Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Limiting a role so it cannot create users of the same role or a more elevated role

I set up an RTC 4.0.7 Project Area.   Under that project area we are setting up Teams to represent different product areas.   Within those teams we created a role called product admin, and this user can create subteams, add users to that team or any subteam, and assign roles in that team or any subteam.    However, I don't want Product Admins to create other Product Admin.  We have a business role stating that each Product can only have 3 Product Admins.

In addtion to the product admin role, we have create a tool admin role which gives the user everything.   This is limited to myself and 2 of my coworkers.   I would like to keep the product admin from being able to assign that role as well.

I can't find a way to limit the level of role that can be assigned.

Thanks

0 votes


Accepted answer

Permanent link
I ended up opening a PMR for this issue.   IBM Support indicated that there was no way to stop users from granting additional access beyond their role, once they have the ability to add roles.   In my opinion it is rather poor design, and doesn't protect the data well.   I am digging through the API to see if I can write a customization to compensate.
Ralph Schoon selected this answer as the correct answer

1 vote

Comments

I will close this then, as we can't do anything until the PMR has been resolved.


4 other answers

Permanent link
Hello Vanessa, I have the same problem.  The roles are a bit different but the principle is the same. 
It seems that the permission to assign a role allows assignment of any role, and there are no preconditions or followup actions for Save Team Area (server).

Like you I'm looking for a way to restrict awarding of roles to prevent people giving themselves or others privileges they're not entitled to.  Can anybody offer a method?

0 votes


Permanent link
Hi Vanessa, I also raised a product enhancement request as I think this is something of a glaring hole in functionality.  The work item ID is 343616.

Also, can you please let us know the outcome of your PMR as and when it gets resolved?
Good luck ...

0 votes


Permanent link
I believe the answer is very simple really (at least this is immediately what springs to mind). When you create the role, you have the option to say whether it multi user or single user .. at your team level, I believe that would apply .... and would prevent your admin from re-using that role for another team member. 

Worth a shot

0 votes

Comments

Unfortunately role cardinality is just informational and not enforced by RTC. So this is no option. Also what  is really requested here is some kind of role hierarchy with respect to permissions, I guess. And that is also not supported in RTC. RTC treats all roles equal. The role order - important for operational behavior is set by the admin adding the role.

Role order see:
Process permissions lookup in Rational Team Concert
Process behavior lookup in Rational Team Concert

 I agree with Ralph on the cardinality not enforced (I opened a PMR and was told that non-enforcement of cardinality was by design).


Even if it was enforced, I still don't think that meets the requirements.  Say there is a role called "master admin" who can do alot of things that we don't want normal team members to do, like delete work items.  There is nobody on the low-level team which has that role but only at the project area.  Even as single cardinality, if there current isn't a 'master admin' on the team, anybody who can change roles can add 'master admin' to themselves and be able to do stuff that they shouldn't.  

Either we need to be able to say that you can't give someone a role you don't actually have, or we need to be able to define what roles can give what roles (for example, a "team lead" can give someone "team lead and team member" roles, but not manager role, while a manager can give manager, team member, and team lead roles.

1 vote


Permanent link
Thanks everyone for your responses.  My PMR is closed.   RTC does not respect role hierarchy.   My options are to open an enhancement request or write a code customization to call during validation.   Cliff opened an enhancement already, work item 343616. (thanks!)  I will leave comments on that.

0 votes

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details

Question asked: Jan 20 '15, 10:01 a.m.

Question was seen: 3,946 times

Last updated: Jan 30 '15, 12:06 p.m.

Confirmation Cancel Confirm