Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Which permissions are provided as a JazzPrjAdmin

Questions
Tags
Users
Badges
Marko Tomljenovic
(31650109) retagged
Apr 30 '18, 2:25 p.m.

Hello,

according to some official CLM documentation (forgot the URL) a JazzPrjAdmin is allowed to "save a project area" if it is visible to the JazzPrjAdmin even if that person has not a concrete role or is not a "Administrator" that would normally allow it.

My question is whether a JazzPrjAdmin has in the end the same permissions like a configured "Administrator" in a project area?

PS. What permissions an "Administrator" has was already asked by me: https://jazz.net/forum/questions/247178/which-actionsoperations-reflect-the-permissions-of-an-administrator

0 votes

2 answers
3,288 views
0 votes

Accepted answer

Permanent link
Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER (63.9k33648) edited
Apr 30 '18, 1:11 p.m.

See: https://jazz.net/help-dev/clm/index.jsp?topic=%2Fcom.ibm.jazz.platform.doc%2Ftopics%2Fc_permissions.html 

From the help: 

JazzProjectAdmins Administrators who have the same access as JazzUsers plus permission to perform the following operations:
  • Create and modify all process templates.
  • Create project areas and team areas.
  • Modify the access control settings for project areas.
  • Save project areas regardless of the role permission settings in the project areas, which include the ability to generate team member invitations. This override ability does not extend to project areas to which the user does not have read-access.
So JazzProjectAdmins users can save project areas regardless of the role permission settings in the project areas. This override ability does not extend to project areas to which the user does not have read access. 

So the repository role JazzProjectAdmins also has abilities to do project-area independent operations, e.g. to modify process templates, have access to the lifecycle project area administration and that for all the products and not just RTC. If you look into the help and search for JazzProjectAdmin you will see several activities you require this or the JazzAdmin Role.  

Each project area, through its access control settings, can restrict read access to specific users. Users who have at least JazzUsers repository group permissions and have read access to a project area can perform the actions granted to the role or roles assigned to them within that project area. See Table 2 for the list of role-based permissions. The project administrator of a project area does not need JazzProjectAdmins permission to manage that project area. Within a project area, a user who is designated as Administrator has read-write access for that project area. 




Geoffrey Clemm selected this answer as the correct answer

1 vote

Comments
Marko Tomljenovic
Apr 30 '18, 1:12 p.m.

Hello Ralph,

I have to apologize, my question was too unspecific. Thanks for your extensive answer.

A JazzPrjAdmin can do more/different things than a regular Admin but regarding the things that can be done in a project area (what you have listed as "Save project area regardless of the role permissions...") is this reflecting internally in the same permissions like being an "Administrator" in the project area or is e.g. a JazzPrjAdmin not allowed to create new Timelines, ...?

Geoffrey Clemm
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Apr 30 '18, 1:13 p.m.

No, the abilities of a JazzProjectAdmin is not based on roles ... it is an override to the normal role-based permissions.

Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER May 22 '18, 5:27 a.m.

This is also reflected by the fact that aj JazzAdmin or JazzProjectAdmin or a member of the administratiors still required to assign yourself roles and permissions (which you can do due to the override) before you can do things like deleting work items etc.

RTC also indicates when the Admin Override kicks in.

Marko Tomljenovic
May 28 '18, 4:06 a.m.

Hi Ralph,

how does RTC indicate this override? 

Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER May 28 '18, 5:24 a.m.

In the team advisor in Eclipse for example:


One other answer

Permanent link
Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER (63.9k33648) edited
Apr 26 '18, 9:40 a.m.

As an answer so I have more space.

You are comparing two totally different concepts and there is an issue with understanding the various "Admins". It is important to understand the distinctions and I thought I had already provided that.

1. JazzProjectAdmin is a Repository Role. Such a role allows the user having it to do things on a repository level that other users are not allowed to. The JazzProjectAdmin role allows to create project areas and it allows to add themselves (and other users) to the list of project area administrators. As far as I can tell these activities are not permissions on a project area level. Even if no permissions are given to any role, the JazzProjectAdmin can do this. Users with only JazzUsers or JazzGuests can not do that. JazzProjectAdmin is more limited as JazzAmin.

2. Being in the list of  Administrators of a project area provides these users an override for some actions. Even if no role was any permissions in the project area, these users can make themselves a member of the project area, give themselves roles and configure permissions for roles. It does only override a very specific set of operations. E.g. if you don't have a role that has permissions to create work items, you can be member of the Administrators and you still can't create a work item.

There are NO permissions or invisible roles or something like that involved being in the list of  Administrators of a project area. If the member of the administrators does something they have no permission to do (from a role perspective) but are allowed as members of the Administrators, when saving the process (in Eclipse) the team advisor states that the user does NOT have the permission but an administrator override allows the operation nevertheless.
 

0 votes

Comments
Marko Tomljenovic
Apr 26 '18, 9:46 a.m.

Hi Ralph,

I know what you are describing and the difference on a technical level is known to me. But if an end user comes to me and asks "What am I allowed to do in a project area in ALM if I am a JazzProjectAdmin?".
And if the reply should describe the answer in a way that the end user understands then it is only logical to use the actions protected by permissions to use as the basis for the explanation.

And now I am asking you Ralph ;) If I am a JazzPrjAdmin what exactly am I allowed to do in ALM in a project area? What would you then answer? And please don't come up with a cloudy answer.

Sorry to be cocky about this but I did not get any clear answer to this question so far.

Ralph Schoon
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER Apr 26 '18, 10:03 a.m.

I think I have written it 15 times already, but here goes (as far as I know), otherwise feel free to write a PMR against Documentation.

As a JazzPrjAdmin on that level you can
1. Add yourself to the Project Area Administrators
2. Add yourself to the members of the project area
3. Create New Roles
4. Change permissions on roles
5. Give yourself any role
6. Save the process

So you can basically give yourself all permissions you want and THEN you can wreak havoc in the PA.

I would support a section in the product documentation that says so.

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

Ask a question
Guidelines
FAQ
Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details
× 12,019
× 1,381

Question asked: Jan 15 '18, 4:55 a.m.

Question was seen: 3,288 times

Last updated: May 28 '18, 5:24 a.m.

Confirmation Cancel Confirm