Skip to main content

Project-Level Permission Groups Require Organization Read Access to List Scorers

Summary

Users assigned to project-level permission groups may be unable to list or access scorers in the playground without organization-level Read organization permissions. This indicates that the permission group is not functioning as intended and may affect groups created at certain points in time. The issue prevents users from accessing scorers even when they have appropriate project-level Read, Create, or Update permissions configured for the specific project.

Symptoms

  • Users cannot see scorers in the playground despite having project-level permissions
  • Access to playground functionality is lost after being added to a project-level permission group
  • Granting organization-level Read organization permission temporarily resolves the issue
  • Some permission groups work correctly while others with similar configurations do not
  • The issue may affect permission groups that were created at specific points in time rather than all groups

Workarounds

Option 1: Grant Organization-Level Read Access (Immediate)

Grant the affected permission group organization-level Read organization permissions. This provides immediate access but grants broader permissions than necessary for project-specific work.

Steps

  1. Navigate to Settings > Permission groups
  2. Find the affected permission group in the list
  3. Click Permissions
  4. Enable Read organization
  5. Click Save
  6. Verify users can now access scorers in the playground
Create a new permission group with the same project-level permissions as the malfunctioning group. This approach often resolves the underlying issue and maintains proper permission scoping.

Steps

  1. Navigate to Settings > Permission groups
  2. Click Create permission group
  3. Enter a name and description for the new group
  4. Click Create
  5. Navigate to the project’s Configuration page
  6. Click Permissions in the context menu
  7. Search for your new group in the search input
  8. Click the pencil icon next to the group
  9. Select the appropriate project permissions:
  10. Click Save
  11. Add affected users to the new group
  12. Remove users from the old, malfunctioning group
  13. Verify users can now access scorers without organization-level permissions

Option 3: Temporarily Grant Individual Project Access

As an immediate workaround for a single user, grant them direct project-level Read permissions outside of the permission group structure.

Steps

  1. Navigate to the project’s Configuration page
  2. Click Permissions in the context menu
  3. Search for the individual user in the search input
  4. Grant the user Read permission on the project
  5. Click Save

Notes

  • This issue has been filed internally for investigation and should be resolved in a future update
  • Users must have Read permission on a project to see it in the UI, but this should not require organization-level read access
  • The Manage access permission is a super-user permission that allows users to grant themselves any other permission - assign it carefully
  • If you encounter this issue, take note of when the affected permission group was created, as this may help identify the root cause
  • Built-in permission groups (Owners, Engineers, Viewers) are organization-scoped and should not exhibit this behavior
  • After creating a new permission group, verify that users can access scorers without requiring organization-level permissions before migrating all users

When to Contact Support

  • Creating a new permission group does not resolve the issue
  • Multiple permission groups are affected across different projects
  • You need to maintain the existing permission group due to integrations or automation
  • Organization-level read access workaround is not acceptable for your security requirements

References