Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Separate RTC permission inheritance trees for admin/role property?

Questions
Tags
Users
Badges
Marko Tomljenovic
(31650109) Oct 20 '17, 8:34 a.m.

Hi,

I have a question regarding the "Administrators" in a RTC project/team area.
There is a team area hierarchy like this:

PS (Prj Area Level) / TA1 / TA11

User "A" is having some roles and is admin on "PA" level. I know that these roles/its permissions are then inherited by all child team areas as long as A is not listed there. I believe the same applies to the "Admin" capability.

What if A has some roles on PA and is admin on TA1. Does this mean A is only admin on TA1 and no more has the roles from PA? Or is the inheritance of permissions separated, that means are there two inheritance trees, one for the admin flag and one for the regular roles?

0 votes

2 answers
2,900 views
0 votes

Accepted answer

Permanent link
Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER (63.9k33648) Oct 23 '17, 3:20 a.m.

Marko,

this is how this works: https://jazz.net/library/article/291 for all I know.
As far as I can tell, being Administrator on a project area (vs having the JazzAdmin repository role) only allows you to give yourself (and others) roles and permissions in that PA.


Marko Tomljenovic selected this answer as the correct answer

0 votes

Comments
Marko Tomljenovic
Oct 23 '17, 3:37 a.m.

 Hi Ralph,

I know the mentioned article. But It does not talk about "Administrators" only about roles that a user can have. Or is the "Administrator" flag internally simply treated as a pre-defined role?

Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Oct 23 '17, 3:47 a.m.

Administrator is not a role for all I know.

As I said, the users listed as administrator in the process area only have the ability to give themselves roles and permissions and save the project areas process, even if they don't have roles and permissions that would allow this initially. This can be seen in the process advisor and is called "Administrator Override" as far as I remember.

Marko Tomljenovic
Oct 23 '17, 3:57 a.m.

 After reading this article https://jazz.net//library/article/292 I think I got it now. Thanks for pointing me to the right article and forcing me to understand it by myself :)

Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Oct 23 '17, 4:06 a.m.

It is quite complex. I struggle as well.

One other answer

Permanent link
Geoffrey Clemm
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER (30.1k33035) edited
Oct 24 '17, 4:10 a.m.

 To summarize, "Administrators" is not a role, but is inherited by child team areas.

0 votes

Comments
Marko Tomljenovic
Oct 23 '17, 4:33 p.m.

But what about this statement on the web ui: Team administrators can modify and save this team area and its child team areas. 


This sounds like the permissions of an Administrator are inherited by all child team areas. That means an Administrator on root PA level can also administrate in the child team areas.
Or does the statement in the web ui have a different meaning?

I just tested it. The "Administrator" permissions are inherited by lower level team areas. So my understanding (what I will remember) is that the "Administrator" flag is logically like a role that only provides the permissions for administrating the users and their roles on this specific process area and its child process areas..

Geoffrey Clemm
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Oct 24 '17, 4:17 a.m.

Oops.  I put an extra "not" in my answer (now corrected :-).

I personally do not think of Administrator as a role, because it doesn't show up in any of the role lists, but I agree it acts logically like a role in that it affects permissions and is inherited.

Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Oct 24 '17, 4:31 a.m.

Even if you are member of the administrators group you have to provide yourself with a role and the role with permissions in order to do anything other than

  • Creating, assigning roles and permissions to role
  • Saving the process area process

So it is more that it allows to take the role and permission needed.

Geoffrey Clemm
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Oct 29 '17, 5:58 p.m.

Or another way to express the difference is that what an Administrator can do is hard-wired and cannot be modified, while the permissions assigned to actual roles can be specified (if you have the appropriate permissions :-).

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

Ask a question
Guidelines
FAQ
Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details
× 12,019

Question asked: Oct 20 '17, 8:34 a.m.

Question was seen: 2,900 times

Last updated: Oct 29 '17, 5:58 p.m.

Confirmation Cancel Confirm