is only available with an active Enterprise license. Please add your license key to activate it. Overview
Permission syncing allows you to sync Access Permission Lists (ACLs) from a code host to Sourcebot. When configured, users signed into Sourcebot will only be able to access repositories
that they have access to on the code host. Practically, this means:
- Code Search results will only include repositories that the user has access to.
- Code navigation results will only include repositories that the user has access to.
- MCP results will only include results from repositories the user has access to.
- Ask Sourcebot (and the underlying LLM) will only have access to repositories that the user has access to.
- File browsing is scoped to the repositories that the user has access to.
Permission syncing can be enabled by setting the PERMISSION_SYNC_ENABLED environment variable to true.
docker run \
-e PERMISSION_SYNC_ENABLED=true \
/* additional args */ \
ghcr.io/sourcebot-dev/sourcebot:latest
Enabling permission syncing on an existing deployment may result in errors that look like “User does not have an OAuth access token…”. This is because the OAuth access token associated with the user’s existing account does not have the correct scopes necessary for permission syncing. To fix, have the user re-authenticate to refresh their access token by either logging out of Sourcebot and logging in again or unlinking and re-linking their account.
| Platform | Permission syncing |
|---|
| GitHub (GHEC & GHEC Server) | ✅ |
| GitLab (Self-managed & Cloud) | ✅ |
| Bitbucket Cloud | 🟠 Partial |
| Bitbucket Data Center | 🟠 Partial |
| Azure DevOps Cloud | 🛑 |
| Azure DevOps Server | 🛑 |
| Gitea | 🛑 |
| Gerrit | 🛑 |
| Generic git host | 🛑 |
Getting started
GitHub
Prerequisites:
- Configure a GitHub connection.
- Configure GitHub as an external identity provider.
- If you are using a self-hosted GitHub instance, you must also set the
baseUrl property of the github identity provider in the config file to the base URL of your GitHub instance (e.g. https://github.example.com).
Permission syncing works with GitHub.com, GitHub Enterprise Cloud, and GitHub Enterprise Server. For organization-owned repositories, users that have read-only access (or above) via the following methods will have their access synced to Sourcebot:
- Outside collaborators
- Organization members that are direct collaborators
- Organization members with access through team memberships
- Organization members with access through default organization permissions
- Organization owners.
Notes:
GitLab
Prerequisites:
- Configure a GitLab connection.
- Configure GitLab as an external identity provider.
- If you are using a self-hosted GitLab instance, you must also set the
baseUrl property of the gitlab identity provider in the config file to the base URL of your GitLab instance (e.g. https://gitlab.example.com).
Permission syncing works with GitLab Self-managed and GitLab Cloud. Users with Guest role or above with membership to a group or project will have their access synced to Sourcebot. Both direct and indirect membership to a group or project will be synced with Sourcebot. For more details, see the GitLab docs.
Notes:
Bitbucket Cloud
Prerequisites:
Permission syncing works with Bitbucket Cloud. OAuth tokens must assume the account and repository scopes.
Partial coverage for repo-driven syncing. Bitbucket Cloud’s repository user permissions API only returns users who have been directly and explicitly granted access to a repository. Users who have access via any of the following are not captured by repo-driven syncing:These users will still gain access via user-driven syncing, which fetches all private repositories accessible to each authenticated user. However, there may be a delay between when a repository is added and when affected users gain access in Sourcebot (up to the userDrivenPermissionSyncIntervalMs interval, which defaults to 24 hours).If your workspace relies heavily on group or project-level permissions rather than direct user grants, we recommend reducing the userDrivenPermissionSyncIntervalMs interval to limit the window of delay.
- A Bitbucket Cloud external identity provider must be configured to (1) correlate a Sourcebot user with a Bitbucket Cloud user, and (2) to list repositories that the user has access to for User driven syncing.
- OAuth tokens require the
account and repository scopes. The repository scope is required to list private repositories during User driven syncing.
Bitbucket Data Center
Prerequisites:
Permission syncing works with Bitbucket Data Center. OAuth tokens must assume the PUBLIC_REPOS and REPO_READ scopes.
Partial coverage for repo-driven syncing. Repo-driven syncing only captures users who have been directly and explicitly granted access to the repository. Users who have access via any of the following are not captured by repo-driven syncing:
- Project-level permissions (inherited by all repos in the project)
- Group membership
These users will still gain access via user-driven syncing, which fetches all repositories accessible to each authenticated user using the REPO_READ scope. However, there may be a delay between when access is granted and when affected users see the repository in Sourcebot (up to the userDrivenPermissionSyncIntervalMs interval, which defaults to 24 hours).If your instance relies heavily on project or group-level permissions, we recommend reducing the userDrivenPermissionSyncIntervalMs interval to limit the window of delay.
- A Bitbucket Data Center external identity provider must be configured to (1) correlate a Sourcebot user with a Bitbucket Data Center user, and (2) to list repositories that the user has access to for User driven syncing.
- The connection token must have Repository Read permissions so Sourcebot can read repository-level user permissions for Repo driven syncing.
- OAuth tokens require the
REPO_READ scope to list accessible repositories during User driven syncing.
Manually refreshing permissions
If a user’s permissions have changed and they need access updated immediately (without waiting for the next scheduled sync), they can trigger a manual refresh from the Linked Accounts page:
- Navigate to Settings → Linked Accounts.
- Click the Connected button next to the relevant code host account.
- Select Refresh Permissions from the dropdown.
The button will show a spinner while the sync is in progress and display a confirmation once it completes.
Overriding enforcement per connection
Each connection supports two flags that control permission enforcement for that connection’s repositories:
enforcePermissions: Controls whether repository permissions are enforced for the connection. When PERMISSION_SYNC_ENABLED is false, this setting has no effect. Defaults to the value of PERMISSION_SYNC_ENABLED.enforcePermissionsForPublicRepos: Controls whether repository permissions are enforced for public repositories in the connection. When true, public repositories are only visible to users with a linked account for the connection’s code host. When false, public repositories are visible to all users. Has no effect when enforcePermissions is false. Defaults to false.
These flags are useful when you want different enforcement behavior across connections. For example, you may want to enforce permissions on an internal GitHub Enterprise connection while leaving a public-facing Gerrit mirror open to all users. Or, you can use enforcePermissionsForPublicRepos to restrict public repositories on a Bitbucket connection so that only users who have authenticated with that host can browse them.
{
"connections": {
"my-github": {
"type": "github",
"enforcePermissions": true
},
"my-bitbucket": {
"type": "bitbucket",
"enforcePermissions": true,
"enforcePermissionsForPublicRepos": true
},
"my-gerrit": {
"type": "gerrit",
"url": "https://gerrit.example.com",
"enforcePermissions": false
}
}
}
PERMISSION_SYNC_ENABLED, enforcePermissions, and enforcePermissionsForPublicRepos:
PERMISSION_SYNC_ENABLED | enforcePermissions | enforcePermissionsForPublicRepos | Private repos enforced? | Public repos enforced? |
|---|
true | true | false | Yes | No |
true | true | true | Yes | Yes |
true | false | any | No | No |
false | any | any | No | No |
How it works
Permission syncing works by periodically syncing ACLs from the code host(s) to Sourcebot to build an internal mapping between Users and Repositories. This mapping is hydrated in two directions:
- User driven : fetches the list of all repositories that a given user has access to.
- Repo driven : fetches the list of all users that have access to a given repository.
User driven and repo driven syncing occurs every 24 hours by default. Repo-driven syncing can be disabled independently using the following environment variable:
| Environment variable | Default | Description |
|---|
PERMISSION_SYNC_REPO_DRIVEN_ENABLED | true | Enables/disables repo-driven syncing. |
| Setting | Type | Default | Minimum |
|---|
repoDrivenPermissionSyncIntervalMs | number | 24 hours | 1 |
userDrivenPermissionSyncIntervalMs | number | 24 hours | 1 |
