Permissions and Roles


Define and audit system access by assigning roles, whether manually in the UI or via your identity provider.

This ensures all users and groups have the granular permissions their responsibilities require.

Permission Definitions

Permissions are the individual building blocks of access. The following permissions can be combined to create custom roles or used to understand the capabilities of predefined roles.

The following table describes Develocity permissions and lists the corresponding configuration file values:

| Permission | Config value | Description |
| --- | --- | --- |
| Build data | | |
| View Build Scans and build data | viewScan | Allows you to view Build Scans and associated build data. |
| Publish Build Scans | publishScan | Allows you to publish Build Scans. |
| Access build data via the API | exportData | Allows you to access the Develocity API. |
| Delete build scans | deleteScan | Allows you to delete any Build Scan that you have access to. |
| Test acceleration | | |
| Use Test Distribution | testDistribution | Allows you to use Test Distribution. |
| Use Predictive Test Selection | predictiveTestSelection | Allows you to use Predictive Test Selection. |
| Build caching | | |
| Read Build Cache data | readCache | Allows you to read Build Cache data. |
| Read and write Build Cache data | writeCache | Allows you to read and write Build Cache data. |
| Read Build Cache data and write Bazel CAS data | readCacheWriteCas | Allows you to read Build Cache data and write data to the content-addressable storage exposed by the Build Cache’s Bazel functionality. If you typically assign read-only access to the cache for developers and write access only for CI, consider granting this permission to developers who use Bazel. The readCacheWriteCas permission allows developers using Bazel to benefit from richer local Build Scans while maintaining a similar level of security. |
| Projects | | |
| Access all data without an associated project | accessDataWithoutAssociatedProject | Allows you to access and push data that’s not associated with a project. |
| Access all data with or without associated project | accessAllDataWithOrWithoutAssociatedProject | Allows you to access and push all data for all projects, and data that’s not associated with a project. |
| Administration | | |
| Configure Edge nodes | administerEdges | Allows you to configure Edge node functionality. |
| Configure Build Caching | administerCache | Allows you to configure Build Cache functionality. |
| Configure Test Distribution | administerTestDistribution | Allows you to configure Test Distribution functionality. |
| Configure projects | administerProjects | Allows you to configure projects and project groups for project-level access control from the Administration console or by using the Develocity API. |
| Configure access control | administerAccessControl | Allows you to configure access control settings, including user management and identity provider configuration. |
| Configure operational settings | administerOperationalSettings | Allows you to configure operational settings, such as disk space management and email settings. |
| Generate support bundles | generateSupportBundle | Allows you to generate support bundles. |

Permissions such as Configure access control and Configure operational settings allow privilege escalation.

You manage permissions by assigning roles to users, either in Develocity or by mapping roles from an external identity provider. Both methods are described later on this page.

Develocity includes a basic set of preconfigured roles, shown in the following table.

Predefined Roles

Develocity includes several predefined roles designed to cover the most common user personas.

| Role | Display name | Description | Permissions |
| --- | --- | --- | --- |
| admin | Administrator | Administer Develocity | Configure Edge nodes; Configure Build Caching; Configure Test Distribution; Configure projects; Configure access control; Configure operational settings; Generate support bundles; Delete build scans |
| api-client | API Client | Access build data via the API. Doesn’t include access to the administrative API endpoints. | Access build data via the API |
| ci-agent | CI Agent | Use Develocity for CI builds | Publish Build Scans; Use Test Distribution; Use Predictive Test Selection; Read Build Cache data; Read and write Build Cache data; Access all data without an associated project; Access all data with or without associated project |
| developer | Developer | Use Develocity | View Build Scans and build data; Publish Build Scans; Use Test Distribution; Use Predictive Test Selection; Read Build Cache data; Read Build Cache data and write Bazel CAS data |

For externally managed user accounts (LDAP or SAML 2.0), roles can be managed locally or by group/role membership defined by the provider. When using provider-defined membership, each Develocity role can be mapped to one external group/role.

Custom roles: You can create custom roles to meet specific security requirements by navigating to Administration > Access control > Roles.

Custom Roles

Configure via the User Interface

To create and manage custom roles in the Develocity UI:

  1. Log in to Develocity as a user with the Administrator role.

  2. Navigate to Administration > Access control > Roles.

  3. Select Add Role to create a new role.

  4. Enter a name and description for the role.

  5. Select the desired permissions for the role.

  6. Click Save to store the role.

  7. Click Apply in the upper-right corner to activate the changes.

Changes to access control settings may take up to 20 minutes to propagate through the various components of Develocity.

Custom Role Creation in Develocity UI

Configure via Unattended Configuration

If you are managing Develocity using a GitOps or automated workflow, you can define the global settings using Unattended Configuration. Depending on your deployment strategy, you can provide these settings either as Integrated configuration within your values.yaml or as a Standalone configuration file.

version: 15
auth:
  anonymousPermissions:
    - viewScan
    - publishScan
    - predictiveTestSelection
  external: null
  projects:
    acceptAnonymousProjects: true
    enabled: false
  roles:
    acme-role:
      assignToNewExternalUsers: false
      description: ACME example role
      displayName: ACME Role
      identityProviderAttributeValue: null
      permissions:
        - publishScan
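
A configuration like the one above can be checked before it is deployed. The following Ruby script is an added example, not part of Develocity or its documentation: it validates every permission against the config values in the permissions table and flags the two permissions this page names as allowing privilege escalation, marking them more severely when they are granted to anonymous users or to a role with assignToNewExternalUsers set. The acme-ops role, the finding labels and the reading of assignToNewExternalUsers as "granted without an explicit assignment" are assumptions made for the example.

```ruby
require 'yaml'
# Config values from the permissions table on this page.
KNOWN = %w[
  viewScan publishScan exportData deleteScan testDistribution
  predictiveTestSelection readCache writeCache readCacheWriteCas
  accessDataWithoutAssociatedProject accessAllDataWithOrWithoutAssociatedProject
  administerEdges administerCache administerTestDistribution administerProjects
  administerAccessControl administerOperationalSettings generateSupportBundle
].freeze
# The two permissions the page names as allowing privilege escalation.
ESCALATING = %w[administerAccessControl administerOperationalSettings].freeze

# Returns [subject, finding, permission] triples for the auth section.
def audit_auth(yaml_text)
  auth = YAML.safe_load(yaml_text).fetch('auth', {}) || {}
  subjects = { 'anonymous' => { 'permissions' => auth['anonymousPermissions'] } }
  (auth['roles'] || {}).each { |name, role| subjects["role:#{name}"] = role || {} }
  subjects.flat_map do |subject, role|
    (role['permissions'] || []).flat_map do |perm|
      found = []
      found << [subject, 'unknown-permission', perm] unless KNOWN.include?(perm)
      if ESCALATING.include?(perm)
        # Assumption: anonymous access and auto-assigned roles reach users by default.
        broad = subject == 'anonymous' || role['assignToNewExternalUsers']
        found << [subject, broad ? 'escalation-granted-by-default' : 'escalation', perm]
      end
      found
    end
  end
end

# Constructed sample: acme-ops is hypothetical and "viewScans" is a deliberate typo.
SAMPLE = <<~CONFIG
  auth:
    anonymousPermissions:
      - viewScan
    roles:
      acme-role:
        assignToNewExternalUsers: false
        permissions:
          - publishScan
      acme-ops:
        assignToNewExternalUsers: true
        permissions:
          - administerOperationalSettings
          - viewScans
CONFIG

audit_auth(SAMPLE).each { |finding| puts finding.join("\t") }
```

An empty result means every permission is a known config value and no role or anonymous grant carries either escalation permission.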

Deployment Templates

Download the appropriate YAML template to begin your infrastructure configuration.

For Develocity versions 2025.3 and prior, see the 2025.2 Administration Guide or the 2025.3 Administration Manual.

Cluster Deployment

Example template for cluster orchestration.
gradle-enterprise-config-schema-15.yaml | SHA256 | ASC | ASC SHA256

Standalone Deployment

Example template for standalone setup.
gradle-standalone-config-schema-15.yaml | SHA256 | ASC | ASC SHA256

Pre-deployment Checklist

  • Backup: Export your current settings via Administration > Import/export before applying changes.

  • Deployment: After updating your values.yaml, re-deploy using Helm.

  • Impact: This triggers service restarts and may take several minutes to complete.

See Unattended Configuration for details.

Managing Role Assignments

You can assign roles to users through two primary methods:

Manual Assignment (Local)

For local users or specific overrides, manage roles directly in the UI:

  1. Navigate to Administration > Access control > Users.

  2. Select a user and check the desired roles.

  3. Click Save.

Identity Provider Mapping (External)

For SAML or LDAP users, roles are typically mapped from your organization’s groups:

  1. Navigate to Administration > Access control > Identity provider.

  2. In the Role membership section, select Defined by identity provider.

  3. Map your external group names (e.g., dev-team-lead) to Develocity roles (e.g., Administrator).