Restrict Work Item Access by Team Area - inconsistent results?
Hi,
I'm running RTC 4.0.6 and have set up restricted work item access based on category / team area membership. Unfortunately, the results are very inconsistent. While some work items can no longer be viewed by members of unauthorized team areas, others show up just like before, even if they are filed against the same category. I cannot discern a pattern, except that it only seems to affect existing work items, not new ones.
Interestingly, when I make dummy changes to these items (does not have to be a change of the category), they disappear, as if I have to touch them to make RTC re-evaluate. Also, when I undo the change, they are visible again.
Is there possibly some index or cache I can force to re-create?
I'm running RTC 4.0.6 and have set up restricted work item access based on category / team area membership. Unfortunately, the results are very inconsistent. While some work items can no longer be viewed by members of unauthorized team areas, others show up just like before, even if they are filed against the same category. I cannot discern a pattern, except that it only seems to affect existing work items, not new ones.
Interestingly, when I make dummy changes to these items (does not have to be a change of the category), they disappear, as if I have to touch them to make RTC re-evaluate. Also, when I undo the change, they are visible again.
Is there possibly some index or cache I can force to re-create?
Accepted answer
A couple of things to remember when working with category-based restriction:
1. Admin users (members of JazzAdmins role) will always be able to view all workitems, regardless of the restriction
2. Category-based restriction is not meant to work in parallel with any other method of WI access restriction
3. The restriction is intended for flat category structure, in case of a tree-like structure of categories, the access permission is "inherited" in the Team hierarchy towards the root.
See https://jazz.net/library/article/837 for details.
If the observed behavior does not match the description above, I can recommend to file a jazz.net defect or raise a PMR to IBM Support.
1. Admin users (members of JazzAdmins role) will always be able to view all workitems, regardless of the restriction
2. Category-based restriction is not meant to work in parallel with any other method of WI access restriction
3. The restriction is intended for flat category structure, in case of a tree-like structure of categories, the access permission is "inherited" in the Team hierarchy towards the root.
See https://jazz.net/library/article/837 for details.
If the observed behavior does not match the description above, I can recommend to file a jazz.net defect or raise a PMR to IBM Support.
Comments
Thanks a lot for your reply, Piotr! Your 2nd point hit the nail on the head: I experimented with Access Groups and the "Restricted Access" field / presentation, and now I realize that all problematic items (almost all of them) are set to "visibility defined by access context" (did not do this explicitly). When setting them back to "default", category-based restriction kicks in and all is well. Now the only remaining question is: how can I do this for all items at once? Some fields can be batch-updated from query results, but "restricted access" does not seem to be one of them.