LDAP vs. READ Permissions

Hello,
all users of my SCM Manager installation can view all repositories on the server. The rights to each repository are only with the creators, but still everyone can see them. My SCM is connected to LDAP.
Where could my error be?
Thanks a lot!
Christian

Hey Christian,

it sounds like all users have a group which is permitted to read all repositories. I would check the group _authenticated first.

Edit: If you use anonymous access for SCM-Manager and the anonymous user account is permitted to see all repositories, all users could see your repositories without even being logged in.

Regards, Eduard

Dear Eduard,
thank you very much for your answer.
I have checked the SCM Anonymous. All permissions are disabled - no check mark.
The users of the _authenticated group are only allowed to create, archive and export repositories.
Thanks and greetings
Christian

Okay, you could also check:

  • Is there any group with “read all repositories” permission? Is anonymous user included?
  • Is this permission set on namespace level? Maybe for a group?

Besides direct permissions there are also “permission roles” which may allow read, write or owner access for your repositories.

I have only one group, called _authenticated. The checkmark is set at “Members of this group are managed by an external system”. The group is only authorized to create, archive or export repositories.
Where can I check “permission set on namespace level”?
Thanks a lot for your help!

Click this blue gear wheel on top of your repository namespace on your overview. But if you didn’t know about this it should be pretty unlikely.

Sorry I was just confused, I know of course they are namespaces. Permissions in all namespaces are empty. There are no group or user permissions transactions.

I was able to solve the problem. The group _authenticated must only have the right to create repositories. As soon as you give it the right to export or archive, every user of this group can also see all repositories. But this was not the case before one of the last updates. I think this is a bug.

Thank you for the report. We will discuss this and look for a solution.