Currently, managing quality profiles (QP) is a global permission that, once assigned, allows a user or a group of users to create/edit/delete every QP available on the SonarQube instance.
As a consequence, most SonarQube admins keep this permission for themselves, to prevent any user from editing or deleting someone else's QP. This does not scale well in large companies, where the management of quality profiles ends up too centralized and therefore not flexible enough for dev teams.
As a user who has the global "Manage QP" permission, I can create a quality profile and give edit rights to specific users and/or groups:
- I go to the "Quality Profiles" page
- I create a new QP and land on the page of that QP
- Under the "Rules" tile, I've got another tile called "Permissions" under which I see:
  - A short text that says "Grant edit permission to users or groups"
  - "Add User" and "Add Group" buttons
- When I click on one of the buttons, a modal opens to select a user or a group (as when selecting the members of an org, for instance)
- Once I have selected (let's say) a user, it appears in the list of this "Permissions" tile, with a red cross next to it in case I want to remove it
Note: obviously, this "Permissions" tile is not available on built-in QP because it must be impossible to grant edit rights on built-in QP (they are read-only by definition).
As a user, when I am on the page of a QP for which I have edit rights, I have the same user experience as the user who has the global "Manage QP" permission, i.e. I can add/remove users or groups.
To keep this MMF as "minimal" as possible and make sure we can make it for LTS, we restricted the scope of this feature to the "edit permission" on a QP. This means that it's not possible to delegate the creation of QP, a responsibility that still belongs to the global "Manage QP" permission.
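
The rules above, modeled as a small authorization check. This is an added example, not SonarQube code: every class, function and field name in it is hypothetical.

```python
# Added illustration: hypothetical model of the delegation rules in this MMF.
# None of these names come from SonarQube; they are assumptions for the example.
from dataclasses import dataclass, field


@dataclass
class User:
    login: str
    groups: frozenset = frozenset()
    manage_qp: bool = False  # the global "Manage QP" permission


@dataclass
class Profile:
    name: str
    built_in: bool = False
    edit_users: set = field(default_factory=set)
    edit_groups: set = field(default_factory=set)


def can_create(user):
    # Creation is not delegable: only the global permission allows it.
    return user.manage_qp


def can_edit(user, profile):
    # Built-in profiles are read-only, even for holders of "Manage QP".
    if profile.built_in:
        return False
    return (user.manage_qp
            or user.login in profile.edit_users
            or bool(user.groups & profile.edit_groups))


def grant_edit(actor, profile, *, login=None, group=None):
    # Editors get the same "Permissions" tile, so they may grant as well.
    # The check is per profile: a grant on one QP never applies to another.
    if not can_edit(actor, profile):
        raise PermissionError(f"{actor.login} cannot manage {profile.name}")
    if login:
        profile.edit_users.add(login)
    if group:
        profile.edit_groups.add(group)


def revoke_edit(actor, profile, *, login=None, group=None):
    if not can_edit(actor, profile):
        raise PermissionError(f"{actor.login} cannot manage {profile.name}")
    profile.edit_users.discard(login)
    profile.edit_groups.discard(group)
```

Because an editor can add and remove other editors, a single grant is effectively transitive within that one profile, which is worth covering when reviewing who can change a QP.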