From 3910ba6b24b5897ec740f64d7b7113df50da2dfa Mon Sep 17 00:00:00 2001
From: Pierre <pierre.guillot@sonarsource.com>
Date: Fri, 10 Jun 2022 18:30:02 +0200
Subject: [PATCH] SONAR-16479 remove root user concept

---
 .../sonar/db/audit/model/UserNewValue.java    |  10 -
 .../main/java/org/sonar/db/user/UserDao.java  |   8 -
 .../main/java/org/sonar/db/user/UserDto.java  |  17 --
 .../java/org/sonar/db/user/UserMapper.java    |   7 -
 .../org/sonar/db/user/UserMapper.xml          |  29 ---
 server/sonar-db-dao/src/schema/schema-sq.ddl  |   1 -
 .../java/org/sonar/db/user/UserDaoTest.java   | 184 ----------------
 .../db/user/UserDaoWithPersisterTest.java     |   4 +-
 .../java/org/sonar/db/DbTester.java           |   7 -
 .../org/sonar/db/user/RootFlagAssertions.java |  65 ------
 .../java/org/sonar/db/user/UserDbTester.java  |   6 -
 .../MigrationConfigurationModule.java         |   2 +
 .../migration/version/v96/DbVersion96.java}   |  17 +-
 .../v96/DropRootColumnFromUsersTable.java}    |  14 +-
 .../version/v96/DbVersion96Test.java}         |  27 ++-
 .../v96/DropRootColumnFromUsersTableTest.java |  54 +++++
 .../schema.sql                                |  29 +++
 .../authentication/SafeModeUserSession.java   |   5 -
 .../server/user/AbstractUserSession.java      |  44 +---
 .../org/sonar/server/user/DoPrivileged.java   |   5 -
 .../sonar/server/user/ServerUserSession.java  |   8 -
 .../server/user/ThreadLocalUserSession.java   |  10 -
 .../org/sonar/server/user/UserSession.java    |  17 --
 .../SafeModeUserSessionTest.java              |   1 -
 .../authentication/UserRegistrarImplTest.java |   3 -
 .../server/user/ServerUserSessionTest.java    | 173 +--------------
 .../user/ThreadLocalUserSessionTest.java      |  25 ---
 .../tester/AbstractMockUserSession.java       |   2 +-
 .../tester/AnonymousMockUserSession.java      |   5 -
 .../sonar/server/tester/MockUserSession.java  |  10 -
 .../sonar/server/tester/UserSessionRule.java  |  20 --
 .../server/user/TestUserSessionFactory.java   |   5 -
 .../index/WebAuthorizationTypeSupport.java    |   4 -
 .../index/ComponentIndexLoginTest.java        |   9 -
 .../index/ComponentIndexSearchTest.java       |  29 +--
 ...omponentIndexSearchWindowExceededTest.java |  71 +++++++
 .../server/issue/index/IssueIndexTest.java    |  15 --
 .../index/ProjectMeasuresIndexTest.java       |   9 -
 .../WebAuthorizationTypeSupportTest.java      |   9 -
 .../measure/ws/ComponentTreeAction.java       |   2 +-
 .../server/qualitygate/ws/SearchAction.java   |   6 -
 .../org/sonar/server/root/ws/RootsWs.java     |  43 ----
 .../sonar/server/root/ws/SearchAction.java    |  90 --------
 .../sonar/server/root/ws/SetRootAction.java   |  80 -------
 .../sonar/server/root/ws/UnsetRootAction.java |  81 -------
 .../sonar/server/root/ws/package-info.java    |  23 --
 .../sonar/server/ce/ws/TaskActionTest.java    |  36 ++--
 .../server/component/ws/ShowActionTest.java   |  22 +-
 .../ws/SearchEventsActionNewIssuesTest.java   |  22 +-
 .../ws/SearchEventsActionQualityGateTest.java |  26 ++-
 .../developers/ws/SearchEventsActionTest.java |  19 +-
 .../measure/ws/ComponentActionTest.java       |  33 ++-
 .../measure/ws/ComponentTreeActionTest.java   |  52 +++--
 .../server/measure/ws/SearchActionTest.java   |  15 --
 .../server/notification/ws/AddActionTest.java |   2 +-
 .../project/ws/BulkDeleteActionTest.java      |  13 +-
 .../projectanalysis/ws/DeleteActionTest.java  |   2 +-
 .../projectlink/ws/SearchActionTest.java      |  20 +-
 .../server/projecttag/ws/SetActionTest.java   |  14 +-
 .../qualitygate/ws/SearchActionTest.java      |  16 --
 .../ws/QProfilesWsMediumTest.java             |  12 +-
 .../org/sonar/server/root/ws/RootsWsTest.java |  55 -----
 .../server/root/ws/SearchActionTest.java      | 150 -------------
 .../server/root/ws/SetRootActionTest.java     | 169 ---------------
 .../server/root/ws/UnsetRootActionTest.java   | 200 ------------------
 .../server/setting/ws/ResetActionTest.java    |   4 +-
 .../sonar/server/ui/ws/GlobalActionTest.java  |  12 +-
 .../server/user/ws/CreateActionTest.java      |   9 +-
 .../server/user/ws/GroupsActionTest.java      |   4 +-
 .../platformlevel/PlatformLevel4.java         |   4 -
 70 files changed, 373 insertions(+), 1823 deletions(-)
 delete mode 100644 server/sonar-db-dao/src/testFixtures/java/org/sonar/db/user/RootFlagAssertions.java
 rename server/{sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/RootWsModule.java => sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v96/DbVersion96.java} (67%)
 rename server/{sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/RootsWsAction.java => sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v96/DropRootColumnFromUsersTable.java} (66%)
 rename server/{sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/RootsWsModuleTest.java => sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v96/DbVersion96Test.java} (60%)
 create mode 100644 server/sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v96/DropRootColumnFromUsersTableTest.java
 create mode 100644 server/sonar-db-migration/src/test/resources/org/sonar/server/platform/db/migration/version/v96/DropRootColumnFromUsersTableTest/schema.sql
 create mode 100644 server/sonar-webserver-es/src/test/java/org/sonar/server/component/index/ComponentIndexSearchWindowExceededTest.java
 delete mode 100644 server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/RootsWs.java
 delete mode 100644 server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/SearchAction.java
 delete mode 100644 server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/SetRootAction.java
 delete mode 100644 server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/UnsetRootAction.java
 delete mode 100644 server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/package-info.java
 delete mode 100644 server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/RootsWsTest.java
 delete mode 100644 server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/SearchActionTest.java
 delete mode 100644 server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/SetRootActionTest.java
 delete mode 100644 server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/UnsetRootActionTest.java

diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/audit/model/UserNewValue.java b/server/sonar-db-dao/src/main/java/org/sonar/db/audit/model/UserNewValue.java
index bd5dc75b561..adee5893c28 100644
--- a/server/sonar-db-dao/src/main/java/org/sonar/db/audit/model/UserNewValue.java
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/audit/model/UserNewValue.java
@@ -55,9 +55,6 @@ public class UserNewValue extends NewValue {
   @Nullable
   private Boolean local;
 
-  @Nullable
-  private Boolean root;
-
   @Nullable
   private Long lastConnectionDate;
 
@@ -77,7 +74,6 @@ public class UserNewValue extends NewValue {
     this.externalLogin = userDto.getExternalLogin();
     this.externalIdentityProvider = userDto.getExternalIdentityProvider();
     this.local = userDto.isLocal();
-    this.root = userDto.isRoot();
     this.lastConnectionDate = userDto.getLastConnectionDate();
   }
 
@@ -129,11 +125,6 @@ public class UserNewValue extends NewValue {
     return this.local;
   }
 
-  @CheckForNull
-  public Boolean isRoot() {
-    return this.root;
-  }
-
   @CheckForNull
   public Long getLastConnectionDate() {
     return this.lastConnectionDate;
@@ -152,7 +143,6 @@ public class UserNewValue extends NewValue {
     addField(sb, "\"externalLogin\": ", this.externalLogin, true);
     addField(sb, "\"externalIdentityProvider\": ", this.externalIdentityProvider, true);
     addField(sb, "\"local\": ", ObjectUtils.toString(this.local), false);
-    addField(sb, "\"root\": ", ObjectUtils.toString(this.root), false);
     addField(sb, "\"lastConnectionDate\": ", this.lastConnectionDate == null ?
       "" : DateUtils.formatDateTime(this.lastConnectionDate), true);
     endString(sb);
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/user/UserDao.java b/server/sonar-db-dao/src/main/java/org/sonar/db/user/UserDao.java
index a43b6706747..a859286377e 100644
--- a/server/sonar-db-dao/src/main/java/org/sonar/db/user/UserDao.java
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/user/UserDao.java
@@ -102,10 +102,6 @@ public class UserDao implements Dao {
     return mapper(dbSession).selectUsers(query);
   }
 
-  public long countRootUsersButLogin(DbSession dbSession, String login) {
-    return mapper(dbSession).countRootUsersButLogin(login);
-  }
-
   public UserDto insert(DbSession session, UserDto dto) {
     long now = system2.now();
     mapper(session).insert(dto.setUuid(uuidFactory.create()).setCreatedAt(now).setUpdatedAt(now));
@@ -133,10 +129,6 @@ public class UserDao implements Dao {
     mapper(session).dismissSonarlintAd(login);
   }
 
-  public void setRoot(DbSession session, String login, boolean root) {
-    mapper(session).setRoot(login, root, system2.now());
-  }
-
   public void deactivateUser(DbSession dbSession, UserDto user) {
     mapper(dbSession).deactivateUser(user.getLogin(), system2.now());
     auditPersister.deactivateUser(dbSession, new UserNewValue(user.getUuid(), user.getLogin()));
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/user/UserDto.java b/server/sonar-db-dao/src/main/java/org/sonar/db/user/UserDto.java
index a6ab38a2d42..71dcfd94b7c 100644
--- a/server/sonar-db-dao/src/main/java/org/sonar/db/user/UserDto.java
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/user/UserDto.java
@@ -52,7 +52,6 @@ public class UserDto implements UserId {
   private String homepageType;
   private String homepageParameter;
   private boolean local = true;
-  private boolean root = false;
   private boolean resetPassword = false;
   private boolean sonarlintAdSeen = false;
 
@@ -244,22 +243,6 @@ public class UserDto implements UserId {
     return this;
   }
 
-  public boolean isRoot() {
-    return root;
-  }
-
-  /**
-   * Setters is not accessible as MyBatis doesn't need setter to set the field and dedicated SQL requests must be used
-   * to update the root flag of a user:
-   * <ul>
-   *   <li>a user can not be created root</li>
-   *   <li>the generic update method of a user can not change its root flag</li>
-   * </ul>
-   */
-  protected void setRoot(boolean root) {
-    this.root = root;
-  }
-
   public boolean isResetPassword() {
     return resetPassword;
   }
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/user/UserMapper.java b/server/sonar-db-dao/src/main/java/org/sonar/db/user/UserMapper.java
index c1f4b60cad4..802b1f1a30e 100644
--- a/server/sonar-db-dao/src/main/java/org/sonar/db/user/UserMapper.java
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/user/UserMapper.java
@@ -68,17 +68,10 @@ public interface UserMapper {
 
   void updateSonarlintLastConnectionDate(@Param("login") String login, @Param("now") long now);
 
-  /**
-   * Count actives users which are root and which login is not the specified one.
-   */
-  long countRootUsersButLogin(@Param("login") String login);
-
   void insert(@Param("user") UserDto userDto);
 
   void update(@Param("user") UserDto userDto);
 
-  void setRoot(@Param("login") String login, @Param("root") boolean root, @Param("now") long now);
-
   void deactivateUser(@Param("login") String login, @Param("now") long now);
 
   void clearHomepages(@Param("homepageType") String type, @Param("homepageParameter") String value, @Param("now") long now);
diff --git a/server/sonar-db-dao/src/main/resources/org/sonar/db/user/UserMapper.xml b/server/sonar-db-dao/src/main/resources/org/sonar/db/user/UserMapper.xml
index 4f34375559b..858b063cc51 100644
--- a/server/sonar-db-dao/src/main/resources/org/sonar/db/user/UserMapper.xml
+++ b/server/sonar-db-dao/src/main/resources/org/sonar/db/user/UserMapper.xml
@@ -17,7 +17,6 @@
         u.external_login as "externalLogin",
         u.external_identity_provider as "externalIdentityProvider",
         u.user_local as "local",
-        u.is_root as "root",
         u.reset_password as "resetPassword",
         u.homepage_type as "homepageType",
         u.homepage_parameter as "homepageParameter",
@@ -102,12 +101,6 @@
             <if test="searchText != null">
                 AND (u.login LIKE #{searchTextSql, jdbcType=VARCHAR} ESCAPE '/' OR u.name LIKE #{searchTextSql, jdbcType=VARCHAR} ESCAPE '/')
             </if>
-            <if test="mustBeRoot != null and mustBeRoot==true">
-                AND u.is_root = ${_true}
-            </if>
-            <if test="mustBeRoot != null and mustBeRoot==false">
-                AND u.is_root = ${_false}
-            </if>
         </where>
         ORDER BY u.name
     </select>
@@ -149,17 +142,6 @@
         WHERE u.external_login=#{externalLogin, jdbcType=VARCHAR} AND u.external_identity_provider=#{externalIdentityProvider, jdbcType=VARCHAR}
     </select>
 
-    <select id="countRootUsersButLogin" parameterType="String" resultType="long">
-        select
-        count(1)
-        from
-        users u
-        where
-        u.active = ${_true}
-        and u.is_root = ${_true}
-        and u.login &lt;&gt; #{login}
-    </select>
-
     <sql id="deactivateUserUpdatedFields">
         active = ${_false},
         email = null,
@@ -211,15 +193,6 @@
         login = #{login, jdbcType=VARCHAR}
     </update>
 
-    <update id="setRoot">
-        update users set
-        is_root = #{root, jdbcType=BOOLEAN},
-        updated_at = #{now, jdbcType=BIGINT}
-        where
-        login = #{login, jdbcType=VARCHAR}
-        and active = ${_true}
-    </update>
-
     <insert id="insert" parameterType="map" useGeneratedKeys="false">
         insert into users (
         uuid,
@@ -235,7 +208,6 @@
         salt,
         crypted_password,
         hash_method,
-        is_root,
         last_sonarlint_connection,
         sonarlint_ad_seen,
         reset_password,
@@ -257,7 +229,6 @@
         #{user.salt,jdbcType=VARCHAR},
         #{user.cryptedPassword,jdbcType=VARCHAR},
         #{user.hashMethod,jdbcType=VARCHAR},
-        #{user.root,jdbcType=BOOLEAN},
         #{user.lastSonarlintConnectionDate,jdbcType=BIGINT},
         #{user.sonarlintAdSeen,jdbcType=BOOLEAN},
         #{user.resetPassword,jdbcType=BOOLEAN},
diff --git a/server/sonar-db-dao/src/schema/schema-sq.ddl b/server/sonar-db-dao/src/schema/schema-sq.ddl
index 2effb531681..a91a86418f5 100644
--- a/server/sonar-db-dao/src/schema/schema-sq.ddl
+++ b/server/sonar-db-dao/src/schema/schema-sq.ddl
@@ -981,7 +981,6 @@ CREATE TABLE "USERS"(
     "EXTERNAL_LOGIN" CHARACTER VARYING(255) NOT NULL,
     "EXTERNAL_IDENTITY_PROVIDER" CHARACTER VARYING(100) NOT NULL,
     "EXTERNAL_ID" CHARACTER VARYING(255) NOT NULL,
-    "IS_ROOT" BOOLEAN NOT NULL,
     "USER_LOCAL" BOOLEAN,
     "HOMEPAGE_TYPE" CHARACTER VARYING(40),
     "HOMEPAGE_PARAMETER" CHARACTER VARYING(40),
diff --git a/server/sonar-db-dao/src/test/java/org/sonar/db/user/UserDaoTest.java b/server/sonar-db-dao/src/test/java/org/sonar/db/user/UserDaoTest.java
index 883437e4c8f..b43af0453c0 100644
--- a/server/sonar-db-dao/src/test/java/org/sonar/db/user/UserDaoTest.java
+++ b/server/sonar-db-dao/src/test/java/org/sonar/db/user/UserDaoTest.java
@@ -214,118 +214,6 @@ public class UserDaoTest {
     assertThat(users).isEmpty();
   }
 
-  @Test
-  public void selectUsers_returns_both_only_root_or_only_non_root_depending_on_mustBeRoot_and_mustNotBeRoot_calls_on_query() {
-    UserDto user1 = insertUser(true);
-    UserDto root1 = insertRootUser(newUserDto());
-    UserDto user2 = insertUser(true);
-    UserDto root2 = insertRootUser(newUserDto());
-
-    assertThat(underTest.selectUsers(session, UserQuery.builder().build()))
-      .extracting(UserDto::getLogin)
-      .containsOnly(user1.getLogin(), user2.getLogin(), root1.getLogin(), root2.getLogin());
-    assertThat(underTest.selectUsers(session, UserQuery.builder().mustBeRoot().build()))
-      .extracting(UserDto::getLogin)
-      .containsOnly(root1.getLogin(), root2.getLogin());
-    assertThat(underTest.selectUsers(session, UserQuery.builder().mustNotBeRoot().build()))
-      .extracting(UserDto::getLogin)
-      .containsOnly(user1.getLogin(), user2.getLogin());
-  }
-
-  @Test
-  public void countRootUsersButLogin_returns_0_when_there_is_no_user_at_all() {
-    assertThat(underTest.countRootUsersButLogin(session, "bla")).isZero();
-  }
-
-  @Test
-  public void countRootUsersButLogin_returns_0_when_there_is_no_root() {
-    underTest.insert(session, newUserDto());
-    session.commit();
-
-    assertThat(underTest.countRootUsersButLogin(session, "bla")).isZero();
-  }
-
-  @Test
-  public void countRootUsersButLogin_returns_0_when_there_is_no_active_root() {
-    insertNonRootUser(newUserDto());
-    insertInactiveRootUser(newUserDto());
-    session.commit();
-
-    assertThat(underTest.countRootUsersButLogin(session, "bla")).isZero();
-  }
-
-  @Test
-  public void countRootUsersButLogin_returns_count_of_all_active_roots_when_there_specified_login_does_not_exist() {
-    insertRootUser(newUserDto());
-    insertNonRootUser(newUserDto());
-    insertRootUser(newUserDto());
-    insertRootUser(newUserDto());
-    insertInactiveRootUser(newUserDto());
-    insertInactiveRootUser(newUserDto());
-    session.commit();
-
-    assertThat(underTest.countRootUsersButLogin(session, "bla")).isEqualTo(3);
-  }
-
-  @Test
-  public void countRootUsersButLogin_returns_count_of_all_active_roots_when_specified_login_is_not_root() {
-    insertRootUser(newUserDto());
-    String login = insertNonRootUser(newUserDto()).getLogin();
-    insertRootUser(newUserDto());
-    insertRootUser(newUserDto());
-    insertInactiveRootUser(newUserDto());
-    insertInactiveRootUser(newUserDto());
-    session.commit();
-
-    assertThat(underTest.countRootUsersButLogin(session, login)).isEqualTo(3);
-  }
-
-  @Test
-  public void countRootUsersButLogin_returns_count_of_all_active_roots_when_specified_login_is_inactive_root() {
-    insertRootUser(newUserDto());
-    insertNonRootUser(newUserDto());
-    insertRootUser(newUserDto());
-    insertRootUser(newUserDto());
-    String inactiveRootLogin = insertInactiveRootUser(newUserDto()).getLogin();
-    insertInactiveRootUser(newUserDto());
-    session.commit();
-
-    assertThat(underTest.countRootUsersButLogin(session, inactiveRootLogin)).isEqualTo(3);
-  }
-
-  @Test
-  public void countRootUsersButLogin_returns_count_of_all_active_roots_minus_one_when_specified_login_is_active_root() {
-    insertRootUser(newUserDto());
-    insertNonRootUser(newUserDto());
-    insertRootUser(newUserDto());
-    String rootLogin = insertRootUser(newUserDto()).getLogin();
-    insertInactiveRootUser(newUserDto());
-    insertInactiveRootUser(newUserDto());
-    session.commit();
-
-    assertThat(underTest.countRootUsersButLogin(session, rootLogin)).isEqualTo(2);
-  }
-
-  private UserDto insertInactiveRootUser(UserDto dto) {
-    insertRootUser(dto);
-    dto.setActive(false);
-    underTest.update(session, dto);
-    session.commit();
-    return dto;
-  }
-
-  private UserDto insertRootUser(UserDto dto) {
-    underTest.insert(session, dto);
-    underTest.setRoot(session, dto.getLogin(), true);
-    session.commit();
-    return dto;
-  }
-
-  private UserDto insertNonRootUser(UserDto dto) {
-    underTest.insert(session, dto);
-    session.commit();
-    return dto;
-  }
 
   @Test
   public void insert_user_with_default_values() {
@@ -345,7 +233,6 @@ public class UserDaoTest {
     assertThat(user.isActive()).isTrue();
     assertThat(user.isResetPassword()).isFalse();
     assertThat(user.isLocal()).isTrue();
-    assertThat(user.isRoot()).isFalse();
 
     assertThat(user.getScmAccountsAsList()).isEmpty();
     assertThat(user.getScmAccounts()).isNull();
@@ -396,7 +283,6 @@ public class UserDaoTest {
     assertThat(user.getExternalIdentityProvider()).isEqualTo("github");
     assertThat(user.getExternalId()).isEqualTo("EXT_ID");
     assertThat(user.isLocal()).isTrue();
-    assertThat(user.isRoot()).isFalse();
     assertThat(user.getHomepageType()).isEqualTo("project");
     assertThat(user.getHomepageParameter()).isEqualTo("OB1");
   }
@@ -457,7 +343,6 @@ public class UserDaoTest {
     assertThat(reloaded.getExternalIdentityProvider()).isEqualTo("github");
     assertThat(reloaded.getExternalId()).isEqualTo("EXT_ID");
     assertThat(reloaded.isLocal()).isFalse();
-    assertThat(reloaded.isRoot()).isFalse();
     assertThat(reloaded.getHomepageType()).isEqualTo("project");
     assertThat(reloaded.getHomepageParameter()).isEqualTo("OB1");
     assertThat(reloaded.getLastConnectionDate()).isEqualTo(10_000_000_000L);
@@ -484,7 +369,6 @@ public class UserDaoTest {
     assertThat(userReloaded.getScmAccounts()).isNull();
     assertThat(userReloaded.getSalt()).isNull();
     assertThat(userReloaded.getCryptedPassword()).isNull();
-    assertThat(userReloaded.isRoot()).isFalse();
     assertThat(userReloaded.getUpdatedAt()).isEqualTo(NOW);
     assertThat(userReloaded.getHomepageType()).isNull();
     assertThat(userReloaded.getHomepageParameter()).isNull();
@@ -568,8 +452,6 @@ public class UserDaoTest {
       .setCryptedPassword("650d2261c98361e2f67f90ce5c65a95e7d8ea2fg")
       .setHomepageType("project")
       .setHomepageParameter("OB1"));
-    UserDto user2 = db.users().insertUser();
-    underTest.setRoot(session, user2.getLogin(), true);
 
     UserDto dto = underTest.selectByLogin(session, user1.getLogin());
     assertThat(dto.getUuid()).isEqualTo(user1.getUuid());
@@ -580,14 +462,11 @@ public class UserDaoTest {
     assertThat(dto.getScmAccountsAsList()).containsOnly("ma", "marius33");
     assertThat(dto.getSalt()).isEqualTo("79bd6a8e79fb8c76ac8b121cc7e8e11ad1af8365");
     assertThat(dto.getCryptedPassword()).isEqualTo("650d2261c98361e2f67f90ce5c65a95e7d8ea2fg");
-    assertThat(dto.isRoot()).isFalse();
     assertThat(dto.getCreatedAt()).isEqualTo(user1.getCreatedAt());
     assertThat(dto.getUpdatedAt()).isEqualTo(user1.getUpdatedAt());
     assertThat(dto.getHomepageType()).isEqualTo("project");
     assertThat(dto.getHomepageParameter()).isEqualTo("OB1");
 
-    dto = underTest.selectByLogin(session, user2.getLogin());
-    assertThat(dto.isRoot()).isTrue();
   }
 
   @Test
@@ -668,69 +547,6 @@ public class UserDaoTest {
     assertThat(underTest.selectByExternalLoginAndIdentityProvider(session, "unknown", "unknown")).isNull();
   }
 
-  @Test
-  public void setRoot_does_not_fail_on_non_existing_login() {
-    underTest.setRoot(session, "unkown", true);
-    underTest.setRoot(session, "unkown", false);
-  }
-
-  @Test
-  public void setRoot_set_root_flag_of_specified_user_to_specified_value_and_updates_udpateAt() {
-    String login = insertActiveUser().getLogin();
-    UserDto otherUser = insertActiveUser();
-    assertThat(underTest.selectByLogin(session, login).isRoot()).isFalse();
-    assertThat(underTest.selectByLogin(session, otherUser.getLogin()).isRoot()).isFalse();
-
-    // does not fail when changing to same value
-    system2.setNow(15_000L);
-    commit(() -> underTest.setRoot(session, login, false));
-    verifyRootAndUpdatedAt(login, false, 15_000L);
-    verifyRootAndUpdatedAt(otherUser.getLogin(), false, otherUser.getUpdatedAt());
-
-    // change value
-    system2.setNow(26_000L);
-    commit(() -> underTest.setRoot(session, login, true));
-    verifyRootAndUpdatedAt(login, true, 26_000L);
-    verifyRootAndUpdatedAt(otherUser.getLogin(), false, otherUser.getUpdatedAt());
-
-    // does not fail when changing to same value
-    system2.setNow(37_000L);
-    commit(() -> underTest.setRoot(session, login, true));
-    verifyRootAndUpdatedAt(login, true, 37_000L);
-    verifyRootAndUpdatedAt(otherUser.getLogin(), false, otherUser.getUpdatedAt());
-
-    // change value back
-    system2.setNow(48_000L);
-    commit(() -> underTest.setRoot(session, login, false));
-    verifyRootAndUpdatedAt(login, false, 48_000L);
-    verifyRootAndUpdatedAt(otherUser.getLogin(), false, otherUser.getUpdatedAt());
-  }
-
-  private void verifyRootAndUpdatedAt(String login1, boolean root, long updatedAt) {
-    UserDto userDto = underTest.selectByLogin(session, login1);
-    assertThat(userDto.isRoot()).isEqualTo(root);
-    assertThat(userDto.getUpdatedAt()).isEqualTo(updatedAt);
-  }
-
-  @Test
-  public void setRoot_has_no_effect_on_root_flag_of_inactive_user() {
-    String nonRootInactiveUser = insertUser(false).getLogin();
-    commit(() -> underTest.setRoot(session, nonRootInactiveUser, true));
-    assertThat(underTest.selectByLogin(session, nonRootInactiveUser).isRoot()).isFalse();
-
-    // create inactive root user
-    UserDto rootUser = insertActiveUser();
-    commit(() -> underTest.setRoot(session, rootUser.getLogin(), true));
-    rootUser.setActive(false);
-    commit(() -> underTest.update(session, rootUser));
-    UserDto inactiveRootUser = underTest.selectByLogin(session, rootUser.getLogin());
-    assertThat(inactiveRootUser.isRoot()).isTrue();
-    assertThat(inactiveRootUser.isActive()).isFalse();
-
-    commit(() -> underTest.setRoot(session, inactiveRootUser.getLogin(), false));
-    assertThat(underTest.selectByLogin(session, inactiveRootUser.getLogin()).isRoot()).isTrue();
-  }
-
   @Test
   public void scrollByLUuids() {
     UserDto u1 = insertUser(true);
diff --git a/server/sonar-db-dao/src/test/java/org/sonar/db/user/UserDaoWithPersisterTest.java b/server/sonar-db-dao/src/test/java/org/sonar/db/user/UserDaoWithPersisterTest.java
index 6a4fadf7b84..fddc9be3482 100644
--- a/server/sonar-db-dao/src/test/java/org/sonar/db/user/UserDaoWithPersisterTest.java
+++ b/server/sonar-db-dao/src/test/java/org/sonar/db/user/UserDaoWithPersisterTest.java
@@ -109,10 +109,10 @@ public class UserDaoWithPersisterTest {
     assertThat(newValue)
       .extracting(UserNewValue::getUserUuid, UserNewValue::getUserLogin, UserNewValue::getName, UserNewValue::getEmail, UserNewValue::isActive,
         UserNewValue::getScmAccounts, UserNewValue::getExternalId, UserNewValue::getExternalLogin, UserNewValue::getExternalIdentityProvider,
-        UserNewValue::isLocal, UserNewValue::isRoot, UserNewValue::getLastConnectionDate)
+        UserNewValue::isLocal, UserNewValue::getLastConnectionDate)
       .containsExactly(updatedUser.getUuid(), updatedUser.getLogin(), updatedUser.getName(), updatedUser.getEmail(), updatedUser.isActive(),
         updatedUser.getScmAccounts(), updatedUser.getExternalId(), updatedUser.getExternalLogin(), updatedUser.getExternalIdentityProvider(),
-        updatedUser.isLocal(), updatedUser.isRoot(), updatedUser.getLastConnectionDate());
+        updatedUser.isLocal(), updatedUser.getLastConnectionDate());
     assertThat(newValue.toString())
       .contains("name")
       .contains(DateUtils.formatDateTime(updatedUser.getLastConnectionDate()));
diff --git a/server/sonar-db-dao/src/testFixtures/java/org/sonar/db/DbTester.java b/server/sonar-db-dao/src/testFixtures/java/org/sonar/db/DbTester.java
index 39d31e38b12..1e2f4154dd8 100644
--- a/server/sonar-db-dao/src/testFixtures/java/org/sonar/db/DbTester.java
+++ b/server/sonar-db-dao/src/testFixtures/java/org/sonar/db/DbTester.java
@@ -52,7 +52,6 @@ import org.sonar.db.qualitygate.QualityGateDbTester;
 import org.sonar.db.qualityprofile.QualityProfileDbTester;
 import org.sonar.db.rule.RuleDbTester;
 import org.sonar.db.source.FileSourceTester;
-import org.sonar.db.user.RootFlagAssertions;
 import org.sonar.db.user.UserDbTester;
 import org.sonar.db.webhook.WebhookDbTester;
 import org.sonar.db.webhook.WebhookDeliveryDbTester;
@@ -80,7 +79,6 @@ public class DbTester extends AbstractDbTester<TestDbImpl> {
   private final RuleDbTester ruleDbTester;
   private final NewCodePeriodDbTester newCodePeriodTester;
   private final NotificationDbTester notificationDbTester;
-  private final RootFlagAssertions rootFlagAssertions;
   private final QualityProfileDbTester qualityProfileDbTester;
   private final MeasureDbTester measureDbTester;
   private final FileSourceTester fileSourceTester;
@@ -109,7 +107,6 @@ public class DbTester extends AbstractDbTester<TestDbImpl> {
     this.issueDbTester = new IssueDbTester(this);
     this.ruleDbTester = new RuleDbTester(this);
     this.notificationDbTester = new NotificationDbTester(this);
-    this.rootFlagAssertions = new RootFlagAssertions(this);
     this.qualityProfileDbTester = new QualityProfileDbTester(this);
     this.measureDbTester = new MeasureDbTester(this);
     this.fileSourceTester = new FileSourceTester(this);
@@ -195,10 +192,6 @@ public class DbTester extends AbstractDbTester<TestDbImpl> {
     return qualityGateDbTester;
   }
 
-  public RootFlagAssertions rootFlag() {
-    return rootFlagAssertions;
-  }
-
   public IssueDbTester issues() {
     return issueDbTester;
   }
diff --git a/server/sonar-db-dao/src/testFixtures/java/org/sonar/db/user/RootFlagAssertions.java b/server/sonar-db-dao/src/testFixtures/java/org/sonar/db/user/RootFlagAssertions.java
deleted file mode 100644
index 0dc7655e2d1..00000000000
--- a/server/sonar-db-dao/src/testFixtures/java/org/sonar/db/user/RootFlagAssertions.java
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * SonarQube
- * Copyright (C) 2009-2022 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- */
-package org.sonar.db.user;
-
-import java.util.Map;
-import org.sonar.db.DbTester;
-
-import static org.assertj.core.api.Assertions.assertThat;
-
-public class RootFlagAssertions {
-  private final DbTester db;
-
-  public RootFlagAssertions(DbTester db) {
-    this.db = db;
-  }
-
-  public void verify(UserDto userDto, boolean root, long updatedAt) {
-    Map<String, Object> row = db.selectFirst("select is_root as \"isRoot\", updated_at as \"updatedAt\" from users where login = '" + userDto.getLogin() + "'");
-    Object isRoot = row.get("isRoot");
-    assertThat(isRoot)
-      .as("Root flag of user '%s' is same as when created", userDto.getLogin())
-      .isEqualTo(isRoot instanceof Long ? toLong(root) : root);
-    assertThat(row.get("updatedAt"))
-      .as("UpdatedAt of user '%s' has not changed since created")
-      .isEqualTo(updatedAt);
-  }
-
-  public void verify(UserDto userDto, boolean root) {
-    Map<String, Object> row = db.selectFirst("select is_root as \"isRoot\", updated_at as \"updatedAt\" from users where login = '" + userDto.getLogin() + "'");
-    Object isRoot = row.get("isRoot");
-    assertThat(isRoot)
-      .as("Root flag of user '%s' is '%s'", userDto.getLogin(), root)
-      .isEqualTo(isRoot instanceof Long ? toLong(root) : root);
-    assertThat(row.get("updatedAt"))
-      .as("UpdatedAt of user '%s' has changed since insertion", userDto.getLogin())
-      .isNotEqualTo(userDto.getUpdatedAt());
-  }
-
-  private static Long toLong(boolean root) {
-    return root ? 1L : 0L;
-  }
-
-  public void verify(String login, boolean root) {
-    assertThat(db.getDbClient().userDao().selectByLogin(db.getSession(), login).isRoot())
-      .as("Root flag of user '%s' is '%s'", login, root)
-      .isEqualTo(root);
-  }
-}
diff --git a/server/sonar-db-dao/src/testFixtures/java/org/sonar/db/user/UserDbTester.java b/server/sonar-db-dao/src/testFixtures/java/org/sonar/db/user/UserDbTester.java
index c942060e71c..90abfd0e603 100644
--- a/server/sonar-db-dao/src/testFixtures/java/org/sonar/db/user/UserDbTester.java
+++ b/server/sonar-db-dao/src/testFixtures/java/org/sonar/db/user/UserDbTester.java
@@ -88,12 +88,6 @@ public class UserDbTester {
     return updatedUser;
   }
 
-  public UserDto makeRoot(UserDto userDto) {
-    dbClient.userDao().setRoot(db.getSession(), userDto.getLogin(), true);
-    db.commit();
-    return dbClient.userDao().selectByLogin(db.getSession(), userDto.getLogin());
-  }
-
   public UserDto insertAdminByUserPermission() {
     UserDto user = insertUser();
     insertPermissionOnUser(user, ADMINISTER);
diff --git a/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/MigrationConfigurationModule.java b/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/MigrationConfigurationModule.java
index 64034841c3d..8fdfebb70ad 100644
--- a/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/MigrationConfigurationModule.java
+++ b/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/MigrationConfigurationModule.java
@@ -34,6 +34,7 @@ import org.sonar.server.platform.db.migration.version.v92.DbVersion92;
 import org.sonar.server.platform.db.migration.version.v93.DbVersion93;
 import org.sonar.server.platform.db.migration.version.v94.DbVersion94;
 import org.sonar.server.platform.db.migration.version.v95.DbVersion95;
+import org.sonar.server.platform.db.migration.version.v96.DbVersion96;
 
 public class MigrationConfigurationModule extends Module {
   @Override
@@ -48,6 +49,7 @@ public class MigrationConfigurationModule extends Module {
       DbVersion93.class,
       DbVersion94.class,
       DbVersion95.class,
+      DbVersion96.class,
 
       // migration steps
       MigrationStepRegistryImpl.class,
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/RootWsModule.java b/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v96/DbVersion96.java
similarity index 67%
rename from server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/RootWsModule.java
rename to server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v96/DbVersion96.java
index 0cabaddb2d9..8af0bdcc4a9 100644
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/RootWsModule.java
+++ b/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v96/DbVersion96.java
@@ -17,16 +17,17 @@
  * along with this program; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
-package org.sonar.server.root.ws;
+package org.sonar.server.platform.db.migration.version.v96;
 
-import org.sonar.core.platform.Module;
+import org.sonar.server.platform.db.migration.step.MigrationStepRegistry;
+import org.sonar.server.platform.db.migration.version.DbVersion;
+
+public class DbVersion96 implements DbVersion {
 
-public class RootWsModule extends Module {
   @Override
-  protected void configureModule() {
-    add(RootsWs.class,
-      SetRootAction.class,
-      UnsetRootAction.class,
-      SearchAction.class);
+  public void addSteps(MigrationStepRegistry registry) {
+    registry
+      .add(6500, "remove root column from users table", DropRootColumnFromUsersTable.class)
+    ;
   }
 }
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/RootsWsAction.java b/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v96/DropRootColumnFromUsersTable.java
similarity index 66%
rename from server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/RootsWsAction.java
rename to server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v96/DropRootColumnFromUsersTable.java
index f5a4e0e3e38..af76e35f283 100644
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/RootsWsAction.java
+++ b/server/sonar-db-migration/src/main/java/org/sonar/server/platform/db/migration/version/v96/DropRootColumnFromUsersTable.java
@@ -17,10 +17,18 @@
  * along with this program; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
-package org.sonar.server.root.ws;
+package org.sonar.server.platform.db.migration.version.v96;
 
-import org.sonar.server.ws.WsAction;
+import org.sonar.db.Database;
+import org.sonar.server.platform.db.migration.step.DropColumnChange;
 
-public interface RootsWsAction extends WsAction {
+public class DropRootColumnFromUsersTable extends DropColumnChange {
+
+  public static final String TABLE_NAME = "users";
+  public static final String COLUMN_NAME = "is_root";
+
+  public DropRootColumnFromUsersTable(Database db) {
+    super(db, TABLE_NAME, COLUMN_NAME);
+  }
 
 }
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/RootsWsModuleTest.java b/server/sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v96/DbVersion96Test.java
similarity index 60%
rename from server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/RootsWsModuleTest.java
rename to server/sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v96/DbVersion96Test.java
index 4f545125978..f614abea6a9 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/RootsWsModuleTest.java
+++ b/server/sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v96/DbVersion96Test.java
@@ -17,20 +17,27 @@
  * along with this program; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
  */
-package org.sonar.server.root.ws;
+package org.sonar.server.platform.db.migration.version.v96;
 
 import org.junit.Test;
-import org.sonar.core.platform.ListContainer;
 
-import static org.assertj.core.api.Assertions.assertThat;
+import static org.sonar.server.platform.db.migration.version.DbVersionTestUtils.verifyMigrationNotEmpty;
+import static org.sonar.server.platform.db.migration.version.DbVersionTestUtils.verifyMinimumMigrationNumber;
 
-public class RootsWsModuleTest {
-  private RootWsModule underTest = new RootWsModule();
+public class DbVersion96Test {
+
+
+  private final DbVersion96 underTest = new DbVersion96();
 
   @Test
-  public void verify_number_of_components_added_by_module() {
-    ListContainer container = new ListContainer();
-    underTest.configure(container);
-    assertThat(container.getAddedObjects()).hasSize(4);
+  public void migrationNumber_starts_at_6401() {
+    verifyMinimumMigrationNumber(underTest, 6500);
   }
-}
+
+  @Test
+  public void verify_migration_count() {
+    verifyMigrationNotEmpty(underTest);
+  }
+
+
+}
\ No newline at end of file
diff --git a/server/sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v96/DropRootColumnFromUsersTableTest.java b/server/sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v96/DropRootColumnFromUsersTableTest.java
new file mode 100644
index 00000000000..c95fe696769
--- /dev/null
+++ b/server/sonar-db-migration/src/test/java/org/sonar/server/platform/db/migration/version/v96/DropRootColumnFromUsersTableTest.java
@@ -0,0 +1,54 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2022 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.server.platform.db.migration.version.v96;
+
+import java.sql.SQLException;
+import java.sql.Types;
+import org.junit.Rule;
+import org.junit.Test;
+import org.sonar.db.CoreDbTester;
+import org.sonar.server.platform.db.migration.step.DdlChange;
+
+public class DropRootColumnFromUsersTableTest {
+
+  private static final String COLUMN_NAME = "is_root";
+  private static final String TABLE_NAME = "users";
+
+  @Rule
+  public final CoreDbTester db = CoreDbTester.createForSchema(DropRootColumnFromUsersTableTest.class, "schema.sql");
+
+  private final DdlChange dropRuleDescriptionColumn = new DropRootColumnFromUsersTable(db.database());
+
+  @Test
+  public void migration_should_drop_is_root_column() throws SQLException {
+    db.assertColumnDefinition(TABLE_NAME, COLUMN_NAME, Types.BOOLEAN, null, false);
+    dropRuleDescriptionColumn.execute();
+    db.assertColumnDoesNotExist(TABLE_NAME, COLUMN_NAME);
+  }
+
+  @Test
+  public void migration_should_be_reentrant() throws SQLException {
+    db.assertColumnDefinition(TABLE_NAME, COLUMN_NAME, Types.BOOLEAN, null, false);
+    dropRuleDescriptionColumn.execute();
+    // re-entrant
+    dropRuleDescriptionColumn.execute();
+    db.assertColumnDoesNotExist(TABLE_NAME, COLUMN_NAME);
+  }
+}
\ No newline at end of file
diff --git a/server/sonar-db-migration/src/test/resources/org/sonar/server/platform/db/migration/version/v96/DropRootColumnFromUsersTableTest/schema.sql b/server/sonar-db-migration/src/test/resources/org/sonar/server/platform/db/migration/version/v96/DropRootColumnFromUsersTableTest/schema.sql
new file mode 100644
index 00000000000..36147baf353
--- /dev/null
+++ b/server/sonar-db-migration/src/test/resources/org/sonar/server/platform/db/migration/version/v96/DropRootColumnFromUsersTableTest/schema.sql
@@ -0,0 +1,29 @@
+CREATE TABLE "USERS"(
+    "UUID" CHARACTER VARYING(255) NOT NULL,
+    "LOGIN" CHARACTER VARYING(255) NOT NULL,
+    "NAME" CHARACTER VARYING(200),
+    "EMAIL" CHARACTER VARYING(100),
+    "CRYPTED_PASSWORD" CHARACTER VARYING(100),
+    "SALT" CHARACTER VARYING(40),
+    "HASH_METHOD" CHARACTER VARYING(10),
+    "ACTIVE" BOOLEAN DEFAULT TRUE,
+    "SCM_ACCOUNTS" CHARACTER VARYING(4000),
+    "EXTERNAL_LOGIN" CHARACTER VARYING(255) NOT NULL,
+    "EXTERNAL_IDENTITY_PROVIDER" CHARACTER VARYING(100) NOT NULL,
+    "EXTERNAL_ID" CHARACTER VARYING(255) NOT NULL,
+    "IS_ROOT" BOOLEAN NOT NULL,
+    "USER_LOCAL" BOOLEAN,
+    "HOMEPAGE_TYPE" CHARACTER VARYING(40),
+    "HOMEPAGE_PARAMETER" CHARACTER VARYING(40),
+    "LAST_CONNECTION_DATE" BIGINT,
+    "CREATED_AT" BIGINT,
+    "UPDATED_AT" BIGINT,
+    "RESET_PASSWORD" BOOLEAN NOT NULL,
+    "LAST_SONARLINT_CONNECTION" BIGINT,
+    "SONARLINT_AD_SEEN" BOOLEAN DEFAULT FALSE
+);
+ALTER TABLE "USERS" ADD CONSTRAINT "PK_USERS" PRIMARY KEY("UUID");
+CREATE UNIQUE INDEX "USERS_LOGIN" ON "USERS"("LOGIN" NULLS FIRST);
+CREATE INDEX "USERS_UPDATED_AT" ON "USERS"("UPDATED_AT" NULLS FIRST);
+CREATE UNIQUE INDEX "UNIQ_EXTERNAL_ID" ON "USERS"("EXTERNAL_IDENTITY_PROVIDER" NULLS FIRST, "EXTERNAL_ID" NULLS FIRST);
+CREATE UNIQUE INDEX "UNIQ_EXTERNAL_LOGIN" ON "USERS"("EXTERNAL_IDENTITY_PROVIDER" NULLS FIRST, "EXTERNAL_LOGIN" NULLS FIRST);
diff --git a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SafeModeUserSession.java b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SafeModeUserSession.java
index 6864bce8424..84fa83ae551 100644
--- a/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SafeModeUserSession.java
+++ b/server/sonar-webserver-auth/src/main/java/org/sonar/server/authentication/SafeModeUserSession.java
@@ -99,11 +99,6 @@ public class SafeModeUserSession extends AbstractUserSession {
     return false;
   }
 
-  @Override
-  public boolean isRoot() {
-    return false;
-  }
-
   @Override
   public boolean isSystemAdministrator() {
     return false;
diff --git a/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/AbstractUserSession.java b/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/AbstractUserSession.java
index 224b7fca858..d361e8b385e 100644
--- a/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/AbstractUserSession.java
+++ b/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/AbstractUserSession.java
@@ -83,67 +83,45 @@ public abstract class AbstractUserSession implements UserSession {
 
   @Override
   public final boolean hasPermission(GlobalPermission permission) {
-    return isRoot() || hasPermissionImpl(permission);
+    return hasPermissionImpl(permission);
   }
 
   protected abstract boolean hasPermissionImpl(GlobalPermission permission);
 
   @Override
   public final boolean hasComponentPermission(String permission, ComponentDto component) {
-    if (isRoot()) {
-      return true;
-    }
     String projectUuid = defaultString(component.getMainBranchProjectUuid(), component.projectUuid());
     return hasProjectUuidPermission(permission, projectUuid);
   }
 
   @Override
   public final boolean hasProjectPermission(String permission, ProjectDto project) {
-    if (isRoot()) {
-      return true;
-    }
     return hasProjectUuidPermission(permission, project.getUuid());
   }
 
   @Override
   public final boolean hasProjectPermission(String permission, String projectUuid) {
-    if (isRoot()) {
-      return true;
-    }
     return hasProjectUuidPermission(permission, projectUuid);
   }
 
   @Override
   public final boolean hasChildProjectsPermission(String permission, ComponentDto component) {
-    if (isRoot()) {
-      return true;
-    }
     String applicationUuid = defaultString(component.getMainBranchProjectUuid(), component.projectUuid());
     return hasChildProjectsPermission(permission, applicationUuid);
   }
 
   @Override
   public final boolean hasChildProjectsPermission(String permission, ProjectDto project) {
-    if (isRoot()) {
-      return true;
-    }
     return hasChildProjectsPermission(permission, project.getUuid());
   }
 
   @Override
   public final boolean hasPortfolioChildProjectsPermission(String permission, ComponentDto portfolio) {
-    if (isRoot()) {
-      return true;
-    }
-
     return hasPortfolioChildProjectsPermission(permission, portfolio.uuid());
   }
 
   @Override
   public final boolean hasComponentUuidPermission(String permission, String componentUuid) {
-    if (isRoot()) {
-      return true;
-    }
     Optional<String> projectUuid = componentUuidToProjectUuid(componentUuid);
     return projectUuid
       .map(s -> hasProjectUuidPermission(permission, s))
@@ -160,17 +138,11 @@ public abstract class AbstractUserSession implements UserSession {
 
   @Override
   public final List<ComponentDto> keepAuthorizedComponents(String permission, Collection<ComponentDto> components) {
-    if (isRoot()) {
-      return new ArrayList<>(components);
-    }
     return doKeepAuthorizedComponents(permission, components);
   }
 
   @Override
   public List<ProjectDto> keepAuthorizedProjects(String permission, Collection<ProjectDto> projects) {
-    if (isRoot()) {
-      return new ArrayList<>(projects);
-    }
     return doKeepAuthorizedProjects(permission, projects);
   }
 
@@ -194,14 +166,6 @@ public abstract class AbstractUserSession implements UserSession {
       .collect(MoreCollectors.toList());
   }
 
-  @Override
-  public UserSession checkIsRoot() {
-    if (!isRoot()) {
-      throw new ForbiddenException(INSUFFICIENT_PRIVILEGES_MESSAGE);
-    }
-    return this;
-  }
-
   @Override
   public final UserSession checkLoggedIn() {
     if (!isLoggedIn()) {
@@ -228,7 +192,7 @@ public abstract class AbstractUserSession implements UserSession {
 
   @Override
   public UserSession checkProjectPermission(String projectPermission, ProjectDto project) {
-    if (isRoot() || hasProjectUuidPermission(projectPermission, project.getUuid())) {
+    if (hasProjectUuidPermission(projectPermission, project.getUuid())) {
       return this;
     }
 
@@ -237,7 +201,7 @@ public abstract class AbstractUserSession implements UserSession {
 
   @Override
   public UserSession checkChildProjectsPermission(String projectPermission, ComponentDto component) {
-    if (isRoot() || !APP.equals(component.qualifier()) || hasChildProjectsPermission(projectPermission, component)) {
+    if (!APP.equals(component.qualifier()) || hasChildProjectsPermission(projectPermission, component)) {
       return this;
     }
 
@@ -246,7 +210,7 @@ public abstract class AbstractUserSession implements UserSession {
 
   @Override
   public UserSession checkChildProjectsPermission(String projectPermission, ProjectDto application) {
-    if (isRoot() || !APP.equals(application.getQualifier()) || hasChildProjectsPermission(projectPermission, application)) {
+    if (!APP.equals(application.getQualifier()) || hasChildProjectsPermission(projectPermission, application)) {
       return this;
     }
 
diff --git a/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/DoPrivileged.java b/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/DoPrivileged.java
index 0ac01236152..0994a6ec857 100644
--- a/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/DoPrivileged.java
+++ b/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/DoPrivileged.java
@@ -96,11 +96,6 @@ public final class DoPrivileged {
         return false;
       }
 
-      @Override
-      public boolean isRoot() {
-        return true;
-      }
-
       @Override
       public Optional<IdentityProvider> getIdentityProvider() {
         return Optional.empty();
diff --git a/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/ServerUserSession.java b/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/ServerUserSession.java
index 914b2a985f6..80ec73f6257 100644
--- a/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/ServerUserSession.java
+++ b/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/ServerUserSession.java
@@ -121,11 +121,6 @@ public class ServerUserSession extends AbstractUserSession {
     return userDto != null;
   }
 
-  @Override
-  public boolean isRoot() {
-    return userDto != null && userDto.isRoot();
-  }
-
   @Override
   public Optional<IdentityProvider> getIdentityProvider() {
     return ofNullable(userDto).map(d -> computeIdentity(d).getIdentityProvider());
@@ -351,9 +346,6 @@ public class ServerUserSession extends AbstractUserSession {
   }
 
   private boolean loadIsSystemAdministrator() {
-    if (isRoot()) {
-      return true;
-    }
     return hasPermission(GlobalPermission.ADMINISTER);
   }
 }
diff --git a/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/ThreadLocalUserSession.java b/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/ThreadLocalUserSession.java
index 1d8866c1b16..2adc5d4bbb4 100644
--- a/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/ThreadLocalUserSession.java
+++ b/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/ThreadLocalUserSession.java
@@ -100,16 +100,6 @@ public class ThreadLocalUserSession implements UserSession {
     return get().isLoggedIn();
   }
 
-  @Override
-  public UserSession checkIsRoot() {
-    return get().checkIsRoot();
-  }
-
-  @Override
-  public boolean isRoot() {
-    return get().isRoot();
-  }
-
   @Override
   public UserSession checkLoggedIn() {
     get().checkLoggedIn();
diff --git a/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/UserSession.java b/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/UserSession.java
index f10db0d1dfc..feb73aaebd0 100644
--- a/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/UserSession.java
+++ b/server/sonar-webserver-auth/src/main/java/org/sonar/server/user/UserSession.java
@@ -149,18 +149,6 @@ public interface UserSession {
    */
   boolean isLoggedIn();
 
-  /**
-   * Whether the user has root privileges. If {@code true}, then user automatically
-   * benefits from all the permissions on all projects.
-   */
-  boolean isRoot();
-
-  /**
-   * Ensures that {@link #isRoot()} returns {@code true} otherwise throws a
-   * {@link org.sonar.server.exceptions.ForbiddenException}.
-   */
-  UserSession checkIsRoot();
-
   /**
    * Ensures that user is logged in otherwise throws {@link org.sonar.server.exceptions.UnauthorizedException}.
    */
@@ -169,7 +157,6 @@ public interface UserSession {
   /**
    * Returns {@code true} if the permission is granted, otherwise {@code false}.
    *
-   * Always returns {@code true} if {@link #isRoot()} is {@code true}.
    */
   boolean hasPermission(GlobalPermission permission);
 
@@ -185,9 +172,6 @@ public interface UserSession {
    *
    * If the component does not exist, then returns {@code false}.
    *
-   * Always returns {@code true} if {@link #isRoot()} is {@code true}, even if
-   * component does not exist.
-   *
    * @param component non-null component.
    * @param permission project permission as defined by {@link org.sonar.server.permission.PermissionService}
    */
@@ -263,7 +247,6 @@ public interface UserSession {
    *
    * Returns {@code true} if:
    * <ul>
-   *   <li>{@link #isRoot()} is {@code true}</li>
    *   <li>user is administrator</li>
    * </ul>
    */
diff --git a/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/SafeModeUserSessionTest.java b/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/SafeModeUserSessionTest.java
index 0278a2eab3f..8cf6876dbda 100644
--- a/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/SafeModeUserSessionTest.java
+++ b/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/SafeModeUserSessionTest.java
@@ -43,7 +43,6 @@ public class SafeModeUserSessionTest {
   @Test
   public void session_has_no_permissions() {
     assertThat(underTest.shouldResetPassword()).isFalse();
-    assertThat(underTest.isRoot()).isFalse();
     assertThat(underTest.isSystemAdministrator()).isFalse();
     assertThat(underTest.hasPermissionImpl(GlobalPermission.ADMINISTER)).isFalse();
     assertThat(underTest.hasProjectUuidPermission(UserRole.USER, "foo")).isFalse();
diff --git a/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/UserRegistrarImplTest.java b/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/UserRegistrarImplTest.java
index accef48c744..97991e5945b 100644
--- a/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/UserRegistrarImplTest.java
+++ b/server/sonar-webserver-auth/src/test/java/org/sonar/server/authentication/UserRegistrarImplTest.java
@@ -104,7 +104,6 @@ public class UserRegistrarImplTest {
     assertThat(user.getExternalLogin()).isEqualTo(USER_LOGIN);
     assertThat(user.getExternalIdentityProvider()).isEqualTo("github");
     assertThat(user.getExternalId()).isEqualTo("ABCD");
-    assertThat(user.isRoot()).isFalse();
     checkGroupMembership(user, defaultGroup);
   }
 
@@ -132,7 +131,6 @@ public class UserRegistrarImplTest {
     assertThat(user.getExternalIdentityProvider()).isEqualTo("sonarqube");
     assertThat(user.getExternalId()).isEqualTo("ABCD");
     assertThat(user.isLocal()).isFalse();
-    assertThat(user.isRoot()).isFalse();
     checkGroupMembership(user, defaultGroup);
   }
 
@@ -479,7 +477,6 @@ public class UserRegistrarImplTest {
     assertThat(userDto.getExternalId()).isEqualTo(USER_IDENTITY.getProviderId());
     assertThat(userDto.getExternalLogin()).isEqualTo(USER_IDENTITY.getProviderLogin());
     assertThat(userDto.getExternalIdentityProvider()).isEqualTo(GH_IDENTITY_PROVIDER.getKey());
-    assertThat(userDto.isRoot()).isFalse();
   }
 
   @Test
diff --git a/server/sonar-webserver-auth/src/test/java/org/sonar/server/user/ServerUserSessionTest.java b/server/sonar-webserver-auth/src/test/java/org/sonar/server/user/ServerUserSessionTest.java
index c3ea59725e7..47a4197b6f0 100644
--- a/server/sonar-webserver-auth/src/test/java/org/sonar/server/user/ServerUserSessionTest.java
+++ b/server/sonar-webserver-auth/src/test/java/org/sonar/server/user/ServerUserSessionTest.java
@@ -137,62 +137,6 @@ public class ServerUserSessionTest {
     assertThat(newUserSession(notActive).isActive()).isFalse();
   }
 
-  @Test
-  public void isRoot_is_false_is_flag_root_is_false_on_UserDto() {
-    UserDto root = db.users().insertUser();
-    root = db.users().makeRoot(root);
-    assertThat(newUserSession(root).isRoot()).isTrue();
-
-    UserDto notRoot = db.users().insertUser();
-    assertThat(newUserSession(notRoot).isRoot()).isFalse();
-  }
-
-  @Test
-  public void checkIsRoot_throws_IPFE_if_flag_root_is_false_on_UserDto() {
-    UserDto user = db.users().insertUser();
-    UserSession underTest = newUserSession(user);
-
-    assertThatForbiddenExceptionIsThrown(underTest::checkIsRoot);
-  }
-
-  @Test
-  public void checkIsRoot_does_not_fail_if_flag_root_is_true_on_UserDto() {
-    UserDto root = db.users().insertUser();
-    root = db.users().makeRoot(root);
-
-    UserSession underTest = newUserSession(root);
-
-    assertThat(underTest.checkIsRoot()).isSameAs(underTest);
-  }
-
-  @Test
-  public void hasComponentUuidPermission_returns_true_when_flag_root_is_true_on_UserDto_no_matter_if_user_has_project_permission_for_given_uuid() {
-    UserDto root = db.users().insertUser();
-    root = db.users().makeRoot(root);
-    ComponentDto project = db.components().insertPrivateProject();
-    ComponentDto file = db.components().insertComponent(newFileDto(project));
-
-    UserSession underTest = newUserSession(root);
-
-    assertThat(underTest.hasComponentUuidPermission(USER, file.uuid())).isTrue();
-    assertThat(underTest.hasComponentUuidPermission(CODEVIEWER, file.uuid())).isTrue();
-    assertThat(underTest.hasComponentUuidPermission(ADMIN, file.uuid())).isTrue();
-    assertThat(underTest.hasComponentUuidPermission("whatever", "who cares?")).isTrue();
-  }
-
-  @Test
-  public void checkComponentUuidPermission_succeeds_if_user_has_permission_for_specified_uuid_in_db() {
-    UserDto root = db.users().insertUser();
-    root = db.users().makeRoot(root);
-    ComponentDto project = db.components().insertPrivateProject();
-    ComponentDto file = db.components().insertComponent(newFileDto(project));
-
-    UserSession underTest = newUserSession(root);
-
-    assertThat(underTest.checkComponentUuidPermission(USER, file.uuid())).isSameAs(underTest);
-    assertThat(underTest.checkComponentUuidPermission("whatever", "who cares?")).isSameAs(underTest);
-  }
-
   @Test
   public void checkComponentUuidPermission_fails_with_FE_when_user_has_not_permission_for_specified_uuid_in_db() {
     UserDto user = db.users().insertUser();
@@ -203,19 +147,6 @@ public class ServerUserSessionTest {
     assertThatForbiddenExceptionIsThrown(() -> session.checkComponentUuidPermission(USER, "another-uuid"));
   }
 
-  @Test
-  public void checkChildProjectsPermission_succeeds_if_user_is_root() {
-    UserDto root = db.users().insertUser();
-    root = db.users().makeRoot(root);
-    ComponentDto project = db.components().insertPrivateProject();
-    ComponentDto application = db.components().insertPrivateApplication();
-    db.components().addApplicationProject(application, project);
-
-    UserSession underTest = newUserSession(root);
-
-    assertThat(underTest.checkChildProjectsPermission(USER, application)).isSameAs(underTest);
-  }
-
   @Test
   public void checkChildProjectsPermission_succeeds_if_user_has_permissions_on_all_application_child_projects() {
     UserDto user = db.users().insertUser();
@@ -262,19 +193,10 @@ public class ServerUserSessionTest {
 
   @Test
   public void checkPermission_succeeds_when_user_has_the_specified_permission() {
-    UserDto root = db.users().insertUser();
-    root = db.users().makeRoot(root);
-    db.users().insertPermissionOnUser(root, PROVISIONING);
+    UserDto adminUser = db.users().insertAdminByUserPermission();
+    db.users().insertPermissionOnUser(adminUser, PROVISIONING);
 
-    newUserSession(root).checkPermission(PROVISION_PROJECTS);
-  }
-
-  @Test
-  public void checkPermission_succeeds_when_user_is_root() {
-    UserDto root = db.users().insertUser();
-    root = db.users().makeRoot(root);
-
-    newUserSession(root).checkPermission(PROVISION_PROJECTS);
+    newUserSession(adminUser).checkPermission(PROVISION_PROJECTS);
   }
 
   @Test
@@ -651,17 +573,6 @@ public class ServerUserSessionTest {
     assertThat(hasComponentPermissionByDtoOrUuid(underTest, "p1", project)).isFalse();
   }
 
-  @Test
-  public void hasComponentPermissionByDtoOrUuid_returns_true_for_any_project_or_permission_for_root_user() {
-    UserDto root = db.users().insertUser();
-    root = db.users().makeRoot(root);
-    ComponentDto publicProject = db.components().insertPublicProject();
-
-    ServerUserSession underTest = newUserSession(root);
-
-    assertThat(hasComponentPermissionByDtoOrUuid(underTest, "does not matter", publicProject)).isTrue();
-  }
-
   @Test
   public void hasComponentPermissionByDtoOrUuid_keeps_cache_of_permissions_of_logged_in_user() {
     UserDto user = db.users().insertUser();
@@ -805,74 +716,6 @@ public class ServerUserSessionTest {
         .containsExactly(copyProject1, copyProject2, copyProject4, copyProject5);
   }
 
-  @Test
-  public void keepAuthorizedComponents_returns_all_specified_components_if_root() {
-    UserDto root = db.users().insertUser();
-    root = db.users().makeRoot(root);
-    UserSession underTest = newUserSession(root);
-
-    ComponentDto project1 = db.components().insertPublicProject();
-    ComponentDto project2 = db.components().insertPrivateProject();
-    ComponentDto project3 = db.components().insertPrivateProject();
-    ComponentDto project4 = db.components().insertPrivateProject();
-    ComponentDto project5 = db.components().insertPrivateProject();
-    ComponentDto project6 = db.components().insertPrivateProject();
-
-    ComponentDto portfolio = db.components().insertPrivatePortfolio();
-
-    ComponentDto subPortfolio = db.components().insertComponent(newSubPortfolio(portfolio));
-
-    ComponentDto app = db.components().insertPrivateApplication();
-
-    ComponentDto app2 = db.components().insertPrivateApplication();
-
-    // Add public project1 to private portfolio
-    db.components().addPortfolioProject(portfolio, project1);
-    db.components().insertComponent(newProjectCopy(project1, portfolio));
-
-    // Add private project2 to private portfolio
-    db.components().addPortfolioProject(portfolio, project2);
-    db.components().insertComponent(newProjectCopy(project2, portfolio));
-
-    // Add private project4 to sub-portfolio
-    db.components().addPortfolioProject(subPortfolio, project4);
-    db.components().insertComponent(newProjectCopy(project4, subPortfolio));
-    db.components().addPortfolioReference(portfolio, subPortfolio.uuid());
-
-    // Add private project3 without permissions to private portfolio
-    db.components().addPortfolioProject(portfolio, project3);
-    db.components().insertComponent(newProjectCopy(project3, portfolio));
-
-    // Add private project5 to app
-    db.components().addApplicationProject(app, project5);
-    db.components().insertComponent(newProjectCopy(project5, app));
-    db.components().addPortfolioReference(portfolio, app.uuid());
-
-    // Add private project6 to private app2
-    db.components().addApplicationProject(app2, project6);
-    db.components().insertComponent(newProjectCopy(project6, app2));
-    db.components().addPortfolioReference(portfolio, app2.uuid());
-
-    assertThat(underTest.keepAuthorizedComponents(ADMIN, Arrays.asList(portfolio))).hasSize(1);
-    assertThat(underTest.keepAuthorizedComponents(ADMIN, Arrays.asList(portfolio))).containsExactly(portfolio);
-
-    assertThat(underTest.keepAuthorizedComponents(ADMIN, Arrays.asList(app, subPortfolio, app2))).hasSize(3);
-    assertThat(underTest.keepAuthorizedComponents(ADMIN, Arrays.asList(app, subPortfolio, app2))).containsExactly(app, subPortfolio, app2);
-
-    assertThat(underTest.keepAuthorizedComponents(ADMIN, Arrays.asList(project1, project2, project3, project4, project5, project6))).hasSize(6);
-    assertThat(underTest.keepAuthorizedComponents(ADMIN, Arrays.asList(project1, project2, project3, project4, project5, project6))).containsExactly(project1, project2, project3, project4, project5, project6);
-  }
-
-  @Test
-  public void isSystemAdministrator_returns_true_if_org_feature_is_enabled_and_user_is_root() {
-    UserDto root = db.users().insertUser();
-    root = db.users().makeRoot(root);
-
-    UserSession session = newUserSession(root);
-
-    assertThat(session.isSystemAdministrator()).isTrue();
-  }
-
   @Test
   public void isSystemAdministrator_returns_false_if_org_feature_is_enabled_and_user_is_not_root() {
     UserDto user = db.users().insertUser();
@@ -918,16 +761,6 @@ public class ServerUserSessionTest {
     session.checkIsSystemAdministrator();
   }
 
-  @Test
-  public void checkIsSystemAdministrator_succeeds_if_system_administrator() {
-    UserDto root = db.users().insertUser();
-    root = db.users().makeRoot(root);
-
-    UserSession session = newUserSession(root);
-
-    session.checkIsSystemAdministrator();
-  }
-
   @Test
   public void checkIsSystemAdministrator_throws_ForbiddenException_if_not_system_administrator() {
     UserDto user = db.users().insertUser();
diff --git a/server/sonar-webserver-auth/src/test/java/org/sonar/server/user/ThreadLocalUserSessionTest.java b/server/sonar-webserver-auth/src/test/java/org/sonar/server/user/ThreadLocalUserSessionTest.java
index 4f8a5e463c9..f1fc01c2a3c 100644
--- a/server/sonar-webserver-auth/src/test/java/org/sonar/server/user/ThreadLocalUserSessionTest.java
+++ b/server/sonar-webserver-auth/src/test/java/org/sonar/server/user/ThreadLocalUserSessionTest.java
@@ -78,31 +78,6 @@ public class ThreadLocalUserSessionTest {
     assertThat(threadLocalUserSession.hasProjectPermission(USER, new ProjectDto().getUuid())).isFalse();
   }
 
-  @Test
-  public void get_session_for_root_user() {
-    GroupDto group = GroupTesting.newGroupDto();
-    MockUserSession expected = new MockUserSession("root")
-      .setUuid("root-uuid")
-      .setResetPassword(true)
-      .setLastSonarlintConnectionDate(1000L)
-      .setGroups(group);
-    expected.setRoot(true);
-    threadLocalUserSession.set(expected);
-
-    UserSession session = threadLocalUserSession.get();
-    assertThat(session).isSameAs(expected);
-    assertThat(threadLocalUserSession.getLastSonarlintConnectionDate()).isEqualTo(1000L);
-    assertThat(threadLocalUserSession.getLogin()).isEqualTo("root");
-    assertThat(threadLocalUserSession.getUuid()).isEqualTo("root-uuid");
-    assertThat(threadLocalUserSession.isLoggedIn()).isTrue();
-    assertThat(threadLocalUserSession.shouldResetPassword()).isTrue();
-    assertThat(threadLocalUserSession.getGroups()).extracting(GroupDto::getUuid).containsOnly(group.getUuid());
-    assertThat(threadLocalUserSession.hasChildProjectsPermission(USER, new ComponentDto())).isTrue();
-    assertThat(threadLocalUserSession.hasChildProjectsPermission(USER, new ProjectDto())).isTrue();
-    assertThat(threadLocalUserSession.hasPortfolioChildProjectsPermission(USER, new ComponentDto())).isTrue();
-    assertThat(threadLocalUserSession.hasProjectPermission(USER, new ProjectDto().getUuid())).isTrue();
-  }
-
   @Test
   public void get_session_for_anonymous() {
     AnonymousMockUserSession expected = new AnonymousMockUserSession();
diff --git a/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/tester/AbstractMockUserSession.java b/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/tester/AbstractMockUserSession.java
index bf21b59d8d6..ed2cf0c2ac1 100644
--- a/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/tester/AbstractMockUserSession.java
+++ b/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/tester/AbstractMockUserSession.java
@@ -217,7 +217,7 @@ public abstract class AbstractMockUserSession<T extends AbstractMockUserSession>
 
   @Override
   public boolean isSystemAdministrator() {
-    return isRoot() || systemAdministrator;
+    return systemAdministrator;
   }
 
   public T setResetPassword(boolean b) {
diff --git a/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/tester/AnonymousMockUserSession.java b/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/tester/AnonymousMockUserSession.java
index 704345cf6eb..072fb261d15 100644
--- a/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/tester/AnonymousMockUserSession.java
+++ b/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/tester/AnonymousMockUserSession.java
@@ -30,11 +30,6 @@ public class AnonymousMockUserSession extends AbstractMockUserSession<AnonymousM
     super(AnonymousMockUserSession.class);
   }
 
-  @Override
-  public boolean isRoot() {
-    return false;
-  }
-
   @Override
   public boolean isActive() {
     return false;
diff --git a/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/tester/MockUserSession.java b/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/tester/MockUserSession.java
index b199c30275a..9ae3c3c8de9 100644
--- a/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/tester/MockUserSession.java
+++ b/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/tester/MockUserSession.java
@@ -38,7 +38,6 @@ import static org.sonar.server.user.UserSession.IdentityProvider.SONARQUBE;
 public class MockUserSession extends AbstractMockUserSession<MockUserSession> {
   private final String login;
   private String uuid;
-  private boolean root = false;
   private String name;
   private List<GroupDto> groups = new ArrayList<>();
   private UserSession.IdentityProvider identityProvider;
@@ -81,20 +80,11 @@ public class MockUserSession extends AbstractMockUserSession<MockUserSession> {
     return true;
   }
 
-  @Override
-  public boolean isRoot() {
-    return root;
-  }
-
   @Override
   public boolean isActive() {
     return true;
   }
 
-  public void setRoot(boolean root) {
-    this.root = root;
-  }
-
   @Override
   public String getLogin() {
     return this.login;
diff --git a/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/tester/UserSessionRule.java b/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/tester/UserSessionRule.java
index c8fc0b37f98..894f7d12291 100644
--- a/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/tester/UserSessionRule.java
+++ b/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/tester/UserSessionRule.java
@@ -120,16 +120,6 @@ public class UserSessionRule implements TestRule, UserSession {
     return this;
   }
 
-  public UserSessionRule setRoot() {
-    ensureMockUserSession().setRoot(true);
-    return this;
-  }
-
-  public UserSessionRule setNonRoot() {
-    ensureMockUserSession().setRoot(false);
-    return this;
-  }
-
   public UserSessionRule setSystemAdministrator() {
     ensureMockUserSession().setSystemAdministrator(true);
     return this;
@@ -345,16 +335,6 @@ public class UserSessionRule implements TestRule, UserSession {
     return currentUserSession.isLoggedIn();
   }
 
-  @Override
-  public boolean isRoot() {
-    return currentUserSession.isRoot();
-  }
-
-  @Override
-  public UserSession checkIsRoot() {
-    return currentUserSession.checkIsRoot();
-  }
-
   @Override
   public UserSession checkLoggedIn() {
     currentUserSession.checkLoggedIn();
diff --git a/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/user/TestUserSessionFactory.java b/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/user/TestUserSessionFactory.java
index 92d1d056781..afd0ab1ab9b 100644
--- a/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/user/TestUserSessionFactory.java
+++ b/server/sonar-webserver-auth/src/testFixtures/java/org/sonar/server/user/TestUserSessionFactory.java
@@ -107,11 +107,6 @@ public class TestUserSessionFactory implements UserSessionFactory {
       return user != null;
     }
 
-    @Override
-    public boolean isRoot() {
-      throw notImplemented();
-    }
-
     @Override
     protected boolean hasPermissionImpl(GlobalPermission permission) {
       throw notImplemented();
diff --git a/server/sonar-webserver-es/src/main/java/org/sonar/server/permission/index/WebAuthorizationTypeSupport.java b/server/sonar-webserver-es/src/main/java/org/sonar/server/permission/index/WebAuthorizationTypeSupport.java
index b096918433c..ebf6d16dd01 100644
--- a/server/sonar-webserver-es/src/main/java/org/sonar/server/permission/index/WebAuthorizationTypeSupport.java
+++ b/server/sonar-webserver-es/src/main/java/org/sonar/server/permission/index/WebAuthorizationTypeSupport.java
@@ -49,10 +49,6 @@ public class WebAuthorizationTypeSupport {
    * user has read access.
    */
   public QueryBuilder createQueryFilter() {
-    if (userSession.isRoot()) {
-      return QueryBuilders.matchAllQuery();
-    }
-
     BoolQueryBuilder filter = boolQuery();
 
     // anyone
diff --git a/server/sonar-webserver-es/src/test/java/org/sonar/server/component/index/ComponentIndexLoginTest.java b/server/sonar-webserver-es/src/test/java/org/sonar/server/component/index/ComponentIndexLoginTest.java
index 20208440784..f19682a05fb 100644
--- a/server/sonar-webserver-es/src/test/java/org/sonar/server/component/index/ComponentIndexLoginTest.java
+++ b/server/sonar-webserver-es/src/test/java/org/sonar/server/component/index/ComponentIndexLoginTest.java
@@ -69,13 +69,4 @@ public class ComponentIndexLoginTest extends ComponentIndexTest {
     assertSearchResults("sonarqube", project);
   }
 
-  @Test
-  public void do_not_check_permissions_when_logged_in_user_is_root() {
-    userSession.logIn().setRoot();
-    ComponentDto project = newProject("sonarqube", "Quality Product");
-    indexer.index(project);
-    // do not give any permissions to that project
-
-    assertSearchResults("sonarqube", project);
-  }
 }
diff --git a/server/sonar-webserver-es/src/test/java/org/sonar/server/component/index/ComponentIndexSearchTest.java b/server/sonar-webserver-es/src/test/java/org/sonar/server/component/index/ComponentIndexSearchTest.java
index 8fbec429516..9d15fe3a156 100644
--- a/server/sonar-webserver-es/src/test/java/org/sonar/server/component/index/ComponentIndexSearchTest.java
+++ b/server/sonar-webserver-es/src/test/java/org/sonar/server/component/index/ComponentIndexSearchTest.java
@@ -29,7 +29,6 @@ import org.sonar.api.resources.Qualifiers;
 import org.sonar.api.utils.System2;
 import org.sonar.db.DbTester;
 import org.sonar.db.component.ComponentDto;
-import org.sonar.db.component.ComponentTesting;
 import org.sonar.server.es.EsTester;
 import org.sonar.server.es.SearchIdResult;
 import org.sonar.server.es.SearchOptions;
@@ -40,7 +39,6 @@ import org.sonar.server.tester.UserSessionRule;
 
 import static java.util.Collections.singleton;
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.sonar.server.component.index.ComponentIndexDefinition.TYPE_COMPONENT;
 
 public class ComponentIndexSearchTest {
   @Rule
@@ -48,7 +46,7 @@ public class ComponentIndexSearchTest {
   @Rule
   public DbTester db = DbTester.create(System2.INSTANCE);
   @Rule
-  public UserSessionRule userSession = UserSessionRule.standalone();
+  public UserSessionRule userSession = UserSessionRule.standalone().logIn();
   @Rule
   public ComponentTextSearchFeatureRule features = new ComponentTextSearchFeatureRule();
 
@@ -115,18 +113,6 @@ public class ComponentIndexSearchTest {
     assertThat(result.getUuids()).containsExactlyInAnyOrder(projects.get(3).uuid(), projects.get(4).uuid(), projects.get(5).uuid());
   }
 
-  @Test
-  public void returns_correct_total_number_if_default_index_window_exceeded() {
-    userSession.logIn().setRoot();
-
-    index(IntStream.range(0, 12_000)
-      .mapToObj(i -> newDoc(ComponentTesting.newPrivateProjectDto()))
-      .toArray(ComponentDoc[]::new));
-
-    SearchIdResult<String> result = underTest.search(ComponentQuery.builder().build(), new SearchOptions().setPage(2, 3));
-    assertThat(result.getTotal()).isEqualTo(12_000);
-  }
-
   @Test
   public void filter_unauthorized_components() {
     ComponentDto unauthorizedProject = db.components().insertPrivateProject();
@@ -146,17 +132,4 @@ public class ComponentIndexSearchTest {
     indexer.indexAll();
     Arrays.stream(components).forEach(authorizationIndexerTester::allowOnlyAnyone);
   }
-
-  private void index(ComponentDoc... componentDocs) {
-    es.putDocuments(TYPE_COMPONENT.getMainType(), componentDocs);
-  }
-
-  private ComponentDoc newDoc(ComponentDto componentDoc) {
-    return new ComponentDoc()
-      .setId(componentDoc.uuid())
-      .setKey(componentDoc.getKey())
-      .setName(componentDoc.name())
-      .setProjectUuid(componentDoc.projectUuid())
-      .setQualifier(componentDoc.qualifier());
-  }
 }
diff --git a/server/sonar-webserver-es/src/test/java/org/sonar/server/component/index/ComponentIndexSearchWindowExceededTest.java b/server/sonar-webserver-es/src/test/java/org/sonar/server/component/index/ComponentIndexSearchWindowExceededTest.java
new file mode 100644
index 00000000000..a1fac9fd574
--- /dev/null
+++ b/server/sonar-webserver-es/src/test/java/org/sonar/server/component/index/ComponentIndexSearchWindowExceededTest.java
@@ -0,0 +1,71 @@
+/*
+ * SonarQube
+ * Copyright (C) 2009-2022 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+package org.sonar.server.component.index;
+
+import java.util.stream.IntStream;
+import org.elasticsearch.index.query.QueryBuilders;
+import org.junit.Rule;
+import org.junit.Test;
+import org.sonar.api.utils.System2;
+import org.sonar.db.component.ComponentDto;
+import org.sonar.db.component.ComponentTesting;
+import org.sonar.server.es.EsTester;
+import org.sonar.server.es.SearchIdResult;
+import org.sonar.server.es.SearchOptions;
+import org.sonar.server.permission.index.WebAuthorizationTypeSupport;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+import static org.sonar.server.component.index.ComponentIndexDefinition.TYPE_COMPONENT;
+
+public class ComponentIndexSearchWindowExceededTest {
+  @Rule
+  public EsTester es = EsTester.create();
+
+  private final WebAuthorizationTypeSupport authorizationTypeSupport = mock(WebAuthorizationTypeSupport.class);
+  private final ComponentIndex underTest = new ComponentIndex(es.client(), authorizationTypeSupport, System2.INSTANCE);
+
+  @Test
+  public void returns_correct_total_number_if_default_index_window_exceeded() {
+    // bypassing the permission check, to have easily 12_000 elements searcheable without having to inserting them + permission.
+    when(authorizationTypeSupport.createQueryFilter()).thenReturn(QueryBuilders.matchAllQuery());
+
+    index(IntStream.range(0, 12_000)
+      .mapToObj(i -> newDoc(ComponentTesting.newPublicProjectDto()))
+      .toArray(ComponentDoc[]::new));
+
+    SearchIdResult<String> result = underTest.search(ComponentQuery.builder().build(), new SearchOptions().setPage(2, 3));
+    assertThat(result.getTotal()).isEqualTo(12_000);
+  }
+
+  private void index(ComponentDoc... componentDocs) {
+    es.putDocuments(TYPE_COMPONENT.getMainType(), componentDocs);
+  }
+
+  private ComponentDoc newDoc(ComponentDto componentDoc) {
+    return new ComponentDoc()
+      .setId(componentDoc.uuid())
+      .setKey(componentDoc.getKey())
+      .setName(componentDoc.name())
+      .setProjectUuid(componentDoc.projectUuid())
+      .setQualifier(componentDoc.qualifier());
+  }
+}
diff --git a/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexTest.java b/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexTest.java
index 4a35c325cd8..3b887d76704 100644
--- a/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexTest.java
+++ b/server/sonar-webserver-es/src/test/java/org/sonar/server/issue/index/IssueIndexTest.java
@@ -228,9 +228,6 @@ public class IssueIndexTest {
 
     userSessionRule.logIn().setGroups(group1, group2);
     assertThatSearchReturnsEmpty(IssueQuery.builder().projectUuids(singletonList(project3.uuid())));
-
-    userSessionRule.setRoot();
-    assertThatSearchReturnsOnly(IssueQuery.builder(), "I1", "I2", "I3");
   }
 
   @Test
@@ -261,18 +258,6 @@ public class IssueIndexTest {
     // another user
     userSessionRule.logIn(newUserDto());
     assertThatSearchReturnsEmpty(IssueQuery.builder());
-
-    userSessionRule.setRoot();
-    assertThatSearchReturnsOnly(IssueQuery.builder(), "I1", "I2", "I3");
-  }
-
-  @Test
-  public void root_user_is_authorized_to_access_all_issues() {
-    ComponentDto project = newPrivateProjectDto();
-    indexIssue(newDoc("I1", project));
-    userSessionRule.logIn().setRoot();
-
-    assertThatSearchReturnsOnly(IssueQuery.builder(), "I1");
   }
 
   @Test
diff --git a/server/sonar-webserver-es/src/test/java/org/sonar/server/measure/index/ProjectMeasuresIndexTest.java b/server/sonar-webserver-es/src/test/java/org/sonar/server/measure/index/ProjectMeasuresIndexTest.java
index f8344a01f17..7e4b0ec9051 100644
--- a/server/sonar-webserver-es/src/test/java/org/sonar/server/measure/index/ProjectMeasuresIndexTest.java
+++ b/server/sonar-webserver-es/src/test/java/org/sonar/server/measure/index/ProjectMeasuresIndexTest.java
@@ -540,15 +540,6 @@ public class ProjectMeasuresIndexTest {
     assertResults(new ProjectMeasuresQuery(), APP1, PROJECT1);
   }
 
-  @Test
-  public void root_user_can_access_all_projects_and_applications() {
-    indexForUser(USER1, newDoc(PROJECT1), newDoc(APP1));
-    // connecting with a root but not USER1
-    userSession.logIn().setRoot();
-
-    assertResults(new ProjectMeasuresQuery(), APP1, PROJECT1);
-  }
-
   @Test
   public void return_all_projects_and_applications_when_setIgnoreAuthorization_is_true() {
     indexForUser(USER1, newDoc(PROJECT1), newDoc(PROJECT2), newDoc(APP1), newDoc(APP2));
diff --git a/server/sonar-webserver-es/src/test/java/org/sonar/server/permission/index/WebAuthorizationTypeSupportTest.java b/server/sonar-webserver-es/src/test/java/org/sonar/server/permission/index/WebAuthorizationTypeSupportTest.java
index 33f05042292..830a17a3dff 100644
--- a/server/sonar-webserver-es/src/test/java/org/sonar/server/permission/index/WebAuthorizationTypeSupportTest.java
+++ b/server/sonar-webserver-es/src/test/java/org/sonar/server/permission/index/WebAuthorizationTypeSupportTest.java
@@ -40,15 +40,6 @@ public class WebAuthorizationTypeSupportTest {
 
   private WebAuthorizationTypeSupport underTest = new WebAuthorizationTypeSupport(userSession);
 
-  @Test
-  public void createQueryFilter_does_not_include_permission_filters_if_user_is_flagged_as_root() {
-    userSession.logIn().setRoot();
-
-    QueryBuilder filter = underTest.createQueryFilter();
-
-    assertThat(filter).isInstanceOf(MatchAllQueryBuilder.class);
-  }
-
   @Test
   public void createQueryFilter_sets_filter_on_anyone_group_if_user_is_anonymous() {
     userSession.anonymous();
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/measure/ws/ComponentTreeAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/measure/ws/ComponentTreeAction.java
index 449071201a6..50f26aca4bb 100644
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/measure/ws/ComponentTreeAction.java
+++ b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/measure/ws/ComponentTreeAction.java
@@ -106,8 +106,8 @@ import static org.sonar.server.measure.ws.SnapshotDtoToWsPeriod.snapshotToWsPeri
 import static org.sonar.server.ws.KeyExamples.KEY_BRANCH_EXAMPLE_001;
 import static org.sonar.server.ws.KeyExamples.KEY_PROJECT_EXAMPLE_001;
 import static org.sonar.server.ws.KeyExamples.KEY_PULL_REQUEST_EXAMPLE_001;
-import static org.sonar.server.ws.WsParameterBuilder.createQualifiersParameter;
 import static org.sonar.server.ws.WsParameterBuilder.QualifierParameterContext.newQualifierParameterContext;
+import static org.sonar.server.ws.WsParameterBuilder.createQualifiersParameter;
 import static org.sonar.server.ws.WsUtils.writeProtobuf;
 
 /**
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/qualitygate/ws/SearchAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/qualitygate/ws/SearchAction.java
index ee9adeb83d4..4788d560f89 100644
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/qualitygate/ws/SearchAction.java
+++ b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/qualitygate/ws/SearchAction.java
@@ -160,12 +160,6 @@ public class SearchAction implements QualityGatesWsAction {
   }
 
   private List<ProjectQgateAssociationDto> keepAuthorizedProjects(DbSession dbSession, List<ProjectQgateAssociationDto> projects) {
-    if (userSession.isRoot()) {
-      // the method AuthorizationDao#keepAuthorizedProjectIds() should be replaced by
-      // a call to UserSession, which would transparently support roots.
-      // Meanwhile root is explicitly handled.
-      return projects;
-    }
     List<String> projectUuids = projects.stream().map(ProjectQgateAssociationDto::getUuid).collect(MoreCollectors.toList());
     Collection<String> authorizedProjectIds = dbClient.authorizationDao().keepAuthorizedProjectUuids(dbSession, projectUuids, userSession.getUuid(), UserRole.USER);
     return projects.stream().filter(project -> authorizedProjectIds.contains(project.getUuid())).collect(MoreCollectors.toList());
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/RootsWs.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/RootsWs.java
deleted file mode 100644
index 5f4fb2deda6..00000000000
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/RootsWs.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/*
- * SonarQube
- * Copyright (C) 2009-2022 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- */
-package org.sonar.server.root.ws;
-
-import org.sonar.api.server.ws.WebService;
-
-public class RootsWs implements WebService {
-  private final RootsWsAction[] actions;
-
-  public RootsWs(RootsWsAction... actions) {
-    this.actions = actions;
-  }
-
-  @Override
-  public void define(Context context) {
-    NewController controller = context.createController("api/roots")
-        .setSince("6.2")
-        .setDescription("Manage root users");
-
-    for (RootsWsAction action : actions) {
-      action.define(controller);
-    }
-
-    controller.done();
-  }
-}
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/SearchAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/SearchAction.java
deleted file mode 100644
index b8a26a1360b..00000000000
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/SearchAction.java
+++ /dev/null
@@ -1,90 +0,0 @@
-/*
- * SonarQube
- * Copyright (C) 2009-2022 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- */
-package org.sonar.server.root.ws;
-
-import java.util.List;
-import org.sonar.api.server.ws.Request;
-import org.sonar.api.server.ws.Response;
-import org.sonar.api.server.ws.WebService;
-import org.sonar.api.user.UserQuery;
-import org.sonar.db.DbClient;
-import org.sonar.db.DbSession;
-import org.sonar.db.user.UserDto;
-import org.sonar.server.user.UserSession;
-import org.sonarqube.ws.Roots;
-
-import static org.sonar.server.ws.WsUtils.writeProtobuf;
-
-public class SearchAction implements RootsWsAction {
-  private final UserSession userSession;
-  private final DbClient dbClient;
-
-  public SearchAction(UserSession userSession, DbClient dbClient) {
-    this.userSession = userSession;
-    this.dbClient = dbClient;
-  }
-
-  @Override
-  public void define(WebService.NewController controller) {
-    controller.createAction("search")
-        .setInternal(true)
-        .setPost(false)
-        .setDescription("Search for root users.<br/>" +
-            "Requires to be root.")
-        .setSince("6.2")
-        .setResponseExample(getClass().getResource("search-example.json"))
-        .setHandler(this);
-  }
-
-  @Override
-  public void handle(Request request, Response response) throws Exception {
-    userSession.checkIsRoot();
-
-    try (DbSession dbSession = dbClient.openSession(false)) {
-      List<UserDto> userDtos = dbClient.userDao().selectUsers(
-          dbSession,
-          UserQuery.builder()
-              .mustBeRoot()
-              .build());
-
-      writeResponse(request, response, userDtos);
-    }
-  }
-
-  private static void writeResponse(Request request, Response response, List<UserDto> dtos) {
-    Roots.SearchResponse.Builder responseBuilder = Roots.SearchResponse.newBuilder();
-    Roots.RootContent.Builder rootBuilder = Roots.RootContent.newBuilder();
-    dtos.forEach(dto -> responseBuilder.addRoots(toRoot(rootBuilder, dto)));
-    writeProtobuf(responseBuilder.build(), request, response);
-  }
-
-  private static Roots.RootContent toRoot(Roots.RootContent.Builder builder, UserDto dto) {
-    builder.clear();
-    builder.setLogin(dto.getLogin());
-    if (dto.getName() != null) {
-      builder.setName(dto.getName());
-    }
-    if (dto.getEmail() != null) {
-      builder.setEmail(dto.getEmail());
-    }
-    return builder.build();
-  }
-
-}
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/SetRootAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/SetRootAction.java
deleted file mode 100644
index 4008d5ab325..00000000000
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/SetRootAction.java
+++ /dev/null
@@ -1,80 +0,0 @@
-/*
- * SonarQube
- * Copyright (C) 2009-2022 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- */
-package org.sonar.server.root.ws;
-
-import org.sonar.api.server.ws.Request;
-import org.sonar.api.server.ws.Response;
-import org.sonar.api.server.ws.WebService;
-import org.sonar.db.DbClient;
-import org.sonar.db.DbSession;
-import org.sonar.db.user.UserDto;
-import org.sonar.server.exceptions.NotFoundException;
-import org.sonar.server.user.UserSession;
-
-import static java.lang.String.format;
-
-public class SetRootAction implements RootsWsAction {
-  private static final String PARAM_LOGIN = "login";
-
-  private final UserSession userSession;
-  private final DbClient dbClient;
-
-  public SetRootAction(UserSession userSession, DbClient dbClient) {
-    this.userSession = userSession;
-    this.dbClient = dbClient;
-  }
-
-  @Override
-  public void define(WebService.NewController controller) {
-    WebService.NewAction action = controller.createAction("set_root")
-      .setInternal(true)
-      .setPost(true)
-      .setDescription("Make the specified user root.<br/>" +
-        "Requires to be root.")
-      .setSince("6.2")
-      .setHandler(this);
-
-    action.createParam(PARAM_LOGIN)
-      .setDescription("A user login")
-      .setExampleValue("admin")
-      .setRequired(true)
-      .setSince("6.2");
-  }
-
-  @Override
-  public void handle(Request request, Response response) throws Exception {
-    userSession.checkIsRoot();
-
-    String login = request.mandatoryParam(PARAM_LOGIN);
-    try (DbSession dbSession = dbClient.openSession(false)) {
-      UserDto userDto = dbClient.userDao().selectByLogin(dbSession, login);
-      if (userDto == null || !userDto.isActive()) {
-        throw new NotFoundException(format("User with login '%s' not found", login));
-      }
-
-      if (!userDto.isRoot()) {
-        dbClient.userDao().setRoot(dbSession, login, true);
-        dbSession.commit();
-      }
-    }
-    response.noContent();
-  }
-
-}
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/UnsetRootAction.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/UnsetRootAction.java
deleted file mode 100644
index 1e9831eb3f6..00000000000
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/UnsetRootAction.java
+++ /dev/null
@@ -1,81 +0,0 @@
-/*
- * SonarQube
- * Copyright (C) 2009-2022 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- */
-package org.sonar.server.root.ws;
-
-import org.sonar.api.server.ws.Request;
-import org.sonar.api.server.ws.Response;
-import org.sonar.api.server.ws.WebService;
-import org.sonar.db.DbClient;
-import org.sonar.db.DbSession;
-import org.sonar.db.user.UserDto;
-import org.sonar.server.exceptions.NotFoundException;
-import org.sonar.server.user.UserSession;
-
-import static java.lang.String.format;
-import static org.sonar.server.exceptions.BadRequestException.checkRequest;
-
-public class UnsetRootAction implements RootsWsAction {
-  private static final String PARAM_LOGIN = "login";
-
-  private final UserSession userSession;
-  private final DbClient dbClient;
-
-  public UnsetRootAction(UserSession userSession, DbClient dbClient) {
-    this.userSession = userSession;
-    this.dbClient = dbClient;
-  }
-
-  @Override
-  public void define(WebService.NewController controller) {
-    WebService.NewAction action = controller.createAction("unset_root")
-      .setInternal(true)
-      .setPost(true)
-      .setDescription("Make the specified user not root.<br/>" +
-        "Requires to be root.")
-      .setSince("6.2")
-      .setHandler(this);
-
-    action.createParam(PARAM_LOGIN)
-      .setDescription("A user login")
-      .setExampleValue("admin")
-      .setRequired(true)
-      .setSince("6.2");
-  }
-
-  @Override
-  public void handle(Request request, Response response) throws Exception {
-    userSession.checkIsRoot();
-
-    String login = request.mandatoryParam(PARAM_LOGIN);
-    try (DbSession dbSession = dbClient.openSession(false)) {
-      UserDto userDto = dbClient.userDao().selectByLogin(dbSession, login);
-      if (userDto == null || !userDto.isActive()) {
-        throw new NotFoundException(format("User with login '%s' not found", login));
-      }
-      checkRequest(dbClient.userDao().countRootUsersButLogin(dbSession, login) > 0, "Last root can't be unset");
-      if (userDto.isRoot()) {
-        dbClient.userDao().setRoot(dbSession, login, false);
-        dbSession.commit();
-      }
-    }
-    response.noContent();
-  }
-
-}
diff --git a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/package-info.java b/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/package-info.java
deleted file mode 100644
index f0af49391f0..00000000000
--- a/server/sonar-webserver-webapi/src/main/java/org/sonar/server/root/ws/package-info.java
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * SonarQube
- * Copyright (C) 2009-2022 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- */
-@ParametersAreNonnullByDefault
-package org.sonar.server.root.ws;
-
-import javax.annotation.ParametersAreNonnullByDefault;
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/ce/ws/TaskActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/ce/ws/TaskActionTest.java
index dc69178e1cc..e5dcca0070b 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/ce/ws/TaskActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/ce/ws/TaskActionTest.java
@@ -53,11 +53,12 @@ import org.sonarqube.ws.Common;
 import static java.util.Collections.singleton;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.sonar.api.web.UserRole.ADMIN;
+import static org.sonar.api.web.UserRole.SCAN;
 import static org.sonar.core.permission.GlobalPermissions.SCAN_EXECUTION;
 import static org.sonar.db.ce.CeTaskCharacteristicDto.BRANCH_KEY;
 import static org.sonar.db.ce.CeTaskCharacteristicDto.BRANCH_TYPE_KEY;
 import static org.sonar.db.component.BranchType.BRANCH;
-import static org.sonar.db.permission.GlobalPermission.SCAN;
 
 public class TaskActionTest {
 
@@ -79,13 +80,14 @@ public class TaskActionTest {
   @Before
   public void setUp() {
     privateProject = db.components().insertPrivateProject();
+    userSession.logIn().addProjectPermission(ADMIN, privateProject);
     publicProject = db.components().insertPublicProject();
   }
 
   @Test
   public void task_is_in_queue() {
     UserDto user = db.users().insertUser();
-    userSession.logIn(user).setRoot();
+    userSession.addProjectPermission(SCAN, privateProject);
 
     CeQueueDto queueDto = new CeQueueDto();
     queueDto.setTaskType(CeTaskTypes.REPORT);
@@ -112,7 +114,7 @@ public class TaskActionTest {
   @Test
   public void no_warning_detail_on_task_in_queue() {
     UserDto user = db.users().insertUser();
-    userSession.logIn(user).setRoot();
+    userSession.logIn(user).setSystemAdministrator();
     CeQueueDto queueDto = createAndPersistQueueTask(null, user);
     IntStream.range(0, 1 + new Random().nextInt(5))
       .forEach(i -> db.getDbClient().ceTaskMessageDao().insert(db.getSession(),
@@ -135,7 +137,7 @@ public class TaskActionTest {
   @Test
   public void task_is_archived() {
     UserDto user = db.users().insertUser();
-    userSession.logIn(user).setRoot();
+    userSession.logIn(user).addProjectPermission(SCAN, privateProject);
 
     CeActivityDto activityDto = createActivityDto(SOME_TASK_UUID);
     persist(activityDto);
@@ -157,7 +159,7 @@ public class TaskActionTest {
 
   @Test
   public void branch_in_past_activity() {
-    logInAsRoot();
+    logInAsSystemAdministrator();
     ComponentDto project = db.components().insertPrivateProject();
     userSession.addProjectPermission(UserRole.USER, project);
     ComponentDto branch = db.components().insertProjectBranch(project, b -> b.setBranchType(BRANCH));
@@ -178,7 +180,8 @@ public class TaskActionTest {
   @Test
   public void branch_in_queue_analysis() {
     UserDto user = db.users().insertUser();
-    userSession.logIn(user).setRoot();
+    userSession.logIn(user).setSystemAdministrator();
+    ;
     String branch = "my_branch";
     CeQueueDto queueDto = createAndPersistQueueTask(null, user);
     insertCharacteristic(queueDto, BRANCH_KEY, branch);
@@ -195,7 +198,7 @@ public class TaskActionTest {
 
   @Test
   public void return_stacktrace_of_failed_activity_with_stacktrace_when_additionalField_is_set() {
-    logInAsRoot();
+    logInAsSystemAdministrator();
 
     CeActivityDto activityDto = createActivityDto(SOME_TASK_UUID)
       .setErrorMessage("error msg")
@@ -215,7 +218,7 @@ public class TaskActionTest {
 
   @Test
   public void do_not_return_stacktrace_of_failed_activity_with_stacktrace_when_additionalField_is_not_set() {
-    logInAsRoot();
+    logInAsSystemAdministrator();
 
     CeActivityDto activityDto = createActivityDto(SOME_TASK_UUID)
       .setErrorMessage("error msg")
@@ -233,7 +236,7 @@ public class TaskActionTest {
 
   @Test
   public void return_scannerContext_of_activity_with_scannerContext_when_additionalField_is_set() {
-    logInAsRoot();
+    logInAsSystemAdministrator();
 
     String scannerContext = "this is some scanner context, yeah!";
     persist(createActivityDto(SOME_TASK_UUID));
@@ -250,7 +253,7 @@ public class TaskActionTest {
 
   @Test
   public void do_not_return_scannerContext_of_activity_with_scannerContext_when_additionalField_is_not_set() {
-    logInAsRoot();
+    logInAsSystemAdministrator();
 
     String scannerContext = "this is some scanner context, yeah!";
     persist(createActivityDto(SOME_TASK_UUID));
@@ -267,7 +270,7 @@ public class TaskActionTest {
 
   @Test
   public void do_not_return_stacktrace_of_failed_activity_without_stacktrace() {
-    logInAsRoot();
+    logInAsSystemAdministrator();
 
     CeActivityDto activityDto = createActivityDto(SOME_TASK_UUID)
       .setErrorMessage("error msg");
@@ -284,7 +287,7 @@ public class TaskActionTest {
 
   @Test
   public void throw_NotFoundException_if_id_does_not_exist() {
-    logInAsRoot();
+    logInAsSystemAdministrator();
 
     TestRequest request = ws.newRequest()
       .setParam("id", "DOES_NOT_EXIST");
@@ -335,7 +338,7 @@ public class TaskActionTest {
   @Test
   public void get_project_queue_task_with_scan_permission_but_not_on_project() {
     UserDto user = db.users().insertUser();
-    userSession.logIn(user).addPermission(SCAN);
+    userSession.logIn(user).addPermission(GlobalPermission.SCAN);
     CeQueueDto task = createAndPersistQueueTask(privateProject, user);
 
     call(task.getUuid());
@@ -392,7 +395,7 @@ public class TaskActionTest {
 
   @Test
   public void get_project_archived_task_with_scan_permission_but_not_on_project() {
-    userSession.logIn().addPermission(SCAN);
+    userSession.logIn().addPermission(GlobalPermission.SCAN);
     CeActivityDto task = createAndPersistArchivedTask(privateProject);
 
     call(task.getUuid());
@@ -570,10 +573,7 @@ public class TaskActionTest {
 
   private void logInAsSystemAdministrator() {
     userSession.logIn().setSystemAdministrator();
-  }
-
-  private void logInAsRoot() {
-    userSession.logIn().setRoot();
+    userSession.addPermission(GlobalPermission.ADMINISTER);
   }
 
   private void call(String taskUuid) {
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/component/ws/ShowActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/component/ws/ShowActionTest.java
index 94f698ef43e..169ceccf252 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/component/ws/ShowActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/component/ws/ShowActionTest.java
@@ -61,7 +61,7 @@ import static org.sonarqube.ws.client.component.ComponentsWsParameters.PARAM_PUL
 
 public class ShowActionTest {
   @Rule
-  public final UserSessionRule userSession = UserSessionRule.standalone();
+  public final UserSessionRule userSession = UserSessionRule.standalone().logIn();
   @Rule
   public final DbTester db = DbTester.create(System2.INSTANCE);
 
@@ -97,7 +97,6 @@ public class ShowActionTest {
 
   @Test
   public void json_example() {
-    userSession.logIn().setRoot();
     insertJsonExampleComponentsAndSnapshots();
 
     String response = ws.newRequest()
@@ -110,7 +109,6 @@ public class ShowActionTest {
 
   @Test
   public void tags_displayed_only_for_project() {
-    userSession.logIn().setRoot();
     insertJsonExampleComponentsAndSnapshots();
 
     String response = ws.newRequest()
@@ -125,7 +123,7 @@ public class ShowActionTest {
   public void show_with_browse_permission() {
     ComponentDto project = newPrivateProjectDto("project-uuid");
     db.components().insertProjectAndSnapshot(project);
-    userSession.logIn().addProjectPermission(USER, project);
+    userSession.addProjectPermission(USER, project);
 
     ShowWsResponse response = newRequest(project.getDbKey());
 
@@ -205,8 +203,8 @@ public class ShowActionTest {
 
   @Test
   public void should_return_visibility_for_private_project() {
-    userSession.logIn().setRoot();
     ComponentDto privateProject = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, privateProject);
 
     ShowWsResponse result = newRequest(privateProject.getDbKey());
     assertThat(result.getComponent().hasVisibility()).isTrue();
@@ -215,8 +213,8 @@ public class ShowActionTest {
 
   @Test
   public void should_return_visibility_for_public_project() {
-    userSession.logIn().setRoot();
     ComponentDto publicProject = db.components().insertPublicProject();
+    userSession.registerComponents(publicProject);
 
     ShowWsResponse result = newRequest(publicProject.getDbKey());
     assertThat(result.getComponent().hasVisibility()).isTrue();
@@ -225,8 +223,8 @@ public class ShowActionTest {
 
   @Test
   public void should_return_visibility_for_portfolio() {
-    userSession.logIn().setRoot();
     ComponentDto view = db.components().insertPrivatePortfolio();
+    userSession.addProjectPermission(USER, view);
 
     ShowWsResponse result = newRequest(view.getDbKey());
     assertThat(result.getComponent().hasVisibility()).isTrue();
@@ -234,8 +232,8 @@ public class ShowActionTest {
 
   @Test
   public void should_not_return_visibility_for_module() {
-    userSession.logIn().setRoot();
     ComponentDto privateProject = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, privateProject);
     ComponentDto module = db.components().insertComponent(newModuleDto(privateProject));
 
     ShowWsResponse result = newRequest(module.getDbKey());
@@ -378,8 +376,6 @@ public class ShowActionTest {
 
   @Test
   public void throw_ForbiddenException_if_user_doesnt_have_browse_permission_on_project() {
-    userSession.logIn();
-
     ComponentDto componentDto = newPrivateProjectDto("project-uuid");
     db.components().insertProjectAndSnapshot(componentDto);
 
@@ -397,8 +393,9 @@ public class ShowActionTest {
 
   @Test
   public void fail_if_component_is_removed() {
-    userSession.logIn().setRoot();
-    ComponentDto project = db.components().insertComponent(newPrivateProjectDto());
+    ComponentDto privateProjectDto = newPrivateProjectDto();
+    ComponentDto project = db.components().insertComponent(privateProjectDto);
+    userSession.addProjectPermission(USER, project);
     db.components().insertComponent(newFileDto(project).setDbKey("file-key").setEnabled(false));
 
     assertThatThrownBy(() -> newRequest("file-key"))
@@ -451,6 +448,7 @@ public class ShowActionTest {
       .setDescription("Java Markdown Project")
       .setQualifier(Qualifiers.PROJECT),
       p -> p.setTagsString("language, plugin"));
+    userSession.addProjectPermission(USER, project);
     db.components().insertSnapshot(project, snapshot -> snapshot
       .setProjectVersion("1.1")
       .setCreatedAt(parseDateTime("2017-03-01T11:39:03+0100").getTime())
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/developers/ws/SearchEventsActionNewIssuesTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/developers/ws/SearchEventsActionNewIssuesTest.java
index 59ad707b5d7..0882301f62d 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/developers/ws/SearchEventsActionNewIssuesTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/developers/ws/SearchEventsActionNewIssuesTest.java
@@ -55,6 +55,7 @@ import static org.assertj.core.api.Assertions.tuple;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 import static org.sonar.api.utils.DateUtils.formatDateTime;
+import static org.sonar.api.web.UserRole.USER;
 import static org.sonar.db.component.BranchType.BRANCH;
 import static org.sonar.server.developers.ws.SearchEventsAction.PARAM_FROM;
 import static org.sonar.server.developers.ws.SearchEventsAction.PARAM_PROJECTS;
@@ -82,9 +83,10 @@ public class SearchEventsActionNewIssuesTest {
 
   @Test
   public void issue_event() {
-    userSession.logIn().setRoot();
+    userSession.logIn();
     when(server.getPublicRootUrl()).thenReturn("https://sonarcloud.io");
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     SnapshotDto analysis = insertAnalysis(project, 1_500_000_000_000L);
     insertIssue(project, analysis);
     insertIssue(project, analysis);
@@ -109,9 +111,10 @@ public class SearchEventsActionNewIssuesTest {
 
   @Test
   public void many_issues_events() {
-    userSession.logIn().setRoot();
+    userSession.logIn();
     long from = 1_500_000_000_000L;
     ComponentDto project = db.components().insertPrivateProject(p -> p.setName("SonarQube"));
+    userSession.addProjectPermission(USER, project);
     SnapshotDto analysis = insertAnalysis(project, from);
     insertIssue(project, analysis);
     insertIssue(project, analysis);
@@ -130,8 +133,9 @@ public class SearchEventsActionNewIssuesTest {
 
   @Test
   public void does_not_return_old_issue() {
-    userSession.logIn().setRoot();
+    userSession.logIn();
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     SnapshotDto analysis = insertAnalysis(project, 1_500_000_000_000L);
     db.issues().insert(db.rules().insert(), project, project, i -> i.setIssueCreationDate(new Date(analysis.getCreatedAt() - 10_000L)));
     issueIndexer.indexAllIssues();
@@ -146,8 +150,9 @@ public class SearchEventsActionNewIssuesTest {
 
   @Test
   public void return_link_to_issue_search_for_new_issues_event() {
-    userSession.logIn("my_login").setRoot();
+    userSession.logIn("my_login");
     ComponentDto project = db.components().insertPrivateProject(p -> p.setDbKey("my_project"));
+    userSession.addProjectPermission(USER, project);
     SnapshotDto analysis = insertAnalysis(project, 1_400_000_000_000L);
     insertIssue(project, analysis);
     issueIndexer.indexAllIssues();
@@ -164,9 +169,10 @@ public class SearchEventsActionNewIssuesTest {
 
   @Test
   public void branch_issues_events() {
-    userSession.logIn().setRoot();
+    userSession.logIn().setSystemAdministrator();
     when(server.getPublicRootUrl()).thenReturn("https://sonarcloud.io");
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     ComponentDto branch1 = db.components().insertProjectBranch(project, b -> b.setBranchType(BRANCH).setKey("branch1"));
     SnapshotDto branch1Analysis = insertAnalysis(branch1, 1_500_000_000_000L);
     insertIssue(branch1, branch1Analysis);
@@ -197,9 +203,10 @@ public class SearchEventsActionNewIssuesTest {
 
   @Test
   public void pull_request_issues_events() {
-    userSession.logIn().setRoot();
+    userSession.logIn().setSystemAdministrator();
     when(server.getPublicRootUrl()).thenReturn("https://sonarcloud.io");
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     ComponentDto nonMainBranch = db.components().insertProjectBranch(project, b -> b.setBranchType(BRANCH).setKey("nonMain"));
     SnapshotDto nonMainBranchAnalysis = insertAnalysis(nonMainBranch, 1_500_000_000_000L);
     insertIssue(nonMainBranch, nonMainBranchAnalysis);
@@ -231,9 +238,10 @@ public class SearchEventsActionNewIssuesTest {
 
   @Test
   public void encode_link() {
-    userSession.logIn("rågnar").setRoot();
+    userSession.logIn("rågnar").setSystemAdministrator();
     long from = 1_500_000_000_000L;
     ComponentDto project = db.components().insertPrivateProject(p -> p.setDbKey("M&M's"));
+    userSession.addProjectPermission(USER, project);
     SnapshotDto analysis = insertAnalysis(project, from);
     insertIssue(project, analysis);
     issueIndexer.indexAllIssues();
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/developers/ws/SearchEventsActionQualityGateTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/developers/ws/SearchEventsActionQualityGateTest.java
index 421b8f0e382..2247ab7da89 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/developers/ws/SearchEventsActionQualityGateTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/developers/ws/SearchEventsActionQualityGateTest.java
@@ -47,6 +47,7 @@ import static org.assertj.core.api.Assertions.tuple;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 import static org.sonar.api.utils.DateUtils.formatDateTime;
+import static org.sonar.api.web.UserRole.USER;
 import static org.sonar.db.component.BranchType.BRANCH;
 import static org.sonar.db.component.BranchType.PULL_REQUEST;
 import static org.sonar.db.event.EventTesting.newEvent;
@@ -60,19 +61,19 @@ public class SearchEventsActionQualityGateTest {
   @Rule
   public EsTester es = EsTester.create();
   @Rule
-  public UserSessionRule userSession = UserSessionRule.standalone();
+  public UserSessionRule userSession = UserSessionRule.standalone().logIn();
 
   private Server server = mock(Server.class);
-  private IssueIndex issueIndex = new IssueIndex(es.client(), null, null, null);
+  private IssueIndex issueIndex = new IssueIndex(es.client(), null, userSession, null);
   private IssueIndexSyncProgressChecker issueIndexSyncProgressChecker = mock(IssueIndexSyncProgressChecker.class);
   private WsActionTester ws = new WsActionTester(new SearchEventsAction(db.getDbClient(), userSession, server, issueIndex,
     issueIndexSyncProgressChecker));
 
   @Test
   public void quality_gate_events() {
-    userSession.logIn().setRoot();
     when(server.getPublicRootUrl()).thenReturn("https://sonarcloud.io");
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     SnapshotDto projectAnalysis = insertSuccessfulActivity(project, 1_500_000_000_000L);
     db.events().insertEvent(newQualityGateEvent(projectAnalysis).setDate(projectAnalysis.getCreatedAt()).setName("Failed"));
 
@@ -94,9 +95,9 @@ public class SearchEventsActionQualityGateTest {
 
   @Test
   public void branch_quality_gate_events() {
-    userSession.logIn().setRoot();
     when(server.getPublicRootUrl()).thenReturn("https://sonarcloud.io");
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     ComponentDto branch = db.components().insertProjectBranch(project, b -> b.setBranchType(BRANCH));
     SnapshotDto projectAnalysis = insertSuccessfulActivity(project, 1_500_000_000_000L);
     SnapshotDto branchAnalysis = insertSuccessfulActivity(branch, 1_500_000_000_000L);
@@ -119,7 +120,7 @@ public class SearchEventsActionQualityGateTest {
 
   @Test
   public void does_not_return_quality_gate_events_on_pull_request() {
-    userSession.logIn().setRoot();
+    userSession.logIn().setSystemAdministrator();
     when(server.getPublicRootUrl()).thenReturn("https://sonarcloud.io");
     ComponentDto project = db.components().insertPrivateProject();
     ComponentDto pr = db.components().insertProjectBranch(project, b -> b.setBranchType(PULL_REQUEST));
@@ -137,8 +138,8 @@ public class SearchEventsActionQualityGateTest {
 
   @Test
   public void return_only_latest_quality_gate_event() {
-    userSession.logIn().setRoot();
     ComponentDto project = db.components().insertPrivateProject(p -> p.setName("My Project"));
+    userSession.addProjectPermission(USER, project);
     SnapshotDto a1 = insertSuccessfulActivity(project, 1_500_000_000_000L);
     EventDto e1 = db.events().insertEvent(newQualityGateEvent(a1).setName("Failed").setDate(a1.getCreatedAt()));
     SnapshotDto a2 = insertSuccessfulActivity(project, 1_500_000_000_001L);
@@ -155,8 +156,8 @@ public class SearchEventsActionQualityGateTest {
 
   @Test
   public void return_link_to_dashboard_for_quality_gate_event() {
-    userSession.logIn().setRoot();
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     SnapshotDto analysis = insertSuccessfulActivity(project, 1_500_000_000_000L);
     EventDto e1 = db.events().insertEvent(newQualityGateEvent(analysis).setName("Failed").setDate(analysis.getCreatedAt()));
     when(server.getPublicRootUrl()).thenReturn("https://sonarcloud.io");
@@ -172,8 +173,8 @@ public class SearchEventsActionQualityGateTest {
 
   @Test
   public void encode_link() {
-    userSession.logIn().setRoot();
     ComponentDto project = db.components().insertPrivateProject(p -> p.setDbKey("M&M's"));
+    userSession.addProjectPermission(USER, project);
     SnapshotDto analysis = insertSuccessfulActivity(project, 1_500_000_000_000L);
     EventDto event = db.events().insertEvent(newQualityGateEvent(analysis).setName("Failed").setDate(analysis.getCreatedAt()));
     when(server.getPublicRootUrl()).thenReturn("http://sonarcloud.io");
@@ -189,8 +190,8 @@ public class SearchEventsActionQualityGateTest {
 
   @Test
   public void filter_quality_gate_event() {
-    userSession.logIn().setRoot();
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     SnapshotDto analysis = insertSuccessfulActivity(project, 1_500_000_000_000L);
     EventDto qualityGateEvent = db.events().insertEvent(newQualityGateEvent(analysis).setDate(analysis.getCreatedAt()));
     EventDto versionEvent = db.events().insertEvent(newEvent(analysis).setCategory(EventCategory.VERSION.getLabel()).setDate(analysis.getCreatedAt()));
@@ -207,10 +208,12 @@ public class SearchEventsActionQualityGateTest {
 
   @Test
   public void filter_by_from_date_inclusive() {
-    userSession.logIn().setRoot();
     ComponentDto project1 = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project1);
     ComponentDto project2 = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project2);
     ComponentDto project3 = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project3);
     long from1 = 1_500_000_000_000L;
     long from2 = 1_400_000_000_000L;
     long from3 = 1_300_000_000_000L;
@@ -233,9 +236,10 @@ public class SearchEventsActionQualityGateTest {
 
   @Test
   public void return_one_quality_gate_change_per_project() {
-    userSession.logIn().setRoot();
     ComponentDto project1 = db.components().insertPrivateProject(p -> p.setName("p1"));
+    userSession.addProjectPermission(USER, project1);
     ComponentDto project2 = db.components().insertPrivateProject(p -> p.setName("p2"));
+    userSession.addProjectPermission(USER, project2);
     long from = 1_500_000_000_000L;
     SnapshotDto a11 = insertSuccessfulActivity(project1, from);
     SnapshotDto a12 = insertSuccessfulActivity(project1, from + 1L);
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/developers/ws/SearchEventsActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/developers/ws/SearchEventsActionTest.java
index d152288b336..7a793283dc7 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/developers/ws/SearchEventsActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/developers/ws/SearchEventsActionTest.java
@@ -62,6 +62,7 @@ import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 import static org.sonar.api.utils.DateUtils.formatDateTime;
+import static org.sonar.api.web.UserRole.USER;
 import static org.sonar.db.event.EventTesting.newEvent;
 import static org.sonar.server.developers.ws.SearchEventsAction.PARAM_FROM;
 import static org.sonar.server.developers.ws.SearchEventsAction.PARAM_PROJECTS;
@@ -78,7 +79,7 @@ public class SearchEventsActionTest {
   @Rule
   public EsTester es = EsTester.create();
   @Rule
-  public UserSessionRule userSession = UserSessionRule.standalone();
+  public UserSessionRule userSession = UserSessionRule.standalone().logIn();
   private Server server = mock(Server.class);
   private IssueIndex issueIndex = new IssueIndex(es.client(), null, null, null);
   private IssueIndexSyncProgressChecker issueIndexSyncProgressChecker = mock(IssueIndexSyncProgressChecker.class);
@@ -106,8 +107,8 @@ public class SearchEventsActionTest {
 
   @Test
   public void json_example() {
-    userSession.logIn().setRoot();
     ComponentDto project = db.components().insertPrivateProject(p -> p.setName("My Project").setDbKey(KeyExamples.KEY_PROJECT_EXAMPLE_001));
+    userSession.addProjectPermission(USER, project);
     SnapshotDto analysis = insertAnalysis(project, 1_500_000_000_000L);
     EventDto e1 = db.events().insertEvent(newQualityGateEvent(analysis).setName("Failed").setDate(analysis.getCreatedAt()));
     IntStream.range(0, 15).forEach(x -> insertIssue(project, analysis));
@@ -124,9 +125,9 @@ public class SearchEventsActionTest {
 
   @Test
   public void events() {
-    userSession.logIn().setRoot();
     when(server.getPublicRootUrl()).thenReturn("https://sonarcloud.io");
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     ComponentDto branch = db.components().insertProjectBranch(project);
     SnapshotDto projectAnalysis = insertAnalysis(project, 1_500_000_000_000L);
     db.events().insertEvent(newQualityGateEvent(projectAnalysis).setDate(projectAnalysis.getCreatedAt()).setName("Passed"));
@@ -154,8 +155,8 @@ public class SearchEventsActionTest {
 
   @Test
   public void does_not_return_old_events() {
-    userSession.logIn().setRoot();
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     SnapshotDto analysis = insertAnalysis(project, 1_500_000_000_000L);
     insertIssue(project, analysis);
     db.events().insertEvent(newQualityGateEvent(analysis).setDate(analysis.getCreatedAt()).setName("Passed"));
@@ -178,8 +179,6 @@ public class SearchEventsActionTest {
 
   @Test
   public void empty_response_for_empty_list_of_projects() {
-    userSession.logIn().setRoot();
-
     SearchEventsWsResponse result = ws.newRequest()
       .setParam(PARAM_PROJECTS, "")
       .setParam(PARAM_FROM, "")
@@ -190,14 +189,12 @@ public class SearchEventsActionTest {
 
   @Test
   public void does_not_return_events_of_project_for_which_the_current_user_has_no_browse_permission() {
-    userSession.logIn();
-
     ComponentDto project1 = db.components().insertPrivateProject();
     userSession.addProjectPermission(UserRole.CODEVIEWER, project1);
     userSession.addProjectPermission(UserRole.ISSUE_ADMIN, project1);
 
     ComponentDto project2 = db.components().insertPrivateProject();
-    userSession.addProjectPermission(UserRole.USER, project2);
+    userSession.addProjectPermission(USER, project2);
 
     SnapshotDto a1 = insertAnalysis(project1, 1_500_000_000_000L);
     EventDto e1 = db.events().insertEvent(newQualityGateEvent(a1).setDate(a1.getCreatedAt()));
@@ -222,8 +219,6 @@ public class SearchEventsActionTest {
 
   @Test
   public void empty_response_if_project_key_is_unknown() {
-    userSession.logIn().setRoot();
-
     long from = 1_500_000_000_000L;
     SearchEventsWsResponse result = ws.newRequest()
       .setParam(PARAM_PROJECTS, "unknown")
@@ -249,8 +244,6 @@ public class SearchEventsActionTest {
 
   @Test
   public void fail_if_date_format_is_not_valid() {
-    userSession.logIn().setRoot();
-
     assertThatThrownBy(() -> {
       ws.newRequest()
         .setParam(PARAM_PROJECTS, "foo")
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/measure/ws/ComponentActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/measure/ws/ComponentActionTest.java
index 6c00b2512ef..c7d69683615 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/measure/ws/ComponentActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/measure/ws/ComponentActionTest.java
@@ -25,7 +25,6 @@ import org.junit.Test;
 import org.sonar.api.server.ws.WebService;
 import org.sonar.api.server.ws.WebService.Param;
 import org.sonar.api.utils.System2;
-import org.sonar.api.web.UserRole;
 import org.sonar.db.DbTester;
 import org.sonar.db.component.ComponentDto;
 import org.sonar.db.component.SnapshotDto;
@@ -88,7 +87,7 @@ public class ComponentActionTest {
   @Test
   public void provided_project() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.addProjectPermission(UserRole.USER, project);
+    userSession.addProjectPermission(USER, project);
     MetricDto metric = db.measures().insertMetric(m -> m.setValueType("INT"));
 
     ComponentWsResponse response = newRequest(project.getKey(), metric.getKey());
@@ -102,7 +101,7 @@ public class ComponentActionTest {
   @Test
   public void without_additional_fields() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.addProjectPermission(UserRole.USER, project);
+    userSession.addProjectPermission(USER, project);
     db.components().insertSnapshot(project);
     MetricDto metric = db.measures().insertMetric(m -> m.setValueType("INT"));
 
@@ -119,7 +118,7 @@ public class ComponentActionTest {
   @Test
   public void branch() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.addProjectPermission(UserRole.USER, project);
+    userSession.addProjectPermission(USER, project);
     ComponentDto branch = db.components().insertProjectBranch(project, b -> b.setKey("my_branch"));
     SnapshotDto analysis = db.components().insertSnapshot(branch);
     ComponentDto file = db.components().insertComponent(newFileDto(branch));
@@ -142,7 +141,7 @@ public class ComponentActionTest {
   @Test
   public void pull_request() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.addProjectPermission(UserRole.USER, project);
+    userSession.addProjectPermission(USER, project);
     ComponentDto branch = db.components().insertProjectBranch(project, b -> b.setKey("pr-123").setBranchType(PULL_REQUEST));
     SnapshotDto analysis = db.components().insertSnapshot(branch);
     ComponentDto file = db.components().insertComponent(newFileDto(branch));
@@ -165,7 +164,7 @@ public class ComponentActionTest {
   @Test
   public void new_issue_count_measures_are_transformed_in_pr() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.addProjectPermission(UserRole.USER, project);
+    userSession.addProjectPermission(USER, project);
     ComponentDto branch = db.components().insertProjectBranch(project, b -> b.setKey("pr-123").setBranchType(PULL_REQUEST));
     SnapshotDto analysis = db.components().insertSnapshot(branch);
     ComponentDto file = db.components().insertComponent(newFileDto(branch));
@@ -203,7 +202,7 @@ public class ComponentActionTest {
   @Test
   public void new_issue_count_measures_are_not_transformed_if_they_dont_exist_in_pr() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.addProjectPermission(UserRole.USER, project);
+    userSession.addProjectPermission(USER, project);
     ComponentDto branch = db.components().insertProjectBranch(project, b -> b.setKey("pr-123").setBranchType(PULL_REQUEST));
     SnapshotDto analysis = db.components().insertSnapshot(branch);
     ComponentDto file = db.components().insertComponent(newFileDto(branch));
@@ -224,9 +223,9 @@ public class ComponentActionTest {
 
   @Test
   public void reference_key_in_the_response() {
-    userSession.logIn().setRoot();
     ComponentDto project = db.components().insertPrivateProject();
     ComponentDto view = db.components().insertPrivatePortfolio();
+    userSession.addProjectPermission(USER, view);
     db.components().insertSnapshot(view);
     ComponentDto projectCopy = db.components().insertComponent(newProjectCopy("project-uuid-copy", project, view));
     MetricDto metric = db.measures().insertMetric(m -> m.setValueType("INT"));
@@ -239,7 +238,7 @@ public class ComponentActionTest {
   @Test
   public void use_deprecated_component_id_parameter() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.addProjectPermission(UserRole.USER, project);
+    userSession.addProjectPermission(USER, project);
     userSession.addProjectPermission(USER, project);
     MetricDto metric = db.measures().insertMetric(m -> m.setValueType("INT"));
 
@@ -254,7 +253,7 @@ public class ComponentActionTest {
   @Test
   public void metric_without_a_domain() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.addProjectPermission(UserRole.USER, project);
+    userSession.addProjectPermission(USER, project);
     MetricDto metricWithoutDomain = db.measures().insertMetric(m -> m
       .setValueType("INT")
       .setDomain(null));
@@ -276,7 +275,7 @@ public class ComponentActionTest {
   public void use_best_values() {
     ComponentDto project = db.components().insertPrivateProject();
     ComponentDto file = db.components().insertComponent(newFileDto(project));
-    userSession.addProjectPermission(UserRole.USER, project);
+    userSession.addProjectPermission(USER, project);
     MetricDto metric = db.measures().insertMetric(m -> m
       .setValueType("INT")
       .setBestValue(7.0d)
@@ -297,7 +296,7 @@ public class ComponentActionTest {
   @Test
   public void fail_when_a_metric_is_not_found() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.addProjectPermission(UserRole.USER, project);
+    userSession.addProjectPermission(USER, project);
     db.components().insertSnapshot(project);
     db.measures().insertMetric(m -> m.setKey("ncloc").setValueType("INT"));
     db.measures().insertMetric(m -> m.setKey("complexity").setValueType("INT"));
@@ -310,7 +309,7 @@ public class ComponentActionTest {
   @Test
   public void fail_when_empty_metric_keys_parameter() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.addProjectPermission(UserRole.USER, project);
+    userSession.addProjectPermission(USER, project);
     db.components().insertSnapshot(project);
 
     assertThatThrownBy(() -> newRequest(project.getKey(), ""))
@@ -346,7 +345,7 @@ public class ComponentActionTest {
   @Test
   public void fail_when_component_is_removed() {
     ComponentDto project = db.components().insertPrivateProject(p -> p.setEnabled(false));
-    userSession.addProjectPermission(UserRole.USER, project);
+    userSession.addProjectPermission(USER, project);
     userSession.addProjectPermission(USER, project);
     MetricDto metric = db.measures().insertMetric(m -> m.setValueType("INT"));
 
@@ -364,7 +363,7 @@ public class ComponentActionTest {
   public void fail_if_branch_does_not_exist() {
     ComponentDto project = db.components().insertPrivateProject();
     ComponentDto file = db.components().insertComponent(newFileDto(project));
-    userSession.addProjectPermission(UserRole.USER, project);
+    userSession.addProjectPermission(USER, project);
     db.components().insertProjectBranch(project, b -> b.setKey("my_branch"));
 
     assertThatThrownBy(() -> {
@@ -381,7 +380,7 @@ public class ComponentActionTest {
   @Test
   public void fail_when_using_branch_db_key() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.logIn().addProjectPermission(UserRole.USER, project);
+    userSession.logIn().addProjectPermission(USER, project);
     ComponentDto branch = db.components().insertProjectBranch(project);
     MetricDto metric = db.measures().insertMetric(m -> m.setValueType("INT"));
 
@@ -398,7 +397,7 @@ public class ComponentActionTest {
   @Test
   public void json_example() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.addProjectPermission(UserRole.USER, project);
+    userSession.addProjectPermission(USER, project);
     SnapshotDto analysis = db.components().insertSnapshot(project,
       s -> s.setPeriodDate(parseDateTime("2016-01-11T10:49:50+0100").getTime())
         .setPeriodMode("previous_version")
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/measure/ws/ComponentTreeActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/measure/ws/ComponentTreeActionTest.java
index c2b5a071aaa..70aa1394b4e 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/measure/ws/ComponentTreeActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/measure/ws/ComponentTreeActionTest.java
@@ -28,7 +28,6 @@ import org.sonar.api.measures.CoreMetrics;
 import org.sonar.api.measures.Metric;
 import org.sonar.api.server.ws.WebService.Param;
 import org.sonar.api.utils.System2;
-import org.sonar.api.web.UserRole;
 import org.sonar.core.util.stream.MoreCollectors;
 import org.sonar.db.DbClient;
 import org.sonar.db.DbSession;
@@ -69,6 +68,7 @@ import static org.sonar.api.resources.Qualifiers.PROJECT;
 import static org.sonar.api.resources.Qualifiers.UNIT_TEST_FILE;
 import static org.sonar.api.server.ws.WebService.Param.SORT;
 import static org.sonar.api.utils.DateUtils.parseDateTime;
+import static org.sonar.api.web.UserRole.USER;
 import static org.sonar.db.component.BranchType.PULL_REQUEST;
 import static org.sonar.db.component.ComponentDbTester.toProjectDto;
 import static org.sonar.db.component.ComponentTesting.newDirectory;
@@ -98,7 +98,7 @@ import static org.sonarqube.ws.Measures.Measure;
 
 public class ComponentTreeActionTest {
   @Rule
-  public UserSessionRule userSession = UserSessionRule.standalone().logIn().setRoot();
+  public UserSessionRule userSession = UserSessionRule.standalone().logIn();
   @Rule
   public DbTester db = DbTester.create(System2.INSTANCE);
 
@@ -118,6 +118,7 @@ public class ComponentTreeActionTest {
   public void json_example() {
     ComponentDto project = db.components().insertPrivateProject(p -> p.setDbKey("MY_PROJECT")
       .setName("My Project"));
+    userSession.addProjectPermission(USER, project);
     SnapshotDto analysis = db.components().insertSnapshot(project, s -> s.setPeriodDate(parseDateTime("2016-01-11T10:49:50+0100").getTime())
       .setPeriodMode("previous_version")
       .setPeriodParam("1.0-SNAPSHOT"));
@@ -170,6 +171,7 @@ public class ComponentTreeActionTest {
   @Test
   public void empty_response() {
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
 
     ComponentTreeWsResponse response = ws.newRequest()
       .setParam(PARAM_COMPONENT, project.getKey())
@@ -191,7 +193,7 @@ public class ComponentTreeActionTest {
         .setPeriodDate(System.currentTimeMillis())
         .setPeriodMode("last_version")
         .setPeriodDate(System.currentTimeMillis()));
-    userSession.anonymous().addProjectPermission(UserRole.USER, project);
+    userSession.anonymous().addProjectPermission(USER, project);
     ComponentDto directory = newDirectory(project, "directory-uuid", "path/to/directory").setName("directory-1");
     db.components().insertComponent(directory);
     ComponentDto file = newFileDto(directory, null, "file-uuid").setName("file-1");
@@ -222,7 +224,7 @@ public class ComponentTreeActionTest {
   public void load_measures_with_best_value() {
     ComponentDto project = db.components().insertPrivateProject();
     SnapshotDto projectSnapshot = db.components().insertSnapshot(project);
-    userSession.anonymous().addProjectPermission(UserRole.USER, project);
+    userSession.anonymous().addProjectPermission(USER, project);
     ComponentDto directory = newDirectory(project, "directory-uuid", "path/to/directory").setName("directory-1");
     db.components().insertComponent(directory);
     ComponentDto file = newFileDto(directory, null, "file-uuid").setName("file-1");
@@ -268,7 +270,7 @@ public class ComponentTreeActionTest {
   public void return_is_best_value_on_leak_measures() {
     ComponentDto project = db.components().insertPrivateProject();
     db.components().insertSnapshot(project);
-    userSession.anonymous().addProjectPermission(UserRole.USER, project);
+    userSession.anonymous().addProjectPermission(USER, project);
     ComponentDto file = newFileDto(project, null);
     db.components().insertComponent(file);
 
@@ -315,7 +317,7 @@ public class ComponentTreeActionTest {
   @Test
   public void use_best_value_for_rating() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.anonymous().addProjectPermission(UserRole.USER, project);
+    userSession.anonymous().addProjectPermission(USER, project);
     SnapshotDto projectSnapshot = dbClient.snapshotDao().insert(dbSession, newAnalysis(project)
       .setPeriodDate(parseDateTime("2016-01-11T10:49:50+0100").getTime())
       .setPeriodMode("previous_version")
@@ -349,6 +351,7 @@ public class ComponentTreeActionTest {
   @Test
   public void load_measures_multi_sort_with_metric_key_and_paginated() {
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     SnapshotDto projectSnapshot = db.components().insertSnapshot(project);
     ComponentDto file9 = db.components().insertComponent(newFileDto(project, null, "file-uuid-9").setName("file-1").setDbKey("file-9-key"));
     ComponentDto file8 = db.components().insertComponent(newFileDto(project, null, "file-uuid-8").setName("file-1").setDbKey("file-8-key"));
@@ -391,6 +394,7 @@ public class ComponentTreeActionTest {
   @Test
   public void sort_by_metric_value() {
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     SnapshotDto projectSnapshot = db.components().insertSnapshot(project);
     ComponentDto file4 = db.components().insertComponent(newFileDto(project, null, "file-uuid-4").setDbKey("file-4-key"));
     ComponentDto file3 = db.components().insertComponent(newFileDto(project, null, "file-uuid-3").setDbKey("file-3-key"));
@@ -417,6 +421,7 @@ public class ComponentTreeActionTest {
   @Test
   public void remove_components_without_measure_on_the_metric_sort() {
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     SnapshotDto projectSnapshot = db.components().insertSnapshot(project);
     ComponentDto file1 = newFileDto(project, null, "file-uuid-1").setDbKey("file-1-key");
     ComponentDto file2 = newFileDto(project, null, "file-uuid-2").setDbKey("file-2-key");
@@ -452,6 +457,7 @@ public class ComponentTreeActionTest {
   @Test
   public void sort_by_metric_period() {
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     SnapshotDto projectSnapshot = db.components().insertSnapshot(project);
     ComponentDto file3 = db.components().insertComponent(newFileDto(project, null, "file-uuid-3").setDbKey("file-3-key"));
     ComponentDto file1 = db.components().insertComponent(newFileDto(project, null, "file-uuid-1").setDbKey("file-1-key"));
@@ -477,6 +483,7 @@ public class ComponentTreeActionTest {
   @Test
   public void remove_components_without_measure_on_the_metric_period_sort() {
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     SnapshotDto projectSnapshot = db.components().insertSnapshot(project);
     ComponentDto file4 = db.components().insertComponent(newFileDto(project, null, "file-uuid-4").setDbKey("file-4-key"));
     ComponentDto file3 = db.components().insertComponent(newFileDto(project, null, "file-uuid-3").setDbKey("file-3-key"));
@@ -509,6 +516,7 @@ public class ComponentTreeActionTest {
   public void load_measures_when_no_leave_qualifier() {
     resourceTypes.setLeavesQualifiers();
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     db.components().insertSnapshot(project);
     db.components().insertComponent(newFileDto(project, null));
     insertNclocMetric();
@@ -526,6 +534,7 @@ public class ComponentTreeActionTest {
   @Test
   public void branch() {
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     ComponentDto branch = db.components().insertProjectBranch(project, b -> b.setKey("my_branch"));
     SnapshotDto analysis = db.components().insertSnapshot(branch);
     ComponentDto file = db.components().insertComponent(newFileDto(branch));
@@ -548,6 +557,7 @@ public class ComponentTreeActionTest {
   @Test
   public void pull_request() {
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     ComponentDto branch = db.components().insertProjectBranch(project, b -> b.setKey("pr-123").setBranchType(PULL_REQUEST));
     SnapshotDto analysis = db.components().insertSnapshot(branch);
     ComponentDto file = db.components().insertComponent(newFileDto(branch));
@@ -570,6 +580,7 @@ public class ComponentTreeActionTest {
   @Test
   public void fix_pull_request_new_issue_count_metrics() {
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     ComponentDto branch = db.components().insertProjectBranch(project, b -> b.setKey("pr-123").setBranchType(PULL_REQUEST));
     SnapshotDto analysis = db.components().insertSnapshot(branch);
     ComponentDto file = db.components().insertComponent(newFileDto(branch));
@@ -598,6 +609,7 @@ public class ComponentTreeActionTest {
   @Test
   public void new_issue_count_measures_are_not_transformed_if_they_dont_exist_in_pr() {
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     ComponentDto pr = db.components().insertProjectBranch(project, b -> b.setKey("pr").setBranchType(PULL_REQUEST));
     SnapshotDto analysis = db.components().insertSnapshot(pr);
     ComponentDto file = db.components().insertComponent(newFileDto(pr));
@@ -619,6 +631,7 @@ public class ComponentTreeActionTest {
   @Test
   public void metric_without_a_domain() {
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     SnapshotDto analysis = db.getDbClient().snapshotDao().insert(dbSession, newAnalysis(project));
     MetricDto metricWithoutDomain = db.measures().insertMetric(m -> m
       .setValueType(Metric.ValueType.INT.name())
@@ -640,7 +653,9 @@ public class ComponentTreeActionTest {
   @Test
   public void project_reference_from_portfolio() {
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     ComponentDto view = db.components().insertPrivatePortfolio();
+    userSession.addProjectPermission(USER, view);
     SnapshotDto viewAnalysis = db.components().insertSnapshot(view);
     ComponentDto projectCopy = db.components().insertComponent(newProjectCopy(project, view));
     MetricDto ncloc = insertNclocMetric();
@@ -658,8 +673,11 @@ public class ComponentTreeActionTest {
 
   @Test
   public void portfolio_local_reference_in_portfolio() {
-    ComponentDto view = db.components().insertComponent(ComponentTesting.newPortfolio("VIEW1-UUID").setDbKey("Apache-Projects").setName("Apache Projects"));
+    ComponentDto view = db.components().insertComponent(ComponentTesting.newPortfolio("VIEW1-UUID")
+      .setDbKey("Apache-Projects").setName("Apache Projects"));
+    userSession.registerComponents(view);
     ComponentDto view2 = db.components().insertPrivatePortfolio();
+    userSession.addProjectPermission(USER, view2);
     ComponentDto localView = db.components().insertComponent(
       ComponentTesting.newSubPortfolio(view, "SUB-VIEW-UUID", "All-Projects").setName("All projects").setCopyComponentUuid(view2.uuid()));
     db.components().insertSnapshot(view);
@@ -678,8 +696,12 @@ public class ComponentTreeActionTest {
 
   @Test
   public void application_local_reference_in_portfolio() {
-    ComponentDto view = db.components().insertComponent(ComponentTesting.newPortfolio("VIEW1-UUID").setDbKey("Apache-Projects").setName("Apache Projects"));
+    ComponentDto apache_projects = ComponentTesting.newPortfolio("VIEW1-UUID")
+      .setDbKey("Apache-Projects").setName("Apache Projects").setPrivate(true);
+    userSession.addProjectPermission(USER, apache_projects);
+    ComponentDto view = db.components().insertComponent(apache_projects);
     ComponentDto application = db.components().insertPrivateApplication();
+    userSession.addProjectPermission(USER, application);
     ComponentDto localView = db.components().insertComponent(
       ComponentTesting.newSubPortfolio(view, "SUB-VIEW-UUID", "All-Projects").setName("All projects").setCopyComponentUuid(application.uuid()));
     db.components().insertSnapshot(view);
@@ -700,7 +722,8 @@ public class ComponentTreeActionTest {
   public void project_branch_reference_from_application_branch() {
     MetricDto ncloc = insertNclocMetric();
     ComponentDto application = db.components().insertPublicProject(c -> c.setQualifier(APP).setDbKey("app-key"));
-    ComponentDto applicationBranch = db.components().insertProjectBranch(application, a -> a.setKey("app-branch"));
+    userSession.registerApplication(application);
+    ComponentDto applicationBranch = db.components().insertProjectBranch(application, a -> a.setKey("app-branch"), a -> a.setUuid("custom-uuid"));
     ComponentDto project = db.components().insertPrivateProject(p -> p.setDbKey("project-key"));
     ComponentDto projectBranch = db.components().insertProjectBranch(project, b -> b.setKey("project-branch"));
     ComponentDto techProjectBranch = db.components().insertComponent(newProjectCopy(projectBranch, applicationBranch)
@@ -741,6 +764,7 @@ public class ComponentTreeActionTest {
   @Test
   public void fail_when_a_metric_is_not_found() {
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     db.components().insertSnapshot(project);
     insertNclocMetric();
     insertNewViolationsMetric();
@@ -757,6 +781,7 @@ public class ComponentTreeActionTest {
   @Test
   public void fail_when_using_DISTRIB_metrics() {
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     db.components().insertSnapshot(project);
     dbClient.metricDao().insert(dbSession, newMetricDto().setKey("distrib1").setValueType(DISTRIB.name()));
     dbClient.metricDao().insert(dbSession, newMetricDto().setKey("distrib2").setValueType(DISTRIB.name()));
@@ -775,6 +800,7 @@ public class ComponentTreeActionTest {
   @Test
   public void fail_when_using_DATA_metrics() {
     ComponentDto project = db.components().insertPrivateProject();
+    userSession.addProjectPermission(USER, project);
     db.components().insertSnapshot(project);
 
     dbClient.metricDao().insert(dbSession, newMetricDto().setKey("data1").setValueType(DISTRIB.name()));
@@ -854,7 +880,7 @@ public class ComponentTreeActionTest {
       toProjectDto(project1, 1L),
       toProjectDto(project2, 1L));
 
-    userSession.addProjectPermission(UserRole.USER, app, project1);
+    userSession.addProjectPermission(USER, app, project1);
 
     var request = ws.newRequest()
       .setParam(PARAM_COMPONENT, app.getKey())
@@ -968,7 +994,7 @@ public class ComponentTreeActionTest {
     ComponentDto project = db.components().insertPrivateProject();
     db.components().insertSnapshot(project);
     ComponentDto file = db.components().insertComponent(newFileDto(project).setDbKey("file-key").setEnabled(false));
-    userSession.anonymous().addProjectPermission(UserRole.USER, project);
+    userSession.anonymous().addProjectPermission(USER, project);
     insertNclocMetric();
 
     assertThatThrownBy(() -> {
@@ -985,7 +1011,7 @@ public class ComponentTreeActionTest {
   public void fail_if_branch_does_not_exist() {
     ComponentDto project = db.components().insertPrivateProject();
     ComponentDto file = db.components().insertComponent(newFileDto(project));
-    userSession.addProjectPermission(UserRole.USER, project);
+    userSession.addProjectPermission(USER, project);
     db.components().insertProjectBranch(project, b -> b.setKey("my_branch"));
 
     assertThatThrownBy(() -> {
@@ -1002,7 +1028,7 @@ public class ComponentTreeActionTest {
   @Test
   public void fail_when_using_branch_db_key() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.logIn().addProjectPermission(UserRole.USER, project);
+    userSession.logIn().addProjectPermission(USER, project);
     ComponentDto branch = db.components().insertProjectBranch(project);
     insertNclocMetric();
 
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/measure/ws/SearchActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/measure/ws/SearchActionTest.java
index 1eb1e1d9e9b..9ed94cbaeba 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/measure/ws/SearchActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/measure/ws/SearchActionTest.java
@@ -250,21 +250,6 @@ public class SearchActionTest {
     assertThat(result.getMeasuresList()).extracting(Measure::getComponent).containsOnly(project1.getDbKey());
   }
 
-  @Test
-  public void do_not_verify_permissions_if_user_is_root() {
-    MetricDto metric = db.measures().insertMetric(m -> m.setValueType(FLOAT.name()));
-    ComponentDto project1 = db.components().insertPrivateProject();
-    db.measures().insertLiveMeasure(project1, metric, m -> m.setValue(15.5d));
-
-    userSession.setNonRoot();
-    SearchWsResponse result = call(singletonList(project1.getDbKey()), singletonList(metric.getKey()));
-    assertThat(result.getMeasuresCount()).isZero();
-
-    userSession.setRoot();
-    result = call(singletonList(project1.getDbKey()), singletonList(metric.getKey()));
-    assertThat(result.getMeasuresCount()).isOne();
-  }
-
   @Test
   public void does_not_return_branch_when_using_db_key() {
     MetricDto coverage = db.measures().insertMetric(m -> m.setValueType(FLOAT.name()));
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/notification/ws/AddActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/notification/ws/AddActionTest.java
index c1684b53257..6008edc1024 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/notification/ws/AddActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/notification/ws/AddActionTest.java
@@ -329,7 +329,7 @@ public class AddActionTest {
   @Test
   public void fail_when_user_does_not_have_USER_permission_on_private_project() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.logIn().setNonRoot().setNonSystemAdministrator();
+    userSession.logIn().setNonSystemAdministrator();
     when(dispatchers.getGlobalDispatchers()).thenReturn(singletonList(NOTIF_MY_NEW_ISSUES));
     when(dispatchers.getProjectDispatchers()).thenReturn(singletonList(NOTIF_MY_NEW_ISSUES));
 
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/project/ws/BulkDeleteActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/project/ws/BulkDeleteActionTest.java
index a8c52706391..a4cbce31c8a 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/project/ws/BulkDeleteActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/project/ws/BulkDeleteActionTest.java
@@ -70,7 +70,7 @@ public class BulkDeleteActionTest {
   @Rule
   public final DbTester db = DbTester.create(System2.INSTANCE);
   @Rule
-  public final UserSessionRule userSession = UserSessionRule.standalone();
+  public final UserSessionRule userSession = UserSessionRule.standalone().logIn();
 
   private final ComponentCleanerService componentCleanerService = mock(ComponentCleanerService.class);
   private final DbClient dbClient = db.getDbClient();
@@ -81,7 +81,7 @@ public class BulkDeleteActionTest {
 
   @Test
   public void delete_projects() {
-    userSession.logIn().setRoot();
+    userSession.addPermission(ADMINISTER);
     ComponentDto project1ToDelete = db.components().insertPrivateProject();
     ComponentDto project2ToDelete = db.components().insertPrivateProject();
     ComponentDto toKeep = db.components().insertPrivateProject();
@@ -98,7 +98,7 @@ public class BulkDeleteActionTest {
 
   @Test
   public void delete_projects_by_keys() {
-    userSession.logIn().setRoot();
+    userSession.addPermission(ADMINISTER);
     ComponentDto toDeleteInOrg1 = db.components().insertPrivateProject();
     ComponentDto toDeleteInOrg2 = db.components().insertPrivateProject();
     ComponentDto toKeep = db.components().insertPrivateProject();
@@ -113,8 +113,8 @@ public class BulkDeleteActionTest {
 
   @Test
   public void throw_IllegalArgumentException_if_request_without_any_parameters() {
-    userSession.logIn().setRoot();
-    db.components().insertPrivateProject();
+    userSession.addPermission(ADMINISTER);
+    ComponentDto project = db.components().insertPrivateProject();
 
     try {
       TestRequest request = ws.newRequest();
@@ -129,7 +129,7 @@ public class BulkDeleteActionTest {
 
   @Test
   public void projects_that_dont_exist_are_ignored_and_dont_break_bulk_deletion() {
-    userSession.logIn().setRoot();
+    userSession.addPermission(ADMINISTER);
     ComponentDto toDelete1 = db.components().insertPrivateProject();
     ComponentDto toDelete2 = db.components().insertPrivateProject();
 
@@ -273,6 +273,7 @@ public class BulkDeleteActionTest {
 
   @Test
   public void throw_UnauthorizedException_if_not_logged_in() {
+    userSession.anonymous();
     TestRequest request = ws.newRequest().setParam("ids", "whatever-the-uuid");
     assertThatThrownBy(request::execute)
       .isInstanceOf(UnauthorizedException.class)
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/projectanalysis/ws/DeleteActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/projectanalysis/ws/DeleteActionTest.java
index da3bac1d594..3d6e5992183 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/projectanalysis/ws/DeleteActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/projectanalysis/ws/DeleteActionTest.java
@@ -110,7 +110,7 @@ public class DeleteActionTest {
 
   @Test
   public void fail_when_analysis_not_found() {
-    userSession.logIn().setRoot();
+    userSession.logIn().setSystemAdministrator();
 
     assertThatThrownBy(() -> call("A42"))
       .isInstanceOf(NotFoundException.class)
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/projectlink/ws/SearchActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/projectlink/ws/SearchActionTest.java
index 1e6f341fcde..efdb8b69068 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/projectlink/ws/SearchActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/projectlink/ws/SearchActionTest.java
@@ -23,7 +23,6 @@ import org.junit.Rule;
 import org.junit.Test;
 import org.sonar.api.server.ws.WebService;
 import org.sonar.api.utils.System2;
-import org.sonar.api.web.UserRole;
 import org.sonar.db.DbClient;
 import org.sonar.db.DbTester;
 import org.sonar.db.component.ComponentDto;
@@ -41,6 +40,8 @@ import static java.lang.String.format;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.assertj.core.api.Assertions.tuple;
+import static org.sonar.api.web.UserRole.ADMIN;
+import static org.sonar.api.web.UserRole.USER;
 import static org.sonar.server.projectlink.ws.ProjectLinksWsParameters.PARAM_PROJECT_ID;
 import static org.sonar.server.projectlink.ws.ProjectLinksWsParameters.PARAM_PROJECT_KEY;
 import static org.sonar.test.JsonAssert.assertJson;
@@ -117,7 +118,8 @@ public class SearchActionTest {
     ComponentDto project2 = db.components().insertPrivateProject();
     ProjectLinkDto link1 = db.componentLinks().insertCustomLink(project1);
     ProjectLinkDto link2 = db.componentLinks().insertCustomLink(project2);
-    userSession.logIn().setRoot();
+    userSession.addProjectPermission(USER, project1);
+    userSession.addProjectPermission(USER, project2);
 
     SearchWsResponse response = callByKey(project1.getKey());
 
@@ -143,7 +145,7 @@ public class SearchActionTest {
   public void project_administrator_can_search_for_links() {
     ComponentDto project = db.components().insertPrivateProject();
     ProjectLinkDto link = db.componentLinks().insertCustomLink(project);
-    userSession.logIn().addProjectPermission(UserRole.ADMIN, project);
+    logInAsProjectAdministrator(project);
 
     SearchWsResponse response = callByKey(project.getKey());
 
@@ -156,7 +158,7 @@ public class SearchActionTest {
   public void project_user_can_search_for_links() {
     ComponentDto project = db.components().insertPrivateProject();
     ProjectLinkDto link = db.componentLinks().insertCustomLink(project);
-    userSession.logIn().addProjectPermission(UserRole.USER, project);
+    userSession.logIn().addProjectPermission(USER, project);
 
     SearchWsResponse response = callByKey(project.getKey());
 
@@ -237,7 +239,7 @@ public class SearchActionTest {
   @Test
   public void fail_when_using_branch_db_key() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.logIn().addProjectPermission(UserRole.USER, project);
+    userSession.logIn().addProjectPermission(USER, project);
     ComponentDto branch = db.components().insertProjectBranch(project);
 
     assertThatThrownBy(() -> ws.newRequest()
@@ -250,7 +252,7 @@ public class SearchActionTest {
   @Test
   public void fail_when_using_branch_db_uuid() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.logIn().addProjectPermission(UserRole.USER, project);
+    userSession.logIn().addProjectPermission(USER, project);
     ComponentDto branch = db.components().insertProjectBranch(project);
 
     assertThatThrownBy(() -> ws.newRequest()
@@ -283,11 +285,11 @@ public class SearchActionTest {
   }
 
   private void logInAsProjectAdministrator(ComponentDto project) {
-    userSession.logIn().addProjectPermission(UserRole.ADMIN, project);
+    userSession.logIn().addProjectPermission(ADMIN, project);
   }
 
   private void failIfNotAProjectWithKey(ComponentDto root, ComponentDto component) {
-    userSession.logIn().addProjectPermission(UserRole.ADMIN, root);
+    userSession.logIn().addProjectPermission(USER, root);
 
     assertThatThrownBy(() -> ws.newRequest()
       .setParam(PARAM_PROJECT_KEY, component.getDbKey())
@@ -297,7 +299,7 @@ public class SearchActionTest {
   }
 
   private void failIfNotAProjectWithUuid(ComponentDto root, ComponentDto component) {
-    userSession.logIn().addProjectPermission(UserRole.ADMIN, root);
+    userSession.logIn().addProjectPermission(USER, root);
 
     assertThatThrownBy(() -> ws.newRequest()
       .setParam(PARAM_PROJECT_ID, component.uuid())
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/projecttag/ws/SetActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/projecttag/ws/SetActionTest.java
index 04025e29c4d..902cebb7c18 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/projecttag/ws/SetActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/projecttag/ws/SetActionTest.java
@@ -25,7 +25,6 @@ import org.junit.Rule;
 import org.junit.Test;
 import org.sonar.api.server.ws.WebService;
 import org.sonar.api.utils.System2;
-import org.sonar.api.web.UserRole;
 import org.sonar.db.DbClient;
 import org.sonar.db.DbSession;
 import org.sonar.db.DbTester;
@@ -47,12 +46,14 @@ import static java.net.HttpURLConnection.HTTP_NO_CONTENT;
 import static java.util.Optional.ofNullable;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.sonar.api.web.UserRole.ADMIN;
+import static org.sonar.api.web.UserRole.USER;
 import static org.sonar.db.component.ComponentTesting.newFileDto;
 import static org.sonar.db.component.ComponentTesting.newModuleDto;
 
 public class SetActionTest {
   @Rule
-  public UserSessionRule userSession = UserSessionRule.standalone().logIn().setRoot();
+  public UserSessionRule userSession = UserSessionRule.standalone().logIn();
   @Rule
   public DbTester db = DbTester.create();
 
@@ -69,6 +70,7 @@ public class SetActionTest {
   @Before
   public void setUp() {
     project = db.components().insertPrivateProjectDto();
+    userSession.addProjectPermission(ADMIN, project);
   }
 
   @Test
@@ -85,6 +87,7 @@ public class SetActionTest {
   public void reset_tags() {
     project = db.components().insertPrivateProjectDto(c -> {
     }, p -> p.setTagsString("platform,scanner"));
+    userSession.addProjectPermission(ADMIN, project);
 
     call(project.getKey(), "");
 
@@ -95,6 +98,7 @@ public class SetActionTest {
   public void override_existing_tags() {
     project = db.components().insertPrivateProjectDto(c -> {
     }, p -> p.setTagsString("marketing,languages"));
+    userSession.addProjectPermission(ADMIN, project);
 
     call(project.getKey(), "finance,offshore,platform");
 
@@ -103,7 +107,7 @@ public class SetActionTest {
 
   @Test
   public void set_tags_as_project_admin() {
-    userSession.logIn().addProjectPermission(UserRole.ADMIN, project);
+    userSession.logIn().addProjectPermission(ADMIN, project);
 
     call(project.getKey(), "platform, lambda");
 
@@ -127,7 +131,7 @@ public class SetActionTest {
 
   @Test
   public void fail_if_not_project_admin() {
-    userSession.logIn().addProjectPermission(UserRole.USER, project);
+    userSession.logIn().addProjectPermission(USER, project);
 
     String projectKey = project.getKey();
     assertThatThrownBy(() -> call(projectKey, "platform"))
@@ -182,7 +186,7 @@ public class SetActionTest {
   @Test
   public void fail_when_using_branch_db_key() {
     ComponentDto project = db.components().insertPrivateProject();
-    userSession.logIn().addProjectPermission(UserRole.USER, project);
+    userSession.logIn().addProjectPermission(USER, project);
     ComponentDto branch = db.components().insertProjectBranch(project);
 
     String branchDbKey = branch.getDbKey();
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/qualitygate/ws/SearchActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/qualitygate/ws/SearchActionTest.java
index a00eec31bfd..ba8c78aedf3 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/qualitygate/ws/SearchActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/qualitygate/ws/SearchActionTest.java
@@ -165,22 +165,6 @@ public class SearchActionTest {
       .doesNotContain(project2.name());
   }
 
-  @Test
-  public void root_user() {
-    QualityGateDto qualityGate = db.qualityGates().insertQualityGate();
-    ComponentDto project = db.components().insertPrivateProject();
-    userSession.logIn().setRoot();
-
-    SearchResponse response = ws.newRequest()
-      .setParam(PARAM_GATE_ID, valueOf(qualityGate.getUuid()))
-      .setParam(PARAM_SELECTED, ALL.value())
-      .executeProtobuf(SearchResponse.class);
-
-    assertThat(response.getResultsList())
-      .extracting(Result::getName)
-      .containsExactlyInAnyOrder(project.name());
-  }
-
   @Test
   public void test_paging() {
     QualityGateDto qualityGate = db.qualityGates().insertQualityGate();
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/qualityprofile/ws/QProfilesWsMediumTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/qualityprofile/ws/QProfilesWsMediumTest.java
index 8895000e638..8661d5b81ed 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/qualityprofile/ws/QProfilesWsMediumTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/qualityprofile/ws/QProfilesWsMediumTest.java
@@ -22,6 +22,7 @@ package org.sonar.server.qualityprofile.ws;
 import com.google.common.collect.ImmutableSet;
 import java.util.Collections;
 import java.util.Optional;
+import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.sonar.api.rule.RuleKey;
@@ -32,6 +33,7 @@ import org.sonar.api.utils.System2;
 import org.sonar.db.DbClient;
 import org.sonar.db.DbSession;
 import org.sonar.db.DbTester;
+import org.sonar.db.permission.GlobalPermission;
 import org.sonar.db.qualityprofile.ActiveRuleDto;
 import org.sonar.db.qualityprofile.ActiveRuleKey;
 import org.sonar.db.qualityprofile.QProfileDto;
@@ -70,8 +72,7 @@ import static org.sonarqube.ws.client.qualityprofile.QualityProfileWsParameters.
 public class QProfilesWsMediumTest {
 
   @Rule
-  public UserSessionRule userSessionRule = UserSessionRule.standalone()
-    .logIn().setRoot();
+  public UserSessionRule userSessionRule = UserSessionRule.standalone().logIn();
   @Rule
   public EsTester es = EsTester.create();
   @Rule
@@ -94,6 +95,13 @@ public class QProfilesWsMediumTest {
   private final WsActionTester wsActivateRule = new WsActionTester(new ActivateRuleAction(dbClient, qProfileRules, userSessionRule, qProfileWsSupport));
   private final WsActionTester wsActivateRules = new WsActionTester(new ActivateRulesAction(ruleQueryFactory, userSessionRule, qProfileRules, qProfileWsSupport, dbClient));
 
+  @Before
+  public void before(){
+    userSessionRule.logIn().setSystemAdministrator();
+    userSessionRule.addPermission(GlobalPermission.ADMINISTER);
+    userSessionRule.addPermission(GlobalPermission.ADMINISTER_QUALITY_PROFILES);
+  }
+
   @Test
   public void deactivate_rule() {
     QProfileDto profile = createProfile("java");
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/RootsWsTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/RootsWsTest.java
deleted file mode 100644
index 3e0b44f8a40..00000000000
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/RootsWsTest.java
+++ /dev/null
@@ -1,55 +0,0 @@
-/*
- * SonarQube
- * Copyright (C) 2009-2022 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- */
-package org.sonar.server.root.ws;
-
-import org.junit.Test;
-import org.sonar.api.server.ws.Request;
-import org.sonar.api.server.ws.Response;
-import org.sonar.api.server.ws.WebService;
-
-import static org.assertj.core.api.Assertions.assertThat;
-
-public class RootsWsTest {
-  private RootsWs underTest = new RootsWs(new DummyRootsWsAction());
-
-  @Test
-  public void verify_definition() {
-    WebService.Context context = new WebService.Context();
-
-    underTest.define(context);
-
-    assertThat(context.controllers()).hasSize(1);
-    WebService.Controller controller = context.controller("api/roots");
-    assertThat(controller.description()).isEqualTo("Manage root users");
-    assertThat(controller.since()).isEqualTo("6.2");
-  }
-
-  private static class DummyRootsWsAction implements RootsWsAction {
-    @Override
-    public void define(WebService.NewController context) {
-      context.createAction("ooo").setHandler(this);
-    }
-
-    @Override
-    public void handle(Request request, Response response) {
-
-    }
-  }
-}
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/SearchActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/SearchActionTest.java
deleted file mode 100644
index 98ef666acf4..00000000000
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/SearchActionTest.java
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- * SonarQube
- * Copyright (C) 2009-2022 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- */
-package org.sonar.server.root.ws;
-
-import java.util.List;
-import org.assertj.core.api.ThrowableAssert.ThrowingCallable;
-import org.junit.Rule;
-import org.junit.Test;
-import org.sonar.api.server.ws.WebService;
-import org.sonar.api.utils.System2;
-import org.sonar.db.DbSession;
-import org.sonar.db.DbTester;
-import org.sonar.db.user.UserDao;
-import org.sonar.db.user.UserDto;
-import org.sonar.db.user.UserTesting;
-import org.sonar.server.exceptions.ForbiddenException;
-import org.sonar.server.tester.UserSessionRule;
-import org.sonar.server.ws.TestResponse;
-import org.sonar.server.ws.WsActionTester;
-import org.sonarqube.ws.MediaTypes;
-import org.sonarqube.ws.Roots;
-
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.assertj.core.api.Assertions.assertThatThrownBy;
-import static org.sonar.test.JsonAssert.assertJson;
-
-public class SearchActionTest {
-
-  @Rule
-  public DbTester dbTester = DbTester.create(System2.INSTANCE);
-  @Rule
-  public UserSessionRule userSessionRule = UserSessionRule.standalone();
-
-  private UserDao userDao = dbTester.getDbClient().userDao();
-  private DbSession dbSession = dbTester.getSession();
-  private SearchAction underTest = new SearchAction(userSessionRule, dbTester.getDbClient());
-  private WsActionTester wsTester = new WsActionTester(underTest);
-
-  @Test
-  public void verify_definition() {
-    WebService.Action action = wsTester.getDef();
-    assertThat(action.key()).isEqualTo("search");
-    assertThat(action.isInternal()).isTrue();
-    assertThat(action.isPost()).isFalse();
-    assertThat(action.since()).isEqualTo("6.2");
-    assertThat(action.description()).isEqualTo("Search for root users.<br/>" +
-      "Requires to be root.");
-    assertThat(action.responseExample()).isNotNull();
-    assertThat(action.deprecatedKey()).isNull();
-    assertThat(action.deprecatedSince()).isNull();
-    assertThat(action.handler()).isSameAs(underTest);
-    assertThat(action.params()).isEmpty();
-  }
-
-  @Test
-  public void execute_fails_with_ForbiddenException_when_user_is_not_logged_in() {
-    expectInsufficientPrivilegesForbiddenException(() -> executeRequest());
-  }
-
-  @Test
-  public void execute_fails_with_ForbiddenException_when_user_is_not_root() {
-    userSessionRule.logIn().setNonRoot();
-
-    expectInsufficientPrivilegesForbiddenException(() -> executeRequest());
-  }
-
-  @Test
-  public void execute_returns_empty_list_of_root_when_DB_is_empty() {
-    logInAsRoot();
-
-    assertThat(executeRequest()).isEmpty();
-  }
-
-  @Test
-  public void test_response_example() {
-    logInAsRoot();
-    UserDto user = UserTesting.newUserDto().setLogin("daniel").setName("Daniel").setEmail("daniel@corp.com");
-    UserDto rootDto = userDao.insert(dbSession, user);
-    userDao.setRoot(dbSession, rootDto.getLogin(), true);
-    dbSession.commit();
-
-    TestResponse response = wsTester.newRequest().setMediaType(MediaTypes.JSON).execute();
-    assertJson(response.getInput()).isSimilarTo(wsTester.getDef().responseExampleAsString());
-  }
-
-  @Test
-  public void execute_succeeds_when_root_user_has_neither_email_nor_name() {
-    logInAsRoot();
-    UserDto rootDto = userDao.insert(dbSession, UserTesting.newUserDto().setName(null).setEmail(null));
-    userDao.setRoot(dbSession, rootDto.getLogin(), true);
-    dbSession.commit();
-
-    List<Roots.RootContent> roots = executeRequest();
-    assertThat(roots).hasSize(1);
-    Roots.RootContent root = roots.iterator().next();
-    assertThat(root.getLogin()).isEqualTo(rootDto.getLogin());
-    assertThat(root.hasName()).isFalse();
-    assertThat(root.hasEmail()).isFalse();
-  }
-
-  @Test
-  public void execute_returns_root_users_sorted_by_name() {
-    logInAsRoot();
-    userDao.insert(dbSession, UserTesting.newUserDto().setName("ddd"));
-    UserDto root1 = userDao.insert(dbSession, UserTesting.newUserDto().setName("ccc"));
-    userDao.setRoot(dbSession, root1.getLogin(), true);
-    UserDto root2 = userDao.insert(dbSession, UserTesting.newUserDto().setName("bbb"));
-    userDao.setRoot(dbSession, root2.getLogin(), true);
-    userDao.insert(dbSession, UserTesting.newUserDto().setName("aaa"));
-    dbSession.commit();
-
-    assertThat(executeRequest())
-      .extracting(Roots.RootContent::getName)
-      .containsExactly("bbb", "ccc");
-  }
-
-  private UserSessionRule logInAsRoot() {
-    return userSessionRule.logIn().setRoot();
-  }
-
-  private List<Roots.RootContent> executeRequest() {
-    return wsTester.newRequest()
-      .executeProtobuf(Roots.SearchResponse.class)
-      .getRootsList();
-  }
-
-  private void expectInsufficientPrivilegesForbiddenException(ThrowingCallable callback) {
-    assertThatThrownBy(callback)
-      .isInstanceOf(ForbiddenException.class)
-      .hasMessage("Insufficient privileges");
-  }
-
-}
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/SetRootActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/SetRootActionTest.java
deleted file mode 100644
index 2347ff526a9..00000000000
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/SetRootActionTest.java
+++ /dev/null
@@ -1,169 +0,0 @@
-/*
- * SonarQube
- * Copyright (C) 2009-2022 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- */
-package org.sonar.server.root.ws;
-
-import javax.annotation.Nullable;
-import org.assertj.core.api.ThrowableAssert.ThrowingCallable;
-import org.junit.Rule;
-import org.junit.Test;
-import org.sonar.api.server.ws.WebService;
-import org.sonar.api.utils.System2;
-import org.sonar.db.DbSession;
-import org.sonar.db.DbTester;
-import org.sonar.db.user.UserDao;
-import org.sonar.db.user.UserDto;
-import org.sonar.db.user.UserTesting;
-import org.sonar.server.exceptions.ForbiddenException;
-import org.sonar.server.exceptions.NotFoundException;
-import org.sonar.server.tester.UserSessionRule;
-import org.sonar.server.ws.TestRequest;
-import org.sonar.server.ws.WsActionTester;
-
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.assertj.core.api.Assertions.assertThatThrownBy;
-
-public class SetRootActionTest {
-  private static final String SOME_LOGIN = "johndoe";
-
-  @Rule
-  public DbTester dbTester = DbTester.create(System2.INSTANCE);
-  @Rule
-  public UserSessionRule userSessionRule = UserSessionRule.standalone();
-
-  private UserDao userDao = dbTester.getDbClient().userDao();
-  private DbSession dbSession = dbTester.getSession();
-  private SetRootAction underTest = new SetRootAction(userSessionRule, dbTester.getDbClient());
-  private WsActionTester wsTester = new WsActionTester(underTest);
-
-  @Test
-  public void verify_definition() {
-    WebService.Action action = wsTester.getDef();
-    assertThat(action.key()).isEqualTo("set_root");
-    assertThat(action.isInternal()).isTrue();
-    assertThat(action.isPost()).isTrue();
-    assertThat(action.since()).isEqualTo("6.2");
-    assertThat(action.description()).isEqualTo("Make the specified user root.<br/>" +
-      "Requires to be root.");
-    assertThat(action.responseExample()).isNull();
-    assertThat(action.deprecatedKey()).isNull();
-    assertThat(action.deprecatedSince()).isNull();
-    assertThat(action.handler()).isSameAs(underTest);
-    assertThat(action.params()).hasSize(1);
-
-    WebService.Param param = action.param("login");
-    assertThat(param.isRequired()).isTrue();
-    assertThat(param.description()).isEqualTo("A user login");
-    assertThat(param.defaultValue()).isNull();
-    assertThat(param.deprecatedSince()).isNull();
-    assertThat(param.deprecatedKey()).isNull();
-    assertThat(param.exampleValue()).isEqualTo("admin");
-  }
-
-  @Test
-  public void execute_fails_with_ForbiddenException_when_user_is_not_logged_in() {
-    expectInsufficientPrivilegesForbiddenException(() -> executeRequest(SOME_LOGIN));
-  }
-
-  @Test
-  public void execute_fails_with_ForbiddenException_when_user_is_not_root() {
-    userSessionRule.logIn().setNonRoot();
-
-    expectInsufficientPrivilegesForbiddenException(() -> executeRequest(SOME_LOGIN));
-  }
-
-  @Test
-  public void execute_fails_with_IAE_when_login_param_is_not_provided() {
-    logInAsRoot();
-
-    assertThatThrownBy(() -> executeRequest(null))
-      .isInstanceOf(IllegalArgumentException.class)
-      .hasMessage("The 'login' parameter is missing");
-  }
-
-  @Test
-  public void execute_makes_user_with_specified_login_root_when_it_is_not() {
-    UserDto otherUser = UserTesting.newUserDto();
-    userDao.insert(dbSession, otherUser);
-    userDao.insert(dbSession, UserTesting.newUserDto(SOME_LOGIN, "name", "email"));
-    dbSession.commit();
-    logInAsRoot();
-
-    executeRequest(SOME_LOGIN);
-
-    assertThat(userDao.selectByLogin(dbSession, SOME_LOGIN).isRoot()).isTrue();
-    assertThat(userDao.selectByLogin(dbSession, otherUser.getLogin()).isRoot()).isFalse();
-  }
-
-  @Test
-  public void execute_has_no_effect_when_user_is_already_root() {
-    UserDto otherUser = UserTesting.newUserDto();
-    userDao.insert(dbSession, otherUser);
-    userDao.insert(dbSession, UserTesting.newUserDto(SOME_LOGIN, "name", "email"));
-    userDao.setRoot(dbSession, SOME_LOGIN, true);
-    dbSession.commit();
-    logInAsRoot();
-
-    executeRequest(SOME_LOGIN);
-
-    assertThat(userDao.selectByLogin(dbSession, SOME_LOGIN).isRoot()).isTrue();
-    assertThat(userDao.selectByLogin(dbSession, otherUser.getLogin()).isRoot()).isFalse();
-  }
-
-  @Test
-  public void execute_fails_with_NotFoundException_when_user_for_specified_login_does_not_exist() {
-    logInAsRoot();
-
-    assertThatThrownBy(() -> executeRequest("foo_bar"))
-      .isInstanceOf(NotFoundException.class)
-      .hasMessage("User with login 'foo_bar' not found");
-  }
-
-  @Test
-  public void execute_fails_with_NotFoundException_when_user_for_specified_login_is_not_active() {
-    UserDto userDto = UserTesting.newUserDto().setActive(false);
-    userDao.insert(dbSession, userDto);
-    dbSession.commit();
-    logInAsRoot();
-
-    assertThatThrownBy(() -> executeRequest(userDto.getLogin()))
-      .isInstanceOf(NotFoundException.class)
-      .hasMessage("User with login '" + userDto.getLogin() + "' not found");
-  }
-
-  private void logInAsRoot() {
-    userSessionRule.logIn().setRoot();
-  }
-
-  private void expectInsufficientPrivilegesForbiddenException(ThrowingCallable callback) {
-    assertThatThrownBy(callback)
-      .isInstanceOf(ForbiddenException.class)
-      .hasMessage("Insufficient privileges");
-  }
-
-  private int executeRequest(@Nullable String login) {
-    TestRequest request = wsTester.newRequest();
-    if (login != null) {
-      request.setParam("login", login);
-    }
-    return request
-      .execute()
-      .getStatus();
-  }
-}
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/UnsetRootActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/UnsetRootActionTest.java
deleted file mode 100644
index 3996bf0184b..00000000000
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/root/ws/UnsetRootActionTest.java
+++ /dev/null
@@ -1,200 +0,0 @@
-/*
- * SonarQube
- * Copyright (C) 2009-2022 SonarSource SA
- * mailto:info AT sonarsource DOT com
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 3 of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public License
- * along with this program; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
- */
-package org.sonar.server.root.ws;
-
-import javax.annotation.Nullable;
-import org.assertj.core.api.ThrowableAssert.ThrowingCallable;
-import org.junit.Rule;
-import org.junit.Test;
-import org.sonar.api.server.ws.WebService;
-import org.sonar.api.utils.System2;
-import org.sonar.db.DbSession;
-import org.sonar.db.DbTester;
-import org.sonar.db.user.UserDao;
-import org.sonar.db.user.UserDto;
-import org.sonar.server.exceptions.BadRequestException;
-import org.sonar.server.exceptions.ForbiddenException;
-import org.sonar.server.exceptions.NotFoundException;
-import org.sonar.server.tester.UserSessionRule;
-import org.sonar.server.ws.TestRequest;
-import org.sonar.server.ws.WsActionTester;
-
-import static org.assertj.core.api.Assertions.assertThat;
-import static org.assertj.core.api.Assertions.assertThatThrownBy;
-import static org.sonar.db.user.UserTesting.newUserDto;
-
-public class UnsetRootActionTest {
-  private static final String SOME_LOGIN = "johndoe";
-
-  @Rule
-  public DbTester dbTester = DbTester.create(System2.INSTANCE);
-  @Rule
-  public UserSessionRule userSessionRule = UserSessionRule.standalone();
-
-  private UserDao userDao = dbTester.getDbClient().userDao();
-  private DbSession dbSession = dbTester.getSession();
-  private UnsetRootAction underTest = new UnsetRootAction(userSessionRule, dbTester.getDbClient());
-  private WsActionTester wsTester = new WsActionTester(underTest);
-
-  @Test
-  public void verify_definition() {
-    WebService.Action action = wsTester.getDef();
-    assertThat(action.key()).isEqualTo("unset_root");
-    assertThat(action.isInternal()).isTrue();
-    assertThat(action.isPost()).isTrue();
-    assertThat(action.since()).isEqualTo("6.2");
-    assertThat(action.description()).isEqualTo("Make the specified user not root.<br/>" +
-      "Requires to be root.");
-    assertThat(action.responseExample()).isNull();
-    assertThat(action.deprecatedKey()).isNull();
-    assertThat(action.deprecatedSince()).isNull();
-    assertThat(action.handler()).isSameAs(underTest);
-    assertThat(action.params()).hasSize(1);
-
-    WebService.Param param = action.param("login");
-    assertThat(param.isRequired()).isTrue();
-    assertThat(param.description()).isEqualTo("A user login");
-    assertThat(param.defaultValue()).isNull();
-    assertThat(param.deprecatedSince()).isNull();
-    assertThat(param.deprecatedKey()).isNull();
-    assertThat(param.exampleValue()).isEqualTo("admin");
-  }
-
-  @Test
-  public void execute_fails_with_ForbiddenException_when_user_is_not_logged_in() {
-    expectInsufficientPrivilegesForbiddenException(() -> executeRequest(SOME_LOGIN));
-  }
-
-  @Test
-  public void execute_fails_with_ForbiddenException_when_user_is_not_root() {
-    userSessionRule.logIn().setNonRoot();
-
-    expectInsufficientPrivilegesForbiddenException(() -> executeRequest(SOME_LOGIN));
-  }
-
-  @Test
-  public void execute_fails_with_IAE_when_login_param_is_not_provided() {
-    logInAsRoot();
-
-    assertThatThrownBy(() -> executeRequest(null))
-      .isInstanceOf(IllegalArgumentException.class)
-      .hasMessage("The 'login' parameter is missing");
-  }
-
-  @Test
-  public void execute_makes_user_with_specified_login_not_root_when_it_is() {
-    UserDto otherUser = insertRootUser(newUserDto());
-    insertRootUser(newUserDto(SOME_LOGIN, "name", "email"));
-    logInAsRoot();
-
-    executeRequest(SOME_LOGIN);
-
-    assertThat(userDao.selectByLogin(dbSession, SOME_LOGIN).isRoot()).isFalse();
-    assertThat(userDao.selectByLogin(dbSession, otherUser.getLogin()).isRoot()).isTrue();
-  }
-
-  @Test
-  public void execute_has_no_effect_when_user_is_already_not_root() {
-    UserDto otherUser = insertRootUser(newUserDto());
-    insertNonRootUser(newUserDto(SOME_LOGIN, "name", "email"));
-    logInAsRoot();
-
-    executeRequest(SOME_LOGIN);
-
-    assertThat(userDao.selectByLogin(dbSession, SOME_LOGIN).isRoot()).isFalse();
-    assertThat(userDao.selectByLogin(dbSession, otherUser.getLogin()).isRoot()).isTrue();
-  }
-
-  @Test
-  public void execute_fails_with_BadRequestException_when_attempting_to_unset_root_on_last_root_user() {
-    insertRootUser(newUserDto(SOME_LOGIN, "name", "email"));
-    insertNonRootUser(newUserDto());
-    logInAsRoot();
-
-    assertThatThrownBy(() -> executeRequest(SOME_LOGIN))
-      .isInstanceOf(BadRequestException.class)
-      .hasMessage("Last root can't be unset");
-  }
-
-  @Test
-  public void execute_fails_with_BadRequestException_when_attempting_to_unset_non_root_and_there_is_no_root_at_all() {
-    UserDto userDto1 = newUserDto(SOME_LOGIN, "name", "email");
-    insertNonRootUser(userDto1);
-    logInAsRoot();
-
-    assertThatThrownBy(() -> executeRequest(userDto1.getLogin()))
-      .isInstanceOf(BadRequestException.class)
-      .hasMessage("Last root can't be unset");
-  }
-
-  @Test
-  public void execute_fails_with_NotFoundException_when_user_for_specified_login_does_not_exist() {
-    logInAsRoot();
-
-    assertThatThrownBy(() -> executeRequest("bar_foo"))
-      .isInstanceOf(NotFoundException.class)
-      .hasMessage("User with login 'bar_foo' not found");
-  }
-
-  @Test
-  public void execute_fails_with_NotFoundException_when_user_for_specified_login_is_inactive() {
-    UserDto userDto = insertRootUser(newUserDto().setActive(false));
-    logInAsRoot();
-
-    assertThatThrownBy(() -> executeRequest(userDto.getLogin()))
-      .isInstanceOf(NotFoundException.class)
-      .hasMessage("User with login '" + userDto.getLogin() + "' not found");
-  }
-
-  private UserDto insertNonRootUser(UserDto dto) {
-    userDao.insert(dbSession, dto);
-    dbSession.commit();
-    return dto;
-  }
-
-  private UserDto insertRootUser(UserDto dto) {
-    insertNonRootUser(dto);
-    userDao.setRoot(dbSession, dto.getLogin(), true);
-    dbSession.commit();
-    return dto;
-  }
-
-  private void logInAsRoot() {
-    userSessionRule.logIn().setRoot();
-  }
-
-  private void expectInsufficientPrivilegesForbiddenException(ThrowingCallable callback) {
-    assertThatThrownBy(callback)
-      .isInstanceOf(ForbiddenException.class)
-      .hasMessage("Insufficient privileges");
-
-  }
-
-  private int executeRequest(@Nullable String login) {
-    TestRequest request = wsTester.newRequest();
-    if (login != null) {
-      request.setParam("login", login);
-    }
-    return request
-      .execute()
-      .getStatus();
-  }
-
-}
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/ResetActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/ResetActionTest.java
index 076bede0ff5..954f7ea4468 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/ResetActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/setting/ws/ResetActionTest.java
@@ -291,7 +291,7 @@ public class ResetActionTest {
 
   @Test
   public void fail_when_qualifier_not_included() {
-    userSession.logIn().setRoot();
+    userSession.logIn().addProjectPermission(ADMIN, project);
     definitions.addComponent(PropertyDefinition.builder("foo")
       .onQualifiers(VIEW)
       .build());
@@ -306,7 +306,7 @@ public class ResetActionTest {
 
   @Test
   public void fail_to_reset_setting_component_when_setting_is_global() {
-    userSession.logIn().setRoot();
+    userSession.logIn().addProjectPermission(ADMIN, project);
 
     definitions.addComponent(PropertyDefinition.builder("foo").build());
     i18n.put("qualifier." + PROJECT, "project");
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/ui/ws/GlobalActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/ui/ws/GlobalActionTest.java
index bb0ecfb6b71..1d8d40662f0 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/ui/ws/GlobalActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/ui/ws/GlobalActionTest.java
@@ -272,14 +272,6 @@ public class GlobalActionTest {
     assertJson(call()).isSimilarTo("{\"needIssueSync\": false}");
   }
 
-  @Test
-  public void can_admin_on_global_level() {
-    init();
-    userSession.logIn().setRoot();
-
-    assertJson(call()).isSimilarTo("{\"canAdmin\":true}");
-  }
-
   @Test
   public void regulatory_report_feature_enabled_ee_dce() {
     init();
@@ -322,7 +314,7 @@ public class GlobalActionTest {
   @Test
   public void standalone_flag() {
     init();
-    userSession.logIn().setRoot();
+    userSession.logIn().setSystemAdministrator();
     when(webServer.isStandalone()).thenReturn(true);
 
     assertJson(call()).isSimilarTo("{\"standalone\":true}");
@@ -331,7 +323,7 @@ public class GlobalActionTest {
   @Test
   public void not_standalone_flag() {
     init();
-    userSession.logIn().setRoot();
+    userSession.logIn().setSystemAdministrator();
     when(webServer.isStandalone()).thenReturn(false);
 
     assertJson(call()).isSimilarTo("{\"standalone\":false}");
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/user/ws/CreateActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/user/ws/CreateActionTest.java
index c6d7d852d06..ca4b5d5edee 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/user/ws/CreateActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/user/ws/CreateActionTest.java
@@ -114,7 +114,6 @@ public class CreateActionTest {
     // exists in db
     Optional<UserDto> dbUser = db.users().selectUserByLogin("john");
     assertThat(dbUser).isPresent();
-    assertThat(dbUser.get().isRoot()).isFalse();
 
     // member of default group
     assertThat(db.users().selectGroupUuidsOfUser(dbUser.get())).containsOnly(defaultGroup.getUuid());
@@ -132,8 +131,8 @@ public class CreateActionTest {
       .build());
 
     assertThat(db.users().selectUserByLogin("john").get())
-      .extracting(UserDto::isLocal, UserDto::getExternalIdentityProvider, UserDto::getExternalLogin, UserDto::isRoot)
-      .containsOnly(true, "sonarqube", "john", false);
+      .extracting(UserDto::isLocal, UserDto::getExternalIdentityProvider, UserDto::getExternalLogin)
+      .containsOnly(true, "sonarqube", "john");
   }
 
   @Test
@@ -147,8 +146,8 @@ public class CreateActionTest {
       .build());
 
     assertThat(db.users().selectUserByLogin("john").get())
-      .extracting(UserDto::isLocal, UserDto::getExternalIdentityProvider, UserDto::getExternalLogin, UserDto::isRoot)
-      .containsOnly(false, "sonarqube", "john", false);
+      .extracting(UserDto::isLocal, UserDto::getExternalIdentityProvider, UserDto::getExternalLogin)
+      .containsOnly(false, "sonarqube", "john");
   }
 
   @Test
diff --git a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/user/ws/GroupsActionTest.java b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/user/ws/GroupsActionTest.java
index fa04ebd4946..9adaeafcd5a 100644
--- a/server/sonar-webserver-webapi/src/test/java/org/sonar/server/user/ws/GroupsActionTest.java
+++ b/server/sonar-webserver-webapi/src/test/java/org/sonar/server/user/ws/GroupsActionTest.java
@@ -24,6 +24,7 @@ import org.junit.Test;
 import org.sonar.api.server.ws.WebService;
 import org.sonar.api.server.ws.WebService.Param;
 import org.sonar.db.DbTester;
+import org.sonar.db.permission.GlobalPermission;
 import org.sonar.db.user.GroupDto;
 import org.sonar.db.user.UserDto;
 import org.sonar.server.exceptions.ForbiddenException;
@@ -51,12 +52,11 @@ public class GroupsActionTest {
 
   private static final String USER_LOGIN = "john";
 
-
   @Rule
   public DbTester db = DbTester.create();
 
   @Rule
-  public UserSessionRule userSession = UserSessionRule.standalone().logIn().setRoot();
+  public UserSessionRule userSession = UserSessionRule.standalone().logIn().addPermission(GlobalPermission.ADMINISTER);
 
   private WsActionTester ws = new WsActionTester(new GroupsAction(db.getDbClient(), userSession,
     new DefaultGroupFinder(db.getDbClient())));
diff --git a/server/sonar-webserver/src/main/java/org/sonar/server/platform/platformlevel/PlatformLevel4.java b/server/sonar-webserver/src/main/java/org/sonar/server/platform/platformlevel/PlatformLevel4.java
index aef8a7d416c..3c79441837f 100644
--- a/server/sonar-webserver/src/main/java/org/sonar/server/platform/platformlevel/PlatformLevel4.java
+++ b/server/sonar-webserver/src/main/java/org/sonar/server/platform/platformlevel/PlatformLevel4.java
@@ -209,7 +209,6 @@ import org.sonar.server.qualityprofile.builtin.BuiltInQProfileRepositoryImpl;
 import org.sonar.server.qualityprofile.builtin.RuleActivator;
 import org.sonar.server.qualityprofile.index.ActiveRuleIndexer;
 import org.sonar.server.qualityprofile.ws.QProfilesWsModule;
-import org.sonar.server.root.ws.RootWsModule;
 import org.sonar.server.rule.CommonRuleDefinitionsImpl;
 import org.sonar.server.rule.RuleCreator;
 import org.sonar.server.rule.RuleDefinitionsLoader;
@@ -595,9 +594,6 @@ public class PlatformLevel4 extends PlatformLevel {
       // UI
       new NavigationWsModule(),
 
-      // root
-      new RootWsModule(),
-
       // webhooks
       WebhookQGChangeEventListener.class,
       new WebhookModule(),
-- 
2.39.5