It's all about the answers!

Ask a question

Separate RTC permission inheritance trees for admin/role property?


Marko Tomljenovic (3163687) | asked Oct 20 '17, 8:34 a.m.

Hi,

I have a question regarding the "Administrators" in a RTC project/team area.
There is a team area hierarchy like this:

PS (Prj Area Level) / TA1 / TA11

User "A" is having some roles and is admin on "PA" level. I know that these roles/its permissions are then inherited by all child team areas as long as A is not listed there. I believe the same applies to the "Admin" capability.

What if A has some roles on PA and is admin on TA1. Does this mean A is only admin on TA1 and no more has the roles from PA? Or is the inheritance of permissions separated, that means are there two inheritance trees, one for the admin flag and one for the regular roles?

Accepted answer


permanent link
Ralph Schoon (60.9k33643) | answered Oct 23 '17, 3:20 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Marko,

this is how this works: https://jazz.net/library/article/291 for all I know.
As far as I can tell, being Administrator on a project area (vs having the JazzAdmin repository role) only allows you to give yourself (and others) roles and permissions in that PA.


Marko Tomljenovic selected this answer as the correct answer

Comments
Marko Tomljenovic commented Oct 23 '17, 3:37 a.m.

 Hi Ralph,

I know the mentioned article. But It does not talk about "Administrators" only about roles that a user can have. Or is the "Administrator" flag internally simply treated as a pre-defined role?


Ralph Schoon commented Oct 23 '17, 3:46 a.m. | edited Oct 23 '17, 3:47 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Administrator is not a role for all I know.

As I said, the users listed as administrator in the process area only have the ability to give themselves roles and permissions and save the project areas process, even if they don't have roles and permissions that would allow this initially. This can be seen in the process advisor and is called "Administrator Override" as far as I remember.


Marko Tomljenovic commented Oct 23 '17, 3:57 a.m.

 After reading this article https://jazz.net//library/article/292 I think I got it now. Thanks for pointing me to the right article and forcing me to understand it by myself :)


Ralph Schoon commented Oct 23 '17, 4:06 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

It is quite complex. I struggle as well.

One other answer



permanent link
Geoffrey Clemm (30.1k23035) | answered Oct 23 '17, 4:02 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
edited Oct 24 '17, 4:10 a.m.

 To summarize, "Administrators" is not a role, but is inherited by child team areas.


Comments
Marko Tomljenovic commented Oct 23 '17, 4:33 p.m.

But what about this statement on the web ui: Team administrators can modify and save this team area and its child team areas. 


This sounds like the permissions of an Administrator are inherited by all child team areas. That means an Administrator on root PA level can also administrate in the child team areas.
Or does the statement in the web ui have a different meaning?

I just tested it. The "Administrator" permissions are inherited by lower level team areas. So my understanding (what I will remember) is that the "Administrator" flag is logically like a role that only provides the permissions for administrating the users and their roles on this specific process area and its child process areas..


Geoffrey Clemm commented Oct 24 '17, 4:17 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Oops.  I put an extra "not" in my answer (now corrected :-).

I personally do not think of Administrator as a role, because it doesn't show up in any of the role lists, but I agree it acts logically like a role in that it affects permissions and is inherited.


Ralph Schoon commented Oct 24 '17, 4:31 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Even if you are member of the administrators group you have to provide yourself with a role and the role with permissions in order to do anything other than

  • Creating, assigning roles and permissions to role
  • Saving the process area process

So it is more that it allows to take the role and permission needed.


Geoffrey Clemm commented Oct 29 '17, 5:58 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Or another way to express the difference is that what an Administrator can do is hard-wired and cannot be modified, while the permissions assigned to actual roles can be specified (if you have the appropriate permissions :-).

Your answer


Register or to post your answer.