Replies: 2 comments
-
Uhm, additionally I just noticed that it seems access permissions are not cloned for the project. I would expect the cloned version to have the same permission settings as the original, so the same people can still access it. But it seems like this is not the case. Is this intended, or could it be changed?
-
PORTFOLIO_MANAGEMENT can edit and modify every aspect of a project which is ideal for the clone use case since cloning creates new projects, carries over project properties as well as audit decisions. A dedicated clone permission could be useful, but would essentially need every PORTFOLIO_MANAGEMENT permission anyway. If there's a need for a clone permission, pull requests are accepted.
-
Hi,
I am creating CI/CD scripts which shall be used by many projects. One part is to automatically create a new version in DTrack for new releases. We need to utilize the clone API, since we need to take over manual adjustments from e.g. master branch to avoid a lot of manual work again.
I am able to figure out project existence and the UUID of the source project, but when cloning from the source to the target version I get a 403.
Turns out, clone API needs PORTFOLIO_MANAGEMENT permission, which I find a bit troubling in this context.
Basically: The autocreate option when uploading a BOM is only halfway useful. As soon as you need to manage and maintain different versions of a project and don't want someone to manage a lot of projects by hand for each version, you can't use it. The key of DevSecOps is to automate your tools, especially security tools, as much as possible. So it's necessary to automatically be able to clone a project as well, or to use a combined clone/autocreate option which allows autocreation by cloning.
Giving the Automation group the PORTFOLIO_MANAGEMENT permission seems to be a risk. I am unsure what exactly is possible with this permission in addition to cloning, but project teams are able to read the API key in build pipelines, so whatever is allowed is exposed to all teams then. I think it would make sense to either add a clone-autocreate option or to add a separate permission for cloning projects.
What do you think?
Regards,
Ralf
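As an added example (not code from Ralf's pipeline or from Dependency-Track itself), the idempotent release step the post describes: resolve the source version's UUID, skip if the target version already exists, call the clone endpoint, and turn a 403 into a clear permission error so the pipeline fails with a message naming the missing permission. The endpoint paths (`/api/v1/project/lookup`, `/api/v1/project/clone`), the `X-Api-Key` header and the clone request fields are assumptions based on Dependency-Track's REST API; the `transport` parameter exists so the logic can be exercised without a server.

```python
import json
import urllib.error
import urllib.parse
import urllib.request


class PermissionDenied(Exception):
    """The API key used by the pipeline lacks the permission the endpoint requires (HTTP 403)."""


def _http(method, url, api_key, body=None):
    """Default transport: one request to Dependency-Track -> (status, parsed JSON or None)."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"X-Api-Key": api_key, "Content-Type": "application/json"}  # assumed header name
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:
        return err.code, None


def lookup_project(base_url, api_key, name, version, transport=_http):
    """Return the UUID of project name/version, or None when it does not exist (404)."""
    query = urllib.parse.urlencode({"name": name, "version": version})
    status, body = transport("GET", f"{base_url}/api/v1/project/lookup?{query}", api_key)
    if status == 403:
        raise PermissionDenied("project lookup refused: key cannot read the portfolio")
    if status == 404:
        return None
    if status != 200:
        raise RuntimeError(f"lookup of {name} {version} failed with HTTP {status}")
    return body["uuid"]


def ensure_version(base_url, api_key, name, source_version, new_version, transport=_http):
    """Idempotent release step: clone source_version into new_version unless it already exists.
    Returns the UUID of the (new or pre-existing) target version."""
    existing = lookup_project(base_url, api_key, name, new_version, transport)
    if existing is not None:
        return existing  # pipeline re-run: nothing to clone
    source = lookup_project(base_url, api_key, name, source_version, transport)
    if source is None:
        raise RuntimeError(f"source project {name} {source_version} does not exist")
    payload = {  # field names assumed from Dependency-Track's clone request
        "project": source, "version": new_version, "includeTags": True,
        "includeProperties": True, "includeComponents": True, "includeAuditHistory": True,
    }
    status, _ = transport("PUT", f"{base_url}/api/v1/project/clone", api_key, payload)
    if status == 403:
        raise PermissionDenied("clone refused: the pipeline key lacks PORTFOLIO_MANAGEMENT")
    if status // 100 != 2:
        raise RuntimeError(f"clone of {name} {source_version} failed with HTTP {status}")
    # Re-resolve rather than parse the clone response, whose shape differs between versions.
    return lookup_project(base_url, api_key, name, new_version, transport)
```

Because the step looks the target version up first, re-running the pipeline does not create duplicate versions, and the distinct `PermissionDenied` error makes the missing PORTFOLIO_MANAGEMENT grant visible in the build log instead of a bare 403.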