It's all about the answers!

Ask a question

Which permissions are provided as a JazzPrjAdmin


Marko Tomljenovic (3162960) | asked Jan 15 '18, 4:55 a.m.
retagged Apr 30 '18, 2:25 p.m. by Michael Afshar (7014)

Hello,

according to some official CLM documentation (forgot the URL) a JazzPrjAdmin is allowed to "save a project area" if it is visible to the JazzPrjAdmin even if that person has not a concrete role or is not a "Administrator" that would normally allow it.

My question is whether a JazzPrjAdmin has in the end the same permissions like a configured "Administrator" in a project area?

PS. What permissions an "Administrator" has was already asked by me: https://jazz.net/forum/questions/247178/which-actionsoperations-reflect-the-permissions-of-an-administrator

Accepted answer


permanent link
Ralph Schoon (55.5k23642) | answered Jan 15 '18, 9:01 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
edited Apr 30 '18, 1:11 p.m. by Geoffrey Clemm (29.2k23035)

See: https://jazz.net/help-dev/clm/index.jsp?topic=%2Fcom.ibm.jazz.platform.doc%2Ftopics%2Fc_permissions.html 

From the help: 

JazzProjectAdmins Administrators who have the same access as JazzUsers plus permission to perform the following operations:
  • Create and modify all process templates.
  • Create project areas and team areas.
  • Modify the access control settings for project areas.
  • Save project areas regardless of the role permission settings in the project areas, which include the ability to generate team member invitations. This override ability does not extend to project areas to which the user does not have read-access.
So JazzProjectAdmins users can save project areas regardless of the role permission settings in the project areas. This override ability does not extend to project areas to which the user does not have read access. 

So the repository role JazzProjectAdmins also has abilities to do project-area independent operations, e.g. to modify process templates, have access to the lifecycle project area administration and that for all the products and not just RTC. If you look into the help and search for JazzProjectAdmin you will see several activities you require this or the JazzAdmin Role.  

Each project area, through its access control settings, can restrict read access to specific users. Users who have at least JazzUsers repository group permissions and have read access to a project area can perform the actions granted to the role or roles assigned to them within that project area. See Table 2 for the list of role-based permissions. The project administrator of a project area does not need JazzProjectAdmins permission to manage that project area. Within a project area, a user who is designated as Administrator has read-write access for that project area. 




Geoffrey Clemm selected this answer as the correct answer

Comments
Marko Tomljenovic commented Jan 15 '18, 9:30 a.m. | edited Apr 30 '18, 1:12 p.m.

Hello Ralph,

I have to apologize, my question was too unspecific. Thanks for your extensive answer.

A JazzPrjAdmin can do more/different things than a regular Admin but regarding the things that can be done in a project area (what you have listed as "Save project area regardless of the role permissions...") is this reflecting internally in the same permissions like being an "Administrator" in the project area or is e.g. a JazzPrjAdmin not allowed to create new Timelines, ...?


Geoffrey Clemm commented Apr 30 '18, 1:13 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

No, the abilities of a JazzProjectAdmin is not based on roles ... it is an override to the normal role-based permissions.


Ralph Schoon commented May 22 '18, 5:27 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

This is also reflected by the fact that aj JazzAdmin or JazzProjectAdmin or a member of the administratiors still required to assign yourself roles and permissions (which you can do due to the override) before you can do things like deleting work items etc.

RTC also indicates when the Admin Override kicks in.


Marko Tomljenovic commented May 28 '18, 4:06 a.m.

Hi Ralph,

how does RTC indicate this override? 


Ralph Schoon commented May 28 '18, 5:24 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

In the team advisor in Eclipse for example:


One other answer



permanent link
Ralph Schoon (55.5k23642) | answered Apr 26 '18, 9:36 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
edited Apr 26 '18, 9:40 a.m.

As an answer so I have more space.

You are comparing two totally different concepts and there is an issue with understanding the various "Admins". It is important to understand the distinctions and I thought I had already provided that.

1. JazzProjectAdmin is a Repository Role. Such a role allows the user having it to do things on a repository level that other users are not allowed to. The JazzProjectAdmin role allows to create project areas and it allows to add themselves (and other users) to the list of project area administrators. As far as I can tell these activities are not permissions on a project area level. Even if no permissions are given to any role, the JazzProjectAdmin can do this. Users with only JazzUsers or JazzGuests can not do that. JazzProjectAdmin is more limited as JazzAmin.

2. Being in the list of  Administrators of a project area provides these users an override for some actions. Even if no role was any permissions in the project area, these users can make themselves a member of the project area, give themselves roles and configure permissions for roles. It does only override a very specific set of operations. E.g. if you don't have a role that has permissions to create work items, you can be member of the Administrators and you still can't create a work item.

There are NO permissions or invisible roles or something like that involved being in the list of  Administrators of a project area. If the member of the administrators does something they have no permission to do (from a role perspective) but are allowed as members of the Administrators, when saving the process (in Eclipse) the team advisor states that the user does NOT have the permission but an administrator override allows the operation nevertheless.
 


Comments
Marko Tomljenovic commented Apr 26 '18, 9:46 a.m.

Hi Ralph,

I know what you are describing and the difference on a technical level is known to me. But if an end user comes to me and asks "What am I allowed to do in a project area in ALM if I am a JazzProjectAdmin?".
And if the reply should describe the answer in a way that the end user understands then it is only logical to use the actions protected by permissions to use as the basis for the explanation.

And now I am asking you Ralph ;) If I am a JazzPrjAdmin what exactly am I allowed to do in ALM in a project area? What would you then answer? And please don't come up with a cloudy answer.

Sorry to be cocky about this but I did not get any clear answer to this question so far.


Ralph Schoon commented Apr 26 '18, 10:03 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

I think I have written it 15 times already, but here goes (as far as I know), otherwise feel free to write a PMR against Documentation.

As a JazzPrjAdmin on that level you can
1. Add yourself to the Project Area Administrators
2. Add yourself to the members of the project area
3. Create New Roles
4. Change permissions on roles
5. Give yourself any role
6. Save the process

So you can basically give yourself all permissions you want and THEN you can wreak havoc in the PA.

I would support a section in the product documentation that says so.

Your answer


Register or to post your answer.