We noticed only product_store permissions can create a cleanup plan (with a name and due date) and dev team can add reports to that. How is that going to be useful for developers, meaning dev has to reach out every time if they need a new plan?

[SyamiliV]

We noticed only product admins can create a cleanup plan (with a name and due date) and dev team can add reports to that. How is that going to be useful for developers, meaning dev has to reach out every time if they need a new plan?

[SyamiliV]

There is a risk of deleting existing analysis runs - This could be problematic if developers accidentally or intentionally delete important historical data
we dont want to provide product_store permisisons for dev teams

[SyamiliV]

any input on this?

[bruntib]

Hi @SyamiliV,

Currently, the permission roles are not too granular, and this is by design. I'm not saying, that we can't change them, but the current behavior is intentional.

As for the cleanup plan, we assigned it to "admin" permissions, because we consider admins as a leader of the project, who organizes the daily work. In this regard, the admin is not only managing database connections and such, but does "scrum master"-like activities. The solution in the current setup would be setting project leaders as admins for the given product.

And for run deletion, everyone who can store a run, can also delete them. Currently, any developer can store runs to check their work and compare the results to other runs. These personal runs can be also deleted by them. Is it a valid scenario in your team, that someone should be able to store runs, but not to delete them? If not, then "store" access should be granted to CI people only, and regular developers should get "read" access only.

Could you describe the roles in your team and how it differs from the setup described above?

Thank you!

[SyamiliV]

so basically we are the admin who setup the codechecker tool for all developers, by default only we admins has PRODUCT_ACCESS + PRODUCT_VIEW + PRODUCT_STORE + PRODUCT_ADMIN. And rest for everyone, we created a group and that group has only PRODUCT_ACCESS + PRODUCT_VIEW access. basically they are developers. So i tested myself removed from PRODUCT_ADMIN and became part of PRODUCT_ACCESS + PRODUCT_VIEW + PRODUCT_STORE and i was able to create clean up plan.

[SyamiliV]

as there is no much documentation about cleanup plan, i also would like to know whether the clean up will done automatically once it reaches the due date. Or how often it does the cleanup or it wont do at all? Can u provide more information about the clean up process. We also want the clean up to happen eventually right instead of sitting there.

[bruntib]

It sounds interesting, that you could create a cleanup plan without PRODUCT_ADMIN access. It is supposed to print an error message that you are not authorized to execute this action. Is it possible that your user is the member of a group that has PRODUCT_ADMIN access? Or you could try logout/login after making sure that the admin access is withdrawn.

Maybe, there is a misunderstanding about the purpose of "cleanup plan" feature. The intention behind it was to group specific reports so they can be assigned to some teams to fix. So, by "cleanup" we mean that developers clean them up by fixing them and it is easy to filter these reports. So, the "cleanup plan" feature doesn't perform any activity on the reports, it is just an option for grouping and filtering purposes. Maybe it would be a nice future feature to explicitly assign the cleanup plans to specific users or groups, but this is currently not on our roadmap. Also, improving the documentation is a good idea, thanks for the feedback!