Roles and permissions, LDAP/Active Directory authentication, user groups, two-factor authentication (new in 2017.2), API tokens, guest access, project security, and the audit log
| Method | How it works | Best for |
|---|---|---|
| Built-in | Username + password stored in TeamCity's database. Default. | Small teams; evaluation; teams without LDAP |
| LDAP | Authenticate against corporate LDAP/Active Directory. User accounts auto-created on first login. | Enterprise teams with AD/LDAP |
| GitHub OAuth | Log in with GitHub account. Requires GitHub OAuth App configured in project connections. | Teams using GitHub for everything; open-source projects |
Multiple authentication methods can be active simultaneously. Configure at Administration → Authentication.
| Role | What they can do |
|---|---|
| System Administrator | Full access — manage server settings, all users, all projects, agents, backup, plugins |
| Project Administrator | Full control over a specific project — create/edit build configs, manage project users, project parameters |
| Developer | Run builds, view logs, pin/tag builds, assign investigation, edit personal build configurations. Cannot edit server-level settings. |
| Viewer | Read-only access — view builds, logs, artifacts. Cannot run builds or change anything. |
Project-level roles are the key to multi-team TeamCity. Each team can be admin of their own project without seeing other teams' configurations.
# Recommended role structure for a multi-team setup:
# System Administrator: CI/DevOps team only (2-3 people)
# Project Administrator: Team lead per project
# Developer: All developers, scoped to their team's project(s)
# Viewer: Stakeholders, QA, managers who need visibility
# Example:
# User: alice@company.com
# System Admin: NO
# Project Admin in: BackendServices (her team)
# Developer in: Frontend (she contributes occasionally)
# Viewer in: Infrastructure (she monitors but doesn't change)A role assigned to a parent project is automatically inherited by all subprojects. Assigning Developer role in the "Techoral" parent project gives the user Developer access to all teams' projects. Use subproject-level assignment for precise access control.
Groups aggregate users for role assignment and notification rules. Assign a role once to a group instead of 20 individuals.
| Group | Description |
|---|---|
| All Users | Every authenticated user. Cannot be deleted. Add global read-only permissions here for internal tools. |
| System Administrators | Built-in system admin group. Members have full server access. |
When LDAP is enabled, TeamCity can sync group membership from LDAP. Users in the AD group CI-Developers can automatically become members of the TeamCity group Developers. Configure in Administration → LDAP Integration → Group Mapping.
TeamCity 2017.2 introduced TOTP-based two-factor authentication. When enabled, users must provide a time-based one-time password (Google Authenticator, Authy, etc.) in addition to their password.
2FA applies to web UI logins. REST API calls using API tokens (section 13.6) bypass 2FA — by design. API tokens are long-lived secrets that represent the same authentication as a logged-in user. This means CI scripts and automation use API tokens, not the user's 2FA credentials. Protect API tokens as you would passwords.
API tokens are long-lived authentication credentials for REST API access. Each user can generate tokens for their own account. A token has the same permissions as the user.
# Bearer token in Authorization header (preferred)
curl -H "Authorization: Bearer YOUR_TOKEN" \
https://ci.yourcompany.com/app/rest/builds?locator=buildType:MyBuild
# Basic auth with token (legacy)
curl -u "username:YOUR_TOKEN" \
https://ci.yourcompany.com/app/rest/buildsCreate a dedicated TeamCity user (e.g., ci-bot) with minimal required permissions (e.g., Developer in specific projects). Generate API tokens under this account for CI scripts. This separates automation credentials from personal accounts — revoking ci-bot's tokens doesn't affect any developer's access.
The Guest user allows unauthenticated read-only access to TeamCity. Enabled at Administration → Authentication → Allow guest login.
Guest access is needed for:
Assign a Viewer role to the "Guest" built-in user for specific projects to limit what they can see. By default, Guest can view the Root project, which includes all projects.
By default, Developer role can trigger any build in their project. To restrict manual triggering of production builds to specific users, use parameter-based protection (prompt parameter with confirmation) or restrict the build config to a sub-group of users by giving only them the Developer role in that specific build config's parent project.
Any role (including Viewer) can view build logs and download artifacts for projects they have access to. If build logs contain sensitive information (database connection strings, API responses), consider cleaning up log output in build steps: use echo "***" instead of printing secret values, and rely on password parameters for masking.
TeamCity records all configuration changes, user logins, and administrative actions in an audit log. Access at Administration → Audit Log.
Recorded events include:
Filter by user, date range, or action type. The audit log is also available via REST API for export to a SIEM system.
TeamCity 2017.2.2 has CSRF protection enabled by default. REST API requests using cookie-based authentication from a browser require an additional Origin or Referer header matching the server URL. Token-based API authentication bypasses CSRF checks.
If you get 403 CSRF check failed errors from custom scripts using cookie auth:
X-TC-CSRF-Token header to your requests (obtain from session cookie)