It's all about the answers!

Ask a question

JazzAdmin repository privilages justification


GURVINDER SOKHI (611113) | asked Mar 07, 5:47 a.m.
retagged Mar 21, 4:25 p.m. by Ken Tessier (84117)

As with typical large enterprise clients where IBM CLM products are deployed they are likely to be supported by IM/IT and the Tools/Capability team that work closely with business. This brings challenges define where the border lies for IM/IT team and Tools/Capability team as far Jazz privileges are concerned.

In our organisation the IM/IT believe only they should have JazzAdmin privileges which brings support challenges for Tools team supporting business without having JazzAdmin privileges.

I have attempted to compile list below to justify why Tools team would also require JazzAdmin privileges. I would appreciate any feedback from user community on their view on this topic and if they have similar challenges dealing with IM/IT team in regards obtaining appropriate Jazz privileges. thanks in advance.

  1. Ability to see private objects -https://jazz.net/forum/questions/179234/component-with-visibility-as-private-could-not-be-searched

  2. Ability to see and support all Projects on the server irrespective you are declared a proj admin on it

  3. Ability to enable Global Configuration Management

  4. Introduction of product lines means that we will have separate projects linked via the use of product lines and the ability to coordinate and manage inter project relationships, gather metrics, build reports etc

  5. For other ALM components like RQM, DNG, JRS there are further restrictions imposed (various menu options removed) that Software Capability team would require.

  6. Ability to manage Reports, Data Warehouse/JRS

  7. Ability to debug certain type of issues

  8. Ability to see application status & diagnostic information

  9. Ability to see “Manage Application” to aid debugging 

  10. Ability to see “Manage User” to aid debugging

  11. Ability to change certain server settings like increase query display limit

3 answers



permanent link
Karthik Krishnan (859390132) | answered Mar 07, 10:16 a.m.
I would like to provide some answers based on my experience.

Tools team can live mostly with JazzProjectAdmin rights. Most of the points you have mentioned are most likely one time activity or only on need basis and doesn't justify the need for tools team.

JazzAdmin has more rights and misuse of this could lead to catastrophe.

Ex: Ability to change certain server settings like increase query display limit--> I would only do this if IBM support requests you to do so.

I would be happy to offlload the JazzAdminRights :-)


Comments
GURVINDER SOKHI commented Mar 12, 6:53 p.m.

another issue we found was that without JazzAdmin the tools team is not able to see too all work items in a project as some maybe hidden with restricted access control. 

access to all work items is necesary for support and update work items in bulk if example as part of new process template version one may introduced new attribute that need to be reflected on all exisiting work items


Karthik Krishnan commented Mar 15, 6:42 a.m.

I believe with JazzProject admin access, one can add / remove the tools team members to the access group or team area.


GURVINDER SOKHI commented Mar 15, 6:50 a.m.

yes with JazzProject admin access, one can add / remove the tools team members to the access group or team area but this would be heavy process for enterprise customers which can have hundreds of project area and thousands of team areas. this increase maintainance overhead and time consuming action to add tool teams member to all team areas in CLM instance.

the other observation we made was that with JazzProjectAdmin you are not able to see all work items and streams/component unless you are named user on specific team areas that owns them.

to cut the long story short JazzAdmin access provide CLM instance wide visibility of all artefact required by tools team to support and respond to end user querries.


Karthik Krishnan commented Mar 15, 9:04 a.m.
If you are doing the template updates, then you would need to think about a system account for doing these activities. You could of course need some script to automate adding this user account to the pa's, team areas.

We can argue both ways but for me this doesn't justify the need for JazzAdmin considering the power of this account and more then 1 tooling team member handling this.

permanent link
Georg Kellner (80937092) | answered Mar 15, 6:57 a.m.
From my point of view, the roles are strange in your company.

IT: Server and OS, maybe database
Tool Team: Application with full admin rights in the applications
Project teams: Users, some have admin rights within their projects

Comments
GURVINDER SOKHI commented Mar 15, 7:05 a.m.

Hi Greg

The issues arises when there is an overlap with JazzAdmin rights with IT and Tools teams.

IT/IM team: JazzAdmin rights. Server and OS, maybe database

Tools Team:  JazzAdmin rights. Application with full admin rights in the applications

Project teams: JazzUser rights. Users, some have admin rights within their projects    


Karthik Krishnan commented Mar 15, 9:05 a.m.
Would remap to the below :

IT/IM team: JazzAdmin
Tools Team:  JazzProjectAdmin
Project teams: JazzUsers

GURVINDER SOKHI commented Mar 18, 4:53 a.m.

Yes that seems logically on the face it.

However the limitations with JazzProjectAdmin for Tools Team doesn't help the matter.

it appears some organisations grant some member of tools team with JazzAdmin to get around the issues discussed above.


permanent link
Ken Tessier (84117) | answered Mar 21, 4:25 p.m.

For additional information about permissions and access, see these two topics:



Ken 

Your answer


Register or to post your answer.