Relation between AccessGroup and AccessControl settings


Marko Tomljenovic (31645109) | asked Jun 06 '17, 4:07 a.m.

Hi
I have a question with respect to Access Groups and the Access Control settings of a project area:
Can an Access group be used to provide read access to user X to certain artefacts of a project area even if the user X would not see the project according to the Access Control settings?

Or do Access Groups always even further restrict the read access to project area artefacts compared to the Access Control settings of the project area?

One answer

Ralph Schoon (63.1k33645) | answered Jun 06 '17, 5:26 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Marko,

As per our discussion, if Access Control is set to a value (e.g. members of the Project and Team Areas) then only users that satisfy the Access Control criteria can access items owned by this project area. Only if the user can access items due to access control can access groups further limit/control access to items.

I tested this with work items (If I can't access a project area, I can't access a work item owned by it, even if I am in the access group).
I tested this with SCM objects as well. If I have no access to the project area I can't see objects owned by it e.g. a component, even if I am in an access group that would allow me to.


Comments
Geoffrey Clemm commented Jun 11 '17, 1:09 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

This is not how this is documented to work. I have filed defect https://jazz.net/jazz/resource/itemName/com.ibm.team.workitem.WorkItem/425645 to either get this bug fixed, or to fix the user documentation.


Marko Tomljenovic commented Jun 12 '17, 2:09 a.m.

Hi Geoff,

can you point me to the "documentation" that you are referring to?


Geoffrey Clemm commented Jun 12 '17, 10:20 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Ralph Schoon commented Jun 13 '17, 1:00 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Please note that the current behavior is actually helping. If it was not for the current behavior we observed, it would be impossible to be able to check who has access to what, without iterating everything.


E customer has a requirement to be able to show that for each user. 


Geoffrey Clemm commented Jun 13 '17, 3:30 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

How is the current behavior necessary to determine who has access to what?   

The documented behavior would be processed the same as you would process the current behavior when the Access Control of a project area is Everyone.


Ralph Schoon commented Jun 13 '17, 3:42 p.m. | edited Jun 13 '17, 3:51 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

So everyone has access and you have to iterate the whole database of items owned by the project area (including each and every of the million SCM objects) and look at the access context to determine who actually has access?

Maybe I am missing something. Marko and I talked and the concern was how to practically be able to tell who has access to what for the tens of thousands of users of this particular customer. They have to be able to evaluate the users' access permissions to all these objects.

If the project area access control limits the general access and then the specific access context limits it further, it is easy to calculate. Otherwise it is almost impossible.
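The two evaluation orders discussed in this thread, as an added sketch that is not part of any post and is not Jazz/RTC code: every class, function and user name is hypothetical, the data is constructed, and the "group only" rule is an assumed reading of the alternative raised in the comments. `audit` returns the readable items together with how many item access contexts had to be inspected.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model for illustration; these names are not the Jazz/RTC API.
@dataclass(frozen=True)
class ProjectArea:
    name: str
    readers: Optional[frozenset]  # None models Access Control = "Everyone"

@dataclass(frozen=True)
class Item:
    id: str
    owner: ProjectArea
    access_group: Optional[frozenset] = None  # None: access context is the project area

def project_visible(user, pa):
    return pa.readers is None or user in pa.readers

def can_read_observed(user, item):
    # Behaviour reported in the answer: the project area gates first,
    # an access group can only narrow access further.
    if not project_visible(user, item.owner):
        return False
    return item.access_group is None or user in item.access_group

def can_read_group_only(user, item):
    # Assumed alternative: an item's access group decides on its own.
    if item.access_group is not None:
        return user in item.access_group
    return project_visible(user, item.owner)

def audit(user, items, gate_by_project):
    """Return (sorted readable item ids, number of item access contexts inspected)."""
    readable, inspected = [], 0
    check = can_read_observed if gate_by_project else can_read_group_only
    for item in items:
        if gate_by_project and not project_visible(user, item.owner):
            continue  # whole project area ruled out without looking at the item
        inspected += 1
        if check(user, item):
            readable.append(item.id)
    return sorted(readable), inspected

# Constructed sample data: a project area readable only by "alice".
PA = ProjectArea("Closed PA", frozenset({"alice"}))
ITEMS = [Item("WI-1", PA),
         Item("WI-2", PA, frozenset({"alice", "bob"})),
         Item("COMP-1", PA, frozenset({"bob"}))]
```

For a user outside the project area, the gated audit inspects no items, while the group-only audit has to look at every item's access context.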
