How to implement access control on web


yu wang (4886245) | asked Nov 26 '22, 9:31 p.m.

 

user-a has the following defects:
- defect-d1
- defect-d2

user-b has the following defects:
- defect-d3
- defect-d4

user-a can't access defect-d3 and defect-d4, and user-b can't access defect-d1 and defect-d2.
How can I implement it?

I want to use ELM Workflow on the public internet.

3 answers



Ralph Schoon (63.1k33645) | answered Nov 28 '22, 2:51 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Comments
yu wang commented Nov 30 '22, 1:42 a.m. | edited Nov 30 '22, 7:15 a.m.

Thank you very much.

One sub team only has one user.


Ralph Schoon commented Nov 30 '22, 3:12 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

How would that scale? You would have to maintain many teams. You can play with it however. Access groups are also an option, but do not have built-in automation.


Ralph Schoon commented Nov 30 '22, 3:14 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

How would that scale? You would have to maintain many teams. You can play with it however. Access groups are also an option, but do not have built-in automation. Same scalability concerns apply.

Also, why would someone use work items if only they can see it? 


yu wang commented Nov 30 '22, 7:07 a.m. | edited Nov 30 '22, 7:18 a.m.

I want to use ELM Workflow on the public internet.

Many customers use the same ELM Workflow, but a customer can't see other customers' defects.


Ralph Schoon commented Nov 30 '22, 7:39 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Please consider using comments on answers, instead of always writing more answers to your own question. 


Davyd Norris commented Nov 30 '22, 7:32 p.m. | edited Nov 30 '22, 7:33 p.m.
Creating a sub team for each client is what I have previously done. While there may be a single user in the sub team on the client side, you will also have internal team members assigned there as well so that they get notified of client changes etc.

There is some maintenance getting this set up initially but then it's pretty simple to keep going. Your top level categories will reflect the client name and that makes it very easy to see and manage work items across many clients or within a single client.

Davyd Norris (2.2k217) | answered Nov 28 '22, 5:18 p.m.
As Ralph mentioned, you can't control visibility on a user basis - it's done on a team basis.

Set up sub teams, create a set of categories, and then map a sub team to the categories. Then on each category you can:
- "Restrict Category Visibility", which hides the Category from all but members of the associated Team
- "Restrict Work Item Access", which hides Work Items assigned to this Category from all but members of the associated Team
- "Use As Default", which makes the Category the one selected by default when a user in that sub team creates a new Work Item

Ralph Schoon (63.1k33645) | answered Nov 30 '22, 7:20 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
edited Nov 30 '22, 7:44 a.m.

I think we have answered what options you have already at least twice.

  1. You can set up category based restricted access and manage the members of the teams that can see the shared work items in team areas associated with the category. Teams can have one or more members. See the links above. Note that users who are not members of such a team cannot see the work items filed against that team.
  2. You can manage access groups where each access group has one or more members (including project or team areas). You can set the restricted access of each work item to an access group and only the members of that access group can see the work item. There is no automation for this, but it would be possible to write a follow-up action to automate this. See my blog links for how that would work. The number of access groups might be limited, but I know a customer who is using this for at least SCM access.

I will stay with my comment: access management where only one person has access is pointless, and EWM is not designed for this. EWM is designed to share to be able to work together. There are capabilities to limit access to team areas or access groups for more fine-grained control.
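
The category-based setup described in the answers above can be checked with a small model of the rule "Restrict Work Item Access hides work items from all but members of the associated team". This is an added example, not part of the original posts and not EWM API code; the team names, the internal member `support-1`, the data layout, and the rule that an unrestricted category is visible to every project user are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Category:
    name: str
    team: str                  # sub team mapped to this category
    restrict_work_items: bool  # the "Restrict Work Item Access" setting

# Constructed sample data: one sub team per client, plus an internal member.
TEAMS = {
    "client-a": {"user-a", "support-1"},
    "client-b": {"user-b", "support-1"},
}
CATEGORIES = {
    "Client A": Category("Client A", "client-a", True),
    "Client B": Category("Client B", "client-b", True),
}
WORK_ITEMS = {  # work item -> category it is filed against
    "defect-d1": "Client A", "defect-d2": "Client A",
    "defect-d3": "Client B", "defect-d4": "Client B",
}
CUSTOMER_OF = {"user-a": "client-a", "user-b": "client-b"}  # external users

def can_see(user, item, categories=CATEGORIES, teams=TEAMS):
    """Visibility under the modelled rule."""
    cat = categories[WORK_ITEMS[item]]
    if not cat.restrict_work_items:
        return True  # assumption: unrestricted items are visible to all users
    return user in teams[cat.team]

def isolation_findings(categories=CATEGORIES, teams=TEAMS):
    """List every way an external user can reach another client's data."""
    findings = []
    for user, home in CUSTOMER_OF.items():
        for team, members in teams.items():
            if team != home and user in members:
                findings.append(f"{user} is a member of foreign sub team {team}")
        for item, cat_name in WORK_ITEMS.items():
            foreign = categories[cat_name].team != home
            if foreign and can_see(user, item, categories, teams):
                findings.append(f"{user} can see {item} in category {cat_name}")
    return findings

if __name__ == "__main__":
    for line in isolation_findings() or ["no cross-client visibility found"]:
        print(line)
```

Running the same check after every category or team membership change catches the two ways this setup drifts: a category left unrestricted, or a client user added to the wrong sub team.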
