Restrict Access to teams not working


Brandy Guillory (5311925) | asked Nov 04 '14, 1:57 p.m.
edited Nov 04 '14, 1:58 p.m.
I am testing out implementation of a partner (vendor) backend bridge into our RTC project. I have created a role called "vendor". The only access I gave to this role is the ability to generate queries, so save/delete query is the only thing green. We have team areas set up for each product on our team that we test/develop for. I used two team members as guinea pigs and stripped their access roles and added only the new role I created called "vendor". I added this team member to two separate product team areas in which I created two defects as a test to see if they 1) could see ONLY those defects in which they were team members of and 2) could not modify them.

I had team members create queries in order to see defect data, they not only can see defect data for tools in which they are not assigned to that team area but they can also modify the defects which is NOT what we want.

Under administrator in categories, for every product/team area, restrict category item visibility and restrict work item team access are checked.

I also tried access control, members in the team hierarchy and access in the users list and listed the two members.
Any of you have an idea of what could be wrong?

Accepted answer


Ralph Schoon (58.0k23642) | answered Nov 05 '14, 4:00 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
Brandy, I have played with restricted access recently and it works. If you check the restrict access in the UI and have a team area associated with the category, only members of that team area (and nested team areas) can see the work items that are filed against this category. Work items that are filed against the project area will be visible to all users.

See: https://jazz.net/library/article/554 and https://jazz.net/library/article/837 for more details.

Please note, if the user has JazzAdmin Role, all work items will be visible.

Please note that every single user also has the everyone role and permissions accumulate across roles. The permission to change work items would have to be removed from everyone as well. See https://jazz.net/library/article/291 for how that works.

The visibility of a category has a different purpose, which is for example explained in the Eclipse client. If the check mark is removed, only members of the team associated to the category can see the category, so only these should be able to select it in filed against.
Brandy Guillory selected this answer as the correct answer

Comments
Brandy Guillory commented Nov 05 '14, 1:12 p.m.

Hi Ralph,

Thanks for your response. I read the articles above but still am a little confused. The two users do not have JazzAdmin but one of them is seeing defects of a team area she does not belong to. I will investigate that. I also understand and was able to see the everyone (default) and that is set for others to be able to edit defects. I am beginning to lean towards a new project altogether to separate from our main project solely for the vendors.


Brandy Guillory commented Nov 05 '14, 1:34 p.m. | edited Nov 06 '14, 2:00 a.m.

I think we figured it out further, we stripped access from the everyone role and it seems to be working now! Thanks.


Ralph Schoon commented Nov 06 '14, 2:00 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Separate project areas, with access control, are the easiest and most secure way of separating projects and managing access.

For category based read access, it is important to note that categories that are not checked will be visible to everyone.


Ralph Schoon commented Nov 06 '14, 2:00 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Nice to hear. Please accept the answer as correct.
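
Added example, not part of the original thread and not RTC code: a simplified Python model of the rules described in the accepted answer (permissions accumulate with the Everyone role, restricted categories are visible only to members of the associated team area and nested team areas, JazzAdmin sees everything). It reports what a vendor-only user can see and do before and after stripping the Everyone role. All role, team area, category and action names are constructed assumptions.

```python
# Simplified model of the rules stated in this thread; this is not the RTC API.
# Role, user, team area, category and action names are constructed sample data.
from dataclasses import dataclass, field

EVERYONE = "Everyone"  # role every user holds implicitly

@dataclass
class Project:
    role_perms: dict   # role -> set of permitted actions
    team_parent: dict  # team area -> parent team area (None = top level)
    categories: dict   # category -> (associated team area or None, restricted?)
    members: dict      # user -> {team area: [assigned roles]}
    jazz_admins: set = field(default_factory=set)

    def effective_permissions(self, user, team):
        # Permissions accumulate: assigned roles plus Everyone, even for non-members.
        roles = set(self.members.get(user, {}).get(team, [])) | {EVERYONE}
        return set().union(*(self.role_perms.get(r, set()) for r in roles))

    def can_see(self, user, category):
        team, restricted = self.categories[category]
        if user in self.jazz_admins or team is None or not restricted:
            return True  # JazzAdmin, project-area item, or unrestricted category
        for t in self.members.get(user, {}):
            while t is not None:  # walk up: a nested team area counts as its parent
                if t == team:
                    return True
                t = self.team_parent.get(t)
        return False

def exposure(project, user, allowed):
    """Per category: is it visible, and which actions exceed `allowed`?"""
    return {cat: (project.can_see(user, cat),
                  project.effective_permissions(user, team) - set(allowed))
            for cat, (team, _) in project.categories.items()}

def sample_project(everyone_perms):
    return Project(
        role_perms={EVERYONE: set(everyone_perms), "vendor": {"save_query"}},
        team_parent={"ProductA": None, "ProductA/Sub": "ProductA", "ProductB": None},
        categories={"CatA": ("ProductA", True), "CatB": ("ProductB", True),
                    "Unassigned": (None, False)},
        members={"vendor1": {"ProductA/Sub": ["vendor"]}},
    )

if __name__ == "__main__":
    for perms in ({"save_query", "save_work_item"}, set()):
        print(sorted(perms), exposure(sample_project(perms), "vendor1", {"save_query"}))
```

In this model the vendor user keeps the modify action on every category until it is removed from Everyone, and the category not associated with a team area stays visible either way.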
