Limiting a role so it cannot create users of the same role or a more elevated role
I set up an RTC 4.0.7 Project Area. Under that project area we are setting up Teams to represent different product areas. Within those teams we created a role called product admin, and this user can create subteams, add users to that team or any subteam, and assign roles in that team or any subteam. However, I don't want Product Admins to create other Product Admin. We have a business role stating that each Product can only have 3 Product Admins.
In addtion to the product admin role, we have create a tool admin role which gives the user everything. This is limited to myself and 2 of my coworkers. I would like to keep the product admin from being able to assign that role as well.
I can't find a way to limit the level of role that can be assigned.
Thanks
In addtion to the product admin role, we have create a tool admin role which gives the user everything. This is limited to myself and 2 of my coworkers. I would like to keep the product admin from being able to assign that role as well.
I can't find a way to limit the level of role that can be assigned.
Thanks
Accepted answer
I ended up opening a PMR for this issue. IBM Support indicated that there was no way to stop users from granting additional access beyond their role, once they have the ability to add roles. In my opinion it is rather poor design, and doesn't protect the data well. I am digging through the API to see if I can write a customization to compensate.
4 other answers
Hello Vanessa, I have the same problem. The roles are a bit different but the principle is the same.
It seems that the permission to assign a role allows assignment of any role, and there are no preconditions or followup actions for Save Team Area (server).
Like you I'm looking for a way to restrict awarding of roles to prevent people giving themselves or others privileges they're not entitled to. Can anybody offer a method?
It seems that the permission to assign a role allows assignment of any role, and there are no preconditions or followup actions for Save Team Area (server).
Like you I'm looking for a way to restrict awarding of roles to prevent people giving themselves or others privileges they're not entitled to. Can anybody offer a method?
I believe the answer is very simple really (at least this is immediately what springs to mind). When you create the role, you have the option to say whether it multi user or single user .. at your team level, I believe that would apply .... and would prevent your admin from re-using that role for another team member.
Worth a shot
Worth a shot
Comments
Unfortunately role cardinality is just informational and not enforced by RTC. So this is no option. Also what is really requested here is some kind of role hierarchy with respect to permissions, I guess. And that is also not supported in RTC. RTC treats all roles equal. The role order - important for operational behavior is set by the admin adding the role.
Role order see:
Process permissions lookup in Rational Team Concert
Process behavior lookup in Rational Team Concert
I agree with Ralph on the cardinality not enforced (I opened a PMR and was told that non-enforcement of cardinality was by design).
Even if it was enforced, I still don't think that meets the requirements. Say there is a role called "master admin" who can do alot of things that we don't want normal team members to do, like delete work items. There is nobody on the low-level team which has that role but only at the project area. Even as single cardinality, if there current isn't a 'master admin' on the team, anybody who can change roles can add 'master admin' to themselves and be able to do stuff that they shouldn't.
Either we need to be able to say that you can't give someone a role you don't actually have, or we need to be able to define what roles can give what roles (for example, a "team lead" can give someone "team lead and team member" roles, but not manager role, while a manager can give manager, team member, and team lead roles.
1 vote