getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

Add support for read-only access to projects #76860

Open seanhoughtonatvi opened 2 months ago

seanhoughtonatvi commented 2 months ago

Problem Statement

Problem

In large organizations some users need to view issues and especially dashboards related to the overall performance of a project. However, the current IAM system in Sentry requires they have read/write access as a "Contributor". This role grants write access to issues and is not appropriate for users who just need to view issues and dashboards.

Proposed Solution

Currently there are only two per-project user roles: "Team Contributor" and "Team Admin". Both have the following permission:

Can view and act on issues (such as assigning and resolving)

(see the Permissions documentation)

User roles are assigned as part of a team membership, so to solve this use case it appears that a new "Team Viewer" team role should be added. This role should just have permissions to view issues and dashboards but not alter or interact with the project in any other way.

Alternative (or additional) Solution

Adding dashboard permissions that are distinct from the projects that they source data from would also help. This may be a good feature to have in addition to adding a new "Team Viewer" role. Large organizations will likely create three teams for every project: myproject-contributors, myproject-admins, and myproject-guests, and if distinct dashboard permissions were an option, some projects may wish to only add the myproject-guests to the dashboards and not the project itself.

Solution Brainstorm

No response

Product Area

Unknown

getsantry[bot] commented 2 months ago

Assigning to @getsentry/support for routing ⏲️

getsantry[bot] commented 1 month ago

Routing to @getsentry/product-owners-settings-members for triage ⏲️

leedongwei commented 1 month ago

IIRC we had discussions on this a few years ago when introducing team-level roles but we didn't see any requests for it, so we didn't do it to have a simpler role-based access control.

Keeping this issue open so others can chime in if it's useful for them too.

MJ563 commented 1 week ago

Same issue here. A lot of people in our company would benefit from having access to the statistics and dashboards I have configured. Without a "read-only" role I cannot invite them. This feature would make a couple more use cases possible for us. Please consider implementing it. Thanks.