It's all about the answers!

Ask a question

Limiting a role so it cannot create users of the same role or a more elevated role

Vanessa Hill (2635) | asked Jan 20 '15, 10:01 a.m.
I set up an RTC 4.0.7 Project Area.   Under that project area we are setting up Teams to represent different product areas.   Within those teams we created a role called product admin, and this user can create subteams, add users to that team or any subteam, and assign roles in that team or any subteam.    However, I don't want Product Admins to create other Product Admin.  We have a business role stating that each Product can only have 3 Product Admins.

In addtion to the product admin role, we have create a tool admin role which gives the user everything.   This is limited to myself and 2 of my coworkers.   I would like to keep the product admin from being able to assign that role as well.

I can't find a way to limit the level of role that can be assigned.


Accepted answer

permanent link
Vanessa Hill (2635) | answered Jan 26 '15, 7:32 a.m.
edited Jan 26 '15, 7:33 a.m.
I ended up opening a PMR for this issue.   IBM Support indicated that there was no way to stop users from granting additional access beyond their role, once they have the ability to add roles.   In my opinion it is rather poor design, and doesn't protect the data well.   I am digging through the API to see if I can write a customization to compensate.
Ralph Schoon selected this answer as the correct answer

Ralph Schoon commented Jan 26 '15, 7:53 a.m.

I will close this then, as we can't do anything until the PMR has been resolved.

4 other answers

permanent link
Cliff Gardiner (921034) | answered Jan 26 '15, 5:08 a.m.
Hello Vanessa, I have the same problem.  The roles are a bit different but the principle is the same. 
It seems that the permission to assign a role allows assignment of any role, and there are no preconditions or followup actions for Save Team Area (server).

Like you I'm looking for a way to restrict awarding of roles to prevent people giving themselves or others privileges they're not entitled to.  Can anybody offer a method?

permanent link
Cliff Gardiner (921034) | answered Jan 28 '15, 8:08 a.m.
Hi Vanessa, I also raised a product enhancement request as I think this is something of a glaring hole in functionality.  The work item ID is 343616.

Also, can you please let us know the outcome of your PMR as and when it gets resolved?
Good luck ...

permanent link
Karen Steele (1.2k2136141) | answered Jan 29 '15, 7:29 a.m.
I believe the answer is very simple really (at least this is immediately what springs to mind). When you create the role, you have the option to say whether it multi user or single user .. at your team level, I believe that would apply .... and would prevent your admin from re-using that role for another team member. 

Worth a shot

Ralph Schoon commented Jan 29 '15, 7:36 a.m.

Unfortunately role cardinality is just informational and not enforced by RTC. So this is no option. Also what  is really requested here is some kind of role hierarchy with respect to permissions, I guess. And that is also not supported in RTC. RTC treats all roles equal. The role order - important for operational behavior is set by the admin adding the role.

Role order see:
Process permissions lookup in Rational Team Concert
Process behavior lookup in Rational Team Concert

Susan Hanson commented Jan 29 '15, 7:47 a.m.

 I agree with Ralph on the cardinality not enforced (I opened a PMR and was told that non-enforcement of cardinality was by design).

Even if it was enforced, I still don't think that meets the requirements.  Say there is a role called "master admin" who can do alot of things that we don't want normal team members to do, like delete work items.  There is nobody on the low-level team which has that role but only at the project area.  Even as single cardinality, if there current isn't a 'master admin' on the team, anybody who can change roles can add 'master admin' to themselves and be able to do stuff that they shouldn't.  

Either we need to be able to say that you can't give someone a role you don't actually have, or we need to be able to define what roles can give what roles (for example, a "team lead" can give someone "team lead and team member" roles, but not manager role, while a manager can give manager, team member, and team lead roles.

permanent link
Vanessa Hill (2635) | answered Jan 30 '15, 12:06 p.m.
Thanks everyone for your responses.  My PMR is closed.   RTC does not respect role hierarchy.   My options are to open an enhancement request or write a code customization to call during validation.   Cliff opened an enhancement already, work item 343616. (thanks!)  I will leave comments on that.

Your answer

Register or to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.