1. Bitbucket
  2. Public Issue Tracker
  3. master
  4. Issues

Issues

Issue #5148 resolved

Repos transferred to a team retain creator status (and admin privs) (BB-6427)

Benjamin McCann
created an issue

My friends and I started a company together and each owned a few repos. We transferred ownership of those repos to a team account. However, now that the team account owns them we cannot remove the creator under "Access management". Does being "creator" confer you any read or write permissions? If any of us were to leave the company, then the company should be able to remove us from the repos.

Comments (53)

  1. Dylan Etkin

    Hi Ben,

    The creator is like the owner.

    However they only have access as long as they have the create repo permission for that team.

    So if one of your members leaves you should revoke them from your groups (including the one that provides create access).

    Once removed from the group they will lose access to the repo.

    Cheers,

    Dylan

  2. Jon Haynes

    I disagree that this is an invalid ticket. I have created a repository on bitbucket for my team and we have a developer/maintainer development model.

    When I set up the repository initially I needed to push to it as I was doing the migration from subversion.

    But now my role returns to 'normal' as a developer not a maintainer of this project so I wish to change my permission to be read-only as I no longer want to push commits directly to this repository (as that's the maintainers job).

  3. Dmitry Tretyakov

    I disagree with Invalid status too. I've the same case as a previous commenter and I want to revoke access to the repositories which was created by me in the team account.

    When I've no "create repository" rights in the team account I've no admin rights in such repositories, but when get rights to create a new repositories at the same time I get admin rights to such repositories and cannot get rid of them.

  4. David Alger

    I also disagree with the invalid status of this. My scenario is this: one of our developers creates a repo in our teams account to get a project up and running. I don't want that individual to maintain administration rights over the repository, only the teams account (as owner) and I should have admin rights. They still need read/write which is provided by a developer user group which we add to all repos. So now I can't remove the 'admin' status of this user because they created the repository initially.

    Please make a way for us to transfer the 'creator' role of repositories owned by teams accounts!

  5. Erik van Zijst staff

    I agree that this is not an invalid issue. You do raise a real issue of not being able to demote (but not completely removing from the team) the repo creator from admin to read-only.

    However, at this time we have no plans to change the way team permissions are handled and so I'm changing the status to wontfix.

    Everyone is still free to continue discussions and vote on it. Votes help us prioritize future features.

  6. Madhav V

    +1 I still can't remove the creator. Why?.

    The employee that created the repo is no longer working for us. I should be able to change the creator or remove him from it.

  7. Sam Blowes

    +1

    This is a serious issue, and conflicts with our Auditors, SOX, and PCI compliance. To work around it, we have to delete the repository and re add it.

    This should be treated as critical and in my opinion, should not have been open for almost 1 year.

  8. James Yoneda

    Just ran into this myself. The person who created a repo is now on other repos. I don't want to remove them from the overall group, I just need to remove them from this specific repo. I can't. Why???

  9. Matthias Zillig

    +5 ;-) I created the repo for a client. I have contracts to destroy everything after the job. Hmm. Now I still have my user as creator in the admins of his sources. Additionally he is loosing one license. Not really a feel good situation. I've told him to solve security and process problems not to create new issues...

  10. Joseph Keller

    The fact that I cannot remove a creator from a repository is unsettling for software who has a critical purpose to control permissions on created content. Known and problematic issue for 2.5 yrs.

  11. Erik van Zijst staff

    The fact that I cannot remove a creator from a repository is unsettling for software who has a critical purpose to control permissions on created content.

    The fact that the repo was created by a certain user does not automatically give that user any access to it. If you remove the user from the team (by removing them from all groups), they cease to have any level of access to it.

  12. Roger Vaughn

    The fact that the repo was created by a certain user does not automatically give that user any access to it.

    Incorrect. Unless Atlassian has changed this in the past few days, the creator of a repo automatically has admin access to it as long as he or she remains a team member. It is not possible to keep a repo creator in the team but revoke their implicit admin rights to repos they have created.

    Yes, a creator loses those rights if you remove them from all groups, but we can hardly kick all of our users out of our team accounts.

  13. Erik van Zijst staff

    has admin access to it as long as he or she remains a team member.

    I believe that's what I said.

    The thinking behind the current behavior was that if a user is able to create repos under a team (they're in a group that has the ability to create repos), then they should also be able to write to and generally manage that repo. Merely creating the repo, without the ability to then configure its settings (admin access), didn't seem very useful.

    Having said all that, there is a project underway to rethink how teams on Bitbucket and other Atlassian products should work and so it's not inconceivable that things might change in the (not so short-term) future.

  14. Lior Zamir

    The thinking behind the current behavior was that if a user is able to create repos under a team (they're in a group that has the ability to create repos), then they should also be able to write to and generally manage that repo. Merely creating the repo, without the ability to then configure its settings (admin access), didn't seem very useful.

    It may seem logical that a repository's creator has rights to the repos he creates, but if he transfers his repository, why must he retain these permissions?

  15. Alejandro Guerrieri

    Precisely, the fact that ownership cannot be completely controlled by an administrator makes it very enterprise-unfriendly. It is not unusual for people to start a project in their personal account and then transfer it to the corporate account. This limitation makes it impossible for the company to actually control the ownership of those cases.

  16. Erik van Zijst staff

    Actually, that's a very good point. Transfers should probably not retain the original creator. I had not considered repo transfers (poor reading on my part, it's in the issue description, but mostly went by the title).

  17. Max Wolter

    This has been an issue for 2.5 years now. It's a major blocker for any company that enforces any sort of decent risk management & compliance policies.

    Having a repository creator is completely unnecessary, all that's needed is the owner, who can transfer the repository as he/she sees fit.

  18. Wojciech Duda

    Voted for fixes, transfer should remove the creator. Very troublesome as our team had to forcefully remove a person that tried to hurt the company, and they were creator on some repositories.

    Also Erik van Zijst, did you just admit of NOT READING a ticket description but setting to WONTFIX at some point anyway?

  19. Juan Nin

    Being able to remove a creator is a must in my opinion. Not only when doing a transfer, but as others mentioned, you should be able to just remove a creator.

    Someone might create a repository and later be moved to another project, where the user is still a member of your Team but you don't want him to have access anymore to that repository, or due to whatever reason you don't want the user to have admin rights over that repository anymore.

  20. Marcus Bertrand staff

    Hi all,

    We've changed the behavior of creator access. From now on, when a user creates a repository, they will be added to the repository explicitly under access management with admin access. You are now able to remove that user by visiting the repository's settings.

    This change allows any team admin the ability to restrict or remove the creator from the repository at any time. For existing repositories, we're working through every repository on Bitbucket to convert the creator to have direct access, assuming that user still belongs to the team, and still has the ability to create repositories under that team. When we encounter a creator who does not, we will remove them from the repo entirely.

    This behavior and the previous 'magic' creator access has always depended on the 'can create repositories' permission that is found on the User groups management screen of your Team admin. If a user can create a repository, the assumption is that they should also be able to add other users. We will continue to make this assumption at this time, but we are considering further changes, such as not allowing any users outside of the team to be added directly to a repository.

    If you don't see this change in your repo yet, you can make any small change to your repository description (or any other field on general settings) to trigger the update now. We should be done converting all the creators soon.

    Cheers, Marcus

  21. Aris Synodinos

    Is there a configuration in Bitbucket that sets the default access of a repository creator. Marcus Bertrand states that the repository creator becomes admin by default, but can be removed at a later stage. It would be useful if the repository creator could only get write access to the repository he created, to avoid the hassle of always going in the repos and removing them from admins.

  22. Log in to comment