---
component: ROOT
version: "2026.1"
slug: ROOT/administration/permissions-and-roles
canonical_url: "https://docs.gradle.com/develocity/2026.1/administration/access-control/permissions-and-roles/"
title: "Permissions and Roles"
description: "Manage user access in Develocity using Role-Based Access Control (RBAC)."
keywords: []
status: current
---


# Permissions and Roles

<a id="preamble"></a>

Define and audit system access by assigning roles, whether manually in the UI or via your identity provider.

This ensures all users and groups have the granular permissions their responsibilities require.

<a id="permissions-definitions"></a>

## Permission Definitions

Permissions are the individual building blocks of access. The following permissions can be combined to create custom roles or used to understand the capabilities of predefined roles.

The following table describes Develocity permissions and lists the corresponding configuration file values:

<a id="permissions"></a>

<table id="permissions" class="tableblock frame-all grid-all stretch"><colgroup><col style="width: 28.5714%;"> <col style="width: 14.2857%;"> <col style="width: 57.1429%;"></colgroup><tbody><tr><td class="tableblock halign-left valign-top">Permission</td><td class="tableblock halign-left valign-top">Config value</td><td class="tableblock halign-left valign-top">Description</td></tr><tr><th class="tableblock halign-left valign-top" colspan="3">Build data</th></tr><tr><td class="tableblock halign-left valign-top">View Build Scans and build data</td><td class="tableblock halign-left valign-top">viewScan</td><td class="tableblock halign-left valign-top">Allows you to view Build Scans and associated build data.</td></tr><tr><td class="tableblock halign-left valign-top">Publish Build Scans</td><td class="tableblock halign-left valign-top">publishScan</td><td class="tableblock halign-left valign-top">Allows you to publish Build Scans.</td></tr><tr><td class="tableblock halign-left valign-top">Access build data via the API</td><td class="tableblock halign-left valign-top">exportData</td><td class="tableblock halign-left valign-top">Allows you to access the Develocity API.</td></tr><tr><td class="tableblock halign-left valign-top">Delete build scans</td><td class="tableblock halign-left valign-top">deleteScan</td><td class="tableblock halign-left valign-top">Allows you to delete any Build Scan that you have access to.</td></tr><tr><th class="tableblock halign-left valign-top" colspan="3">Test acceleration</th></tr><tr><td class="tableblock halign-left valign-top">Use Test Distribution</td><td class="tableblock halign-left valign-top">testDistribution</td><td class="tableblock halign-left valign-top">Allows you to use Test Distribution.</td></tr><tr><td class="tableblock halign-left valign-top"><a id="use-predictive-test-selection"></a>Use Predictive Test Selection</td><td class="tableblock halign-left valign-top">predictiveTestSelection</td><td class="tableblock halign-left 
valign-top">Allows you to use Predictive Test Selection.</td></tr><tr><th class="tableblock halign-left valign-top" colspan="3">Build caching</th></tr><tr><td class="tableblock halign-left valign-top">Read Build Cache data</td><td class="tableblock halign-left valign-top">readCache</td><td class="tableblock halign-left valign-top">Allows you to read Build Cache data.</td></tr><tr><td class="tableblock halign-left valign-top">Read and write Build Cache data</td><td class="tableblock halign-left valign-top">writeCache</td><td class="tableblock halign-left valign-top">Allows you to read and write Build Cache data.</td></tr><tr><td class="tableblock halign-left valign-top">Read Build Cache data and write Bazel CAS data</td><td class="tableblock halign-left valign-top">readCacheWriteCas</td><td class="tableblock halign-left valign-top">Allows you to read Build Cache data and write data to the content-addressable storage exposed by the Build Cache’s Bazel functionality. If you typically assign read-only access to the cache for developers and write access only for CI, consider granting this permission to developers who use Bazel. 
The readCacheWriteCas permission allows developers using Bazel to benefit from richer local Build Scans while maintaining a similar level of security.</td></tr><tr><th class="tableblock halign-left valign-top" colspan="3">Projects</th></tr><tr><td class="tableblock halign-left valign-top"><a id="access-data-without-associated-project"></a>Access all data without an associated project</td><td class="tableblock halign-left valign-top">accessDataWithoutAssociatedProject</td><td class="tableblock halign-left valign-top">Allows you to access and push data that’s not associated with a project.</td></tr><tr><td class="tableblock halign-left valign-top"><a id="access-all-data-with-or-without-associated-project"></a>Access all data with or without associated project</td><td class="tableblock halign-left valign-top">accessAllDataWithOrWithoutAssociatedProject</td><td class="tableblock halign-left valign-top">Allows you to access and push all data for all projects, and data that’s not associated with a project.</td></tr><tr><th class="tableblock halign-left valign-top" colspan="3">Administration</th></tr><tr><td class="tableblock halign-left valign-top">Configure Edge nodes</td><td class="tableblock halign-left valign-top">administerEdges</td><td class="tableblock halign-left valign-top">Allows you to configure Edge node functionality.</td></tr><tr><td class="tableblock halign-left valign-top">Configure Build Caching</td><td class="tableblock halign-left valign-top">administerCache</td><td class="tableblock halign-left valign-top">Allows you to configure Build Cache functionality.</td></tr><tr><td class="tableblock halign-left valign-top">Configure Test Distribution</td><td class="tableblock halign-left valign-top">administerTestDistribution</td><td class="tableblock halign-left valign-top">Allows you to configure Test Distribution functionality.</td></tr><tr><td class="tableblock halign-left valign-top"><a id="configure-projects-permission"></a>Configure projects</td><td 
class="tableblock halign-left valign-top">administerProjects</td><td class="tableblock halign-left valign-top">Allows you to configure projects and project groups for project-level access control from the Administration console or by using the Develocity API.</td></tr><tr><td class="tableblock halign-left valign-top"><a id="configure-access-control-permission"></a>Configure access control</td><td class="tableblock halign-left valign-top">administerAccessControl</td><td class="tableblock halign-left valign-top">Allows you to configure access control settings, including user management and identity provider configuration.</td></tr><tr><td class="tableblock halign-left valign-top"><a id="configure-operational-settings-permission"></a>Configure operational settings</td><td class="tableblock halign-left valign-top">administerOperationalSettings</td><td class="tableblock halign-left valign-top">Allows you to configure operational settings, such as disk space management and email settings.</td></tr><tr><td class="tableblock halign-left valign-top">Generate support bundles</td><td class="tableblock halign-left valign-top">generateSupportBundle</td><td class="tableblock halign-left valign-top">Allows you to generate support bundles.</td></tr></tbody></table>

> [!WARNING]
> Permissions such as [Configure access control](#configure-access-control-permission) and [Configure operational settings](#configure-operational-settings-permission) allow privilege escalation.

> [!NOTE]
> The [Access all data without an associated project](#access-data-without-associated-project) and [Access all data with or without associated project](#access-all-data-with-or-without-associated-project) permissions are granted to all users automatically when [project-level access control](https://docs.gradle.com/develocity/2026.1/administration/access-control/project-level-access-control/) is disabled.

You manage permissions by assigning roles to users, either in Develocity or by mapping roles from an external identity provider. Both methods are described later on this page.

Develocity includes a basic set of preconfigured roles, shown in the following table.

<a id="predefined-roles"></a>

## Predefined Roles

Develocity includes several predefined roles designed to cover the most common user personas.

<table class="tableblock frame-all grid-all stretch"><colgroup><col style="width: 11.1111%;"> <col style="width: 11.1111%;"> <col style="width: 33.3333%;"> <col style="width: 44.4445%;"></colgroup><tbody><tr><td class="tableblock halign-left valign-top">Role</td><td class="tableblock halign-left valign-top">Display name</td><td class="tableblock halign-left valign-top">Description</td><td class="tableblock halign-left valign-top">Permissions</td></tr><tr><td class="tableblock halign-left valign-top">admin</td><td class="tableblock halign-left valign-top">Administrator</td><td class="tableblock halign-left valign-top">Administer Develocity</td><td class="tableblock halign-left valign-top">Configure Edge nodes<br>Configure Build Caching<br>Configure Test Distribution<br>Configure projects<br>Configure access control<br>Configure operational settings<br>Generate support bundles<br>Delete build scans</td></tr><tr><td class="tableblock halign-left valign-top">api-client</td><td class="tableblock halign-left valign-top">API Client</td><td class="tableblock halign-left valign-top">Access build data via the API. Doesn’t include access to the administrative API endpoints.</td><td class="tableblock halign-left valign-top">Access build data via the API</td></tr><tr><td class="tableblock halign-left valign-top">ci-agent</td><td class="tableblock halign-left valign-top">CI Agent</td><td class="tableblock halign-left valign-top">Use Develocity for CI builds</td><td class="tableblock halign-left valign-top">Publish Build Scans<br>Use Test Distribution<br>Use Predictive Test Selection<br>Read Build Cache data<br>Read and write Build Cache data<br>Access all data without an associated project<br>Access all data with or without associated project</td></tr><tr><td class="tableblock halign-left valign-top">developer</td><td class="tableblock halign-left valign-top">Developer</td><td class="tableblock halign-left valign-top">Use Develocity</td><td class="tableblock halign-left valign-top">View Build Scans and build data<br>Publish Build Scans<br>Use Test Distribution<br>Use Predictive Test Selection<br>Read Build Cache data<br>Read Build Cache data and write Bazel CAS data</td></tr></tbody></table>

For externally managed user accounts (LDAP or SAML 2.0), roles can be managed locally or by group/role membership defined by the provider. When using provider-defined membership, each Develocity role can be mapped to one external group/role.

> [!NOTE]
> Custom roles: You can create custom roles to meet specific security requirements by navigating to **Administration** > **Access control** > **Roles**.

<a id="custom-roles"></a>

## Custom Roles

<a id="configure-via-the-user-interface"></a>

### Configure via the User Interface

To create and manage custom roles in the Develocity UI:

1.  Log in to Develocity as a user with the **Administrator** role.
    
2.  Navigate to **Administration** > **Access control** > **Roles**.
    
3.  Select **Add Role** to create a new role.
    
4.  Enter a name and description for the role.
    
5.  Select the desired permissions for the role.
    
6.  Click **Save** to store the role.
    
7.  Click **Apply** in the upper-right corner to activate the changes.
    

> [!IMPORTANT]
> Changes to access control settings may take up to 20 minutes to propagate through the various components of Develocity.

![Custom Role Creation in Develocity UI](https://docs.gradle.com/develocity/2026.1/administration/access-control/permissions-and-roles/../../_images/dv-ui-custom-role.png)

Custom Role Creation in Develocity UI

<a id="configure-via-unattended-configuration"></a>

### Configure via Unattended Configuration

If you are managing Develocity using a GitOps or automated workflow, you can define the global settings using [Unattended Configuration](https://docs.gradle.com/develocity/2026.1/administration/unattended-configuration/). Depending on your deployment strategy, you can provide these settings either as **Integrated** configuration within your _values.yaml_ or as a **Standalone** configuration file.

```yaml
version: 15
systemPassword: "«hashed-system-password»"
auth:
  anonymousPermissions:
    - viewScan
    - publishScan
    - predictiveTestSelection
  external: null
  projects:
    acceptAnonymousProjects: true
    enabled: false
  roles:
    acme-role:
      assignToNewExternalUsers: false
      description: ACME example role
      displayName: ACME Role
      identityProviderAttributeValue: null
      permissions:
        - publishScan
```
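
The following audit is an added example, not part of the Develocity documentation or product. It checks a configuration laid out like the one above for permission values missing from the table on this page, administrative permissions granted to anonymous users, and roles holding the permissions the warning names as allowing privilege escalation. The function name, severity labels and sample input are constructed, and reading `assignToNewExternalUsers: true` as "given to every new external user" is an assumption based on the key name.

```ruby
require 'yaml'

# Config values from the "Permission Definitions" table on this page.
KNOWN = %w[viewScan publishScan exportData deleteScan testDistribution
           predictiveTestSelection readCache writeCache readCacheWriteCas
           accessDataWithoutAssociatedProject accessAllDataWithOrWithoutAssociatedProject
           administerEdges administerCache administerTestDistribution administerProjects
           administerAccessControl administerOperationalSettings generateSupportBundle].freeze
# The two permissions the page's warning names as allowing privilege escalation.
ESCALATION = %w[administerAccessControl administerOperationalSettings].freeze
# The "Administration" group of the table.
ADMIN = (KNOWN.select { |p| p.start_with?('administer') } + ['generateSupportBundle']).freeze

# Returns an array of [severity, subject, message] findings (hypothetical helper).
def audit_access_config(yaml_text)
  auth = (YAML.safe_load(yaml_text) || {})['auth'] || {}
  findings = []
  anon = Array(auth['anonymousPermissions'])
  (anon - KNOWN).each { |p| findings << [:error, 'anonymous', "unknown permission #{p}"] }
  (anon & ADMIN).each do |p|
    findings << [:high, 'anonymous', "administrative permission #{p} granted to anonymous users"]
  end
  (auth['roles'] || {}).each do |name, role|
    perms = Array((role || {})['permissions'])
    (perms - KNOWN).each { |p| findings << [:error, name, "unknown permission #{p}"] }
    esc = perms & ESCALATION
    next if esc.empty?
    # Assumption: assignToNewExternalUsers gives the role to every new external user.
    if role['assignToNewExternalUsers']
      findings << [:high, name, "#{esc.join(', ')} assigned to every new external user"]
    else
      findings << [:review, name, "holds #{esc.join(', ')}"]
    end
  end
  findings
end

# Constructed sample input (not a real deployment).
SAMPLE = <<~YAML
  version: 15
  auth:
    anonymousPermissions: [viewScan, administerCache]
    roles:
      acme-role: {assignToNewExternalUsers: false, permissions: [publishScan]}
      ops-role:
        assignToNewExternalUsers: true
        permissions: [viewScan, administerOperationalSettings, publishScans]
YAML

audit_access_config(SAMPLE).each { |f| puts f.join(' | ') } if __FILE__ == $PROGRAM_NAME
```

For an integrated configuration, pass the text of the section of _values.yaml_ that holds these settings rather than the whole file.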

<a id="deployment-templates"></a>

#### Deployment Templates

Download the appropriate YAML template to begin your infrastructure configuration.

_For Develocity versions 2025.3 and prior, see the [2025.2 Administration Guide](https://docs.gradle.com/develocity/legacy/helm-admin/2025.2) or the [2025.3 Administration Manual](https://docs.gradle.com/develocity/2025.3/administration/admin-manual/)._

<table><tbody><tr><td class="hdlist1"><strong>Cluster Deployment</strong></td><td class="hdlist2">Example template for cluster orchestration. gradle-enterprise-config-schema-15.yaml | SHA256 | ASC | ASC SHA256</td></tr><tr><td class="hdlist1"><strong>Standalone Deployment</strong></td><td class="hdlist2">Example template for standalone setup. gradle-standalone-config-schema-15.yaml | SHA256 | ASC | ASC SHA256</td></tr></tbody></table>

> [!IMPORTANT]
> **Pre-deployment Checklist**
>
> *   **Backup:** Export your current settings via **Administration** > **Import/export** before applying changes.
> *   **Deployment:** After updating your _values.yaml_, re-deploy using Helm.
> *   **Impact:** This triggers service restarts and may take several minutes to complete. See [Unattended Configuration](https://docs.gradle.com/develocity/2026.1/administration/unattended-configuration/) for details.

<a id="managing-role-assignments"></a>

## Managing Role Assignments

You can assign roles to users through two primary methods:

<a id="manual-assignment-local"></a>

### Manual Assignment (Local)

For local users or specific overrides, manage roles directly in the UI:

1.  Navigate to **Administration** > **Access control** > **Users**.
    
2.  Select a user and check the desired roles.
    
3.  Click **Save**.
    

<a id="identity-provider-mapping-external"></a>

### Identity Provider Mapping (External)

For SAML or LDAP users, roles are typically mapped from your organization’s groups:

1.  Navigate to **Administration** > **Access control** > **Identity provider**.
    
2.  In the **Role membership** section, select **Defined by identity provider**.
    
3.  Map your external group names (e.g., `dev-team-lead`) to Develocity roles (e.g., `Administrator`).
    

<a id="related-tasks"></a>

## Related Tasks

*   [Bootstrapping with the System User](https://docs.gradle.com/develocity/2026.1/administration/access-control/system-user/)
    
*   [Configuring SAML/LDAP](https://docs.gradle.com/develocity/2026.1/administration/access-control/identity-provider/)
    
*   [Restricting Access by Project](https://docs.gradle.com/develocity/2026.1/administration/access-control/project-level-access-control/)