Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Relation between AccessGroup and AccessControl settings

Questions
Tags
Users
Badges
Marko Tomljenovic
(31650109) Jun 06 '17, 4:07 a.m.

Hi
I have a question wrt to Access Groups and the Access Control settings of a project area:
Can an Access group be used to provide read access to user X to certain artefacts of a project area even if the user X would not see the project according to the Access Control settings?

Or do Access Groups always even further restrict the read access to project area artefacts compared to the Access Control settings of the project area.

0 votes

1 answer
3,780 views
0 votes

One answer

Permanent link
Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER (64.6k33649) Jun 06 '17, 5:26 a.m.

 Marko,


as per our discussion, if Access Control is set to a value (e.g. members of the Project and Team Areas) then only users that satisfy the Access control criteria can access items owned by this project area. Only if the user can access items due to access control, access groups can further limit/control access to items.

I tested this with work items (If I can't access a project area, I can't access a work item owned by it, even if I am in the access group).
I tested this with SCM objects as well. If I have no access to the project area I can't see objects owned by it e.g. a component, even if I am in an access group that would allow me to.

0 votes

Comments
Geoffrey Clemm
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Jun 11 '17, 1:09 a.m.

This is not how this is documented to work. I have filed defect: https://jazz.net/jazz/resource/itemName/com.ibm.team.workitem.WorkItem/425645 

to either get this bug fixed, or to fix the user documentation.

Marko Tomljenovic
Jun 12 '17, 2:09 a.m.

Hi Geoff,

can you point me to the "documentation" that you are refering to?

Geoffrey Clemm
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Jun 12 '17, 10:20 p.m.

 https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.3/com.ibm.team.scm.doc/topics/c_read_access.html

Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Jun 13 '17, 1:00 a.m.

Please note, that the current behavior is actually helping. If it was not for the current behavior we observed, it would be impossible to be able to check who has access to what, without iterating everything.


E customer has a requirement to be able to show that for each user. 

Geoffrey Clemm
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Jun 13 '17, 3:30 p.m.

How is the current behavior necessary to determine who has access to what?   

The documented behavior would be processed the same as you would process the current behavior when the Access Control of a project area is Everyone.

Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Jun 13 '17, 3:51 p.m.

So everyone has access and you have to iterate the whole database of items owned by the  project area (including each and every of the million SCM objects) and look at the access context to determine who actually has access?


Maybe I am missing something. Marko and I talked and the concern was how to practically be able to do tell who has access to what for the ten thousands of users of this particular customer. They have to be able to evaluate the users access permissions to all these objects.

If the project area access control limits the general access and then the specific access context limits it further, it is easy to calculate. Otherwise it is almost impossible.

showing 5 of 6 show 1 more comments

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

Ask a question
Guidelines
FAQ
Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details
× 12,095
× 6,159

Question asked: Jun 06 '17, 4:07 a.m.

Question was seen: 3,780 times

Last updated: Jun 13 '17, 3:51 p.m.

Confirmation Cancel Confirm