It's all about the answers!

Ask a question

How do I manage hierarchical access control?


Franca Zober (153) | asked Aug 27 '19, 2:24 a.m.
edited Aug 27 '19, 4:15 a.m.

 Hi,


having read many of the articles on access, I still fail to understand what I believe should be a basic concept...

I have a "Team 1", a "Team A" and a "Team B". I have items created that are either flagged "1", "A" or "B", "2".

I would now like:
* "Team 1" to see items flagged "1", "A" and "B", "2"
* "Team A" only to see items flagged "A", "2"
* "Team B" only to see items flagged "B", "2"

Hence, items "1" should only be available to highest rank team (team lead). Items "2" should be available to everyone where as items "A" and "B" should not be seen by the respective other normal team but for the team lead.

How can this best be accomplished? 

Do I do this with Team Areas and Categories to file the item against? If so, do I have to create Team 1 in the root of the project and will that make them see everything? Filing against e.g. Team A I understand would hinder Team B to see, but how to I then make items flagged "2" available to all?

Thanks for any hints into the right direction.

Regards
Franca

One answer



permanent link
Ralph Schoon (60.5k33643) | answered Sep 18 '19, 3:45 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

There is a capability to limit read access to work items based on the category. 


Please note that the category based access control does not necessarily work in the way you would expect. A member of a team can see the work items filed against his team and the theam area hierarchy in direction up to the project area.
Lets say 

Team1
TeamA
TeamB, TeamBSubTeam

Category Team
pa =>        Project Area
t1   =>       Team1
ta   =>       TeamA
tb   =>       TeamB
tbs   =>      TeamBSubTeam

If all above categories restrict read access
A member of the Project area can only see items filed against pa
A member of Team1 can only see items filed against t1 and pa
A member of TeamA can only see items filed against ta and pa
A member of TeamB can only see items filed against tb and pa
A member of TeamBSubTeam can only see items filed against tb, tbs and pa

This is not necessarily what people expect.

It is possible to use access groups to limit read access to members of the access group, but that requires custom automation to set the read access restriction automatically. See the series https://rsjazz.wordpress.com/2016/01/27/manage-access-control-permissions-for-work-items-and-versionables/




Comments
Ralph Schoon commented Sep 18 '19, 3:47 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Note that people can be members of multiple teams. In which case the user can see every work item visible to every team area they are member of. 


Ralph Schoon commented Sep 18 '19, 3:59 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

So to do that with categories your 2 would be on project area level - filed against the project area and then you would have filed against for your 3 teams. 

You could use another level between the PA and the three teams, but I would not do that.

Your answer


Register or to post your answer.