Roles and Permissions
This document explains how access control works in Codity and what permissions different users have.
Access Model
Codity uses a repository-based access model:
- Access is determined by your permissions in the version control system
- If you can access a repository in GitHub/GitLab/Azure DevOps, you can access it in Codity
- Organization/group membership determines repository visibility
User Roles
Repository Admin
Who has this role:
- Users with admin access to a repository in the version control system
What they can do:
- Connect/disconnect repositories
- Configure review instructions
- View all metrics and insights
- Manage repository settings
Repository Member
Who has this role:
- Users with read or write access to a repository
What they can do:
- View repository metrics and insights
- See review comments in pull requests/merge requests
- Trigger test generation (if enabled)
- Provide feedback on reviews
Organization Admin
Who has this role:
- Users with admin access to an organization/group
What they can do:
- Everything repository admins can do
- Manage organization-level settings
- View organization-wide metrics
- Manage organization members' access
Permission Inheritance
Permissions in Codity inherit from your version control system:
- GitHub: Permissions come from GitHub organization/repository settings
- GitLab: Permissions come from GitLab group/project settings
- Azure DevOps: Permissions come from Azure DevOps organization/project settings
Key point: Codity doesn't maintain a separate permission system. Your access in Codity matches your access in the version control system.
What You Can Access
Based on Repository Access
- Full access: If you have admin access to a repository, you can manage it in Codity
- Read access: If you have read access, you can view metrics and insights
- No access: If you don't have access to a repository, you won't see it in Codity
Based on Organization Access
- Organization admin: Can view and manage all repositories in the organization
- Organization member: Can view repositories you have access to
- No organization access: Cannot see organization repositories
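The access model above, written out as a deny-by-default check, as an added example rather than Codity's own code: the Codity role is derived only from the VCS permission level and organization admin status (no separate permission store), an organization admin inherits everything a repository admin can do, and a failed check is mapped back to the causes listed under "Common Permission Issues". The action names and function names are assumptions for illustration, not Codity identifiers.

```python
from enum import Enum
from typing import Optional

# VCS-side permission levels as the page describes them (admin / write / read / none).
class VcsPermission(Enum):
    NONE = 0
    READ = 1
    WRITE = 2
    ADMIN = 3

# Action names are assumed for this example; they mirror the bullet lists under "User Roles".
MEMBER_ACTIONS = {"view_repository", "view_metrics", "view_review_comments",
                  "trigger_test_generation", "provide_feedback"}
REPO_ADMIN_ACTIONS = MEMBER_ACTIONS | {"connect_repository", "configure_review_instructions",
                                       "manage_repository_settings"}
ORG_ADMIN_ACTIONS = REPO_ADMIN_ACTIONS | {"manage_org_settings", "view_org_metrics",
                                          "manage_member_access"}
ROLE_ACTIONS = {"org_admin": ORG_ADMIN_ACTIONS,
                "repo_admin": REPO_ADMIN_ACTIONS,
                "member": MEMBER_ACTIONS}

def codity_role(repo_perm: VcsPermission, is_org_admin: bool) -> Optional[str]:
    """Derive the Codity role purely from the VCS permission; None means the repo is invisible."""
    if is_org_admin:
        return "org_admin"          # org admins can view and manage all repos in the org
    if repo_perm is VcsPermission.ADMIN:
        return "repo_admin"
    if repo_perm in (VcsPermission.READ, VcsPermission.WRITE):
        return "member"
    return None                     # no VCS access: the repository is not shown at all

def allowed(repo_perm: VcsPermission, is_org_admin: bool, action: str) -> bool:
    """Deny by default: an action is permitted only if the derived role lists it."""
    return action in ROLE_ACTIONS.get(codity_role(repo_perm, is_org_admin), set())

def diagnose(repo_perm: VcsPermission, is_org_admin: bool, connected: bool, action: str) -> str:
    """Map a failed check to the causes named under 'Common Permission Issues'."""
    if codity_role(repo_perm, is_org_admin) is None:
        return "no access to repository in version control system"
    if not connected:
        return "repository not connected to Codity"
    if not allowed(repo_perm, is_org_admin, action):
        return "insufficient permissions (not a repository admin)"
    return "ok"
```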
Permission Scopes
Repository-Level Permissions
| Permission | Admin | Member | Viewer |
|---|---|---|---|
| View repository | | | |
| View metrics | | | |
| View review comments | | | |
| Configure review instructions | | | |
| Connect/disconnect repository | | | |
| Manage settings | | | |
Organization-Level Permissions
| Permission | Org Admin | Org Member |
|---|---|---|
| View organization repositories | | (own access) |
| View organization metrics | | (own access) |
| Manage organization settings | | |
| Manage member access | | |
Access Control Best Practices
For Administrators
- Review access regularly: Ensure only authorized users have access
- Use organization-level access: Grant access at organization level when possible
- Monitor usage: Review who is accessing what repositories
- Rotate tokens: Update tokens regularly for security
For Users
- Request access: If you need access to a repository, request it in the version control system
- Understand limitations: Know what you can and cannot do based on your role
- Report issues: Report any access issues to administrators
Common Permission Issues
"Repository Not Found"
Symptoms:
- Repository doesn't appear in dashboard
- "Access denied" when trying to view repository
Causes:
- No access to repository in version control system
- Repository not connected to Codity
- Organization/group membership changed
How to Fix:
- Verify repository access in version control system
- Request access if needed
- Check if repository is connected to Codity
"Cannot Configure Settings"
Symptoms:
- Settings page shows "Access denied"
- Cannot save review instructions
Causes:
- Insufficient permissions (not a repository admin)
- Token doesn't have write permissions
How to Fix:
- Verify you have admin access to repository
- Check token permissions
- Request admin access if needed
"Cannot View Metrics"
Symptoms:
- Dashboard shows "No data" or is empty
- Cannot see review history
Causes:
- No access to repository
- Repository not connected
- No reviews have been performed
How to Fix:
- Verify repository access
- Check if repository is connected
- Wait for reviews to be performed
Security Considerations
Token Permissions
- Minimal scopes: Tokens should have only necessary scopes
- Regular rotation: Rotate tokens regularly
- Revoke unused: Revoke tokens that are no longer needed
Access Auditing
- Monitor access: Review who has access to what
- Regular audits: Conduct regular access audits
- Remove unused access: Remove access for users who no longer need it