducing 2 new roles for projects as well:
- Project Admin allows explicit admin control of all project settings and permissions as well as implicit admin control of all repository settings and permissions. This allows workspace admins to delegate control of projects to teams.
- Repository Create grants users or groups the permission to create new repositories within the project.
Better security
The addition of project permissions and inheritance makes the security model much more flexible while also allowing for a much more secure configuration.
As mentioned above, workspace admin permissions are inherited by the project and each repository. This means that workspace admins now have full control of their workspace and access to everything. Workspace admins can no longer be removed from repository permissions, preventing repositories from being managed in the dark.
Because many customers currently have numerous workspace admins to compensate for a lack of delegation to projects, you may find it helpful to evaluate your current number of workspace admins and reduce that number accordingly.
Now that workspace admins have more control over the permissions granted from the workspace to repositories within each project, a few workspace admins should be able to delegate the management of projects to others, giving greater autonomy while following a more manageable workflow.
Finally, we are replacing the repository create permission for a group in a workspace with a new permission to create projects. This means that users can no longer create repositories in any random project but must instead have the permission to create a repository within a specific project. Groups can be granted the permission to create new projects but have no access to another team's projects.
This has been a wonderful project (no pun intended) to work on, and we encourage everyone to take full advantage of what project permissions brings to Bitbucket Cloud.
Please refer to our community post for more details on the changes introduced by project permissions and permission inheritance.