Remove 'Access management' from 'Creator' access (BB-13850)

Issue #11625 open
Jesse Yowell
staff created an issue

For those who are given 'Creator' access on a repository, they also have admin access over the repo (create / delete / invite ). The problem here is that this person can add users and essentially trigger an auto-upgrade. It would be nice to have creator access without access to 'Access management'

Comments (5)

  1. Charles Chan

    Background: This is especially a concern for team accounts, because we want to grant team members the ability to "Create Repository". However, these members should not be allowed to invite others -- especially those outside of the team.

    I am not sure the internal design of Bitbucket. Perhaps when a person creates a new team owned repo, the system automatically assigns the team account as the "Creator" as well?

    Ultimately, the goal is to be able to support finer grain controls in order to separate the permission for create/delete new repo and the permission for repo access management.

  2. Ken Norris

    Our team account was bit by this. A user, without the financial authority to increase our subscription level, invited a new user who was not part of the team to share a repo created by the team member. This new user exceeded our subscription pool and triggered an automatic upgrade. I do not want to restrict our users from inviting people to share repos - that's why we are using BitBucket in the first place. What I do not want is to have a user commit our company financially when their invitation exceeds the account limit.

  3. Log in to comment