Restricting who can assign a role


Susan Hanson (1.6k2201194) | asked Mar 29 '11, 5:35 p.m.
I need to create a role to use for permissions around creating or saving work item types and/or attributes. I've created it and understand how to do that.

However, we do NOT want just 'anyone' to be able to give this role to someone, since this is meant to restrict certain things to just a few select people (like, saying that something has Legal approval should ONLY be set by the Legal team). However, it looks like there is no way to set any type of that when I create the role.

One thing I had thought of was to create a team area and put the role at that team area, and if that is the lowest team area level, it wouldn't be visible to anyone above it. Then if I only added the people I wanted to have that role into that specific team area, then that would maybe limit other people from giving the wrong people that role.

Has anybody done this? Am I walking down the wrong hill?

Susan Hanson

7 answers



Ralph Schoon (63.1k33646) | answered Apr 04 '11, 2:07 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
Hi Susan,

The only way I think this is going to work is, removing the permission "Modify the collection of team members" from the project and team areas. Reserve this to the role you just mentioned and just give a selected set of people this role. The role needs to be on project/top level team area level, since that is where the ownership of types and attributes is.
You might want to consider reviewing the "Process" permission section for project areas and team areas and determine which roles are allowed to save or modify certain things.
One thing to mention, each administrator, regardless which role he has, can effectively assign any available role to himself.

Thanks,

Ralph

Susan Hanson (1.6k2201194) | answered Apr 04 '11, 5:50 a.m.
Thanks Ralph,
I'll talk this over with the admin team today in our weekly meeting. I'm not sure they want to restrict setting team members, although since the teams are semi-static now (they were changing all the time earlier) that may be a reasonable thing.

Susan

Susan Hanson (1.6k2201194) | answered Apr 04 '11, 12:13 p.m.
A couple more questions on this one:
1) is there a way to do a query or report to see what roles each person is assigned? This way we could do an exception audit
2) In the role, when it says "Cardinality Single", does that mean RTC will enforce that at a Team level, that only 1 person can be assigned that role at any one time?

Susan

Ralph Schoon (63.1k33646) | answered Apr 04 '11, 1:16 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
Hi Susan,

1. In the Eclipse client, on a project area in the Team Artifacts view, you can "Generate Runtime Report", which gives a good overview.
2. The cardinality is not enforced as of today.

Ralph

Susan Hanson (1.6k2201194) | answered Apr 04 '11, 1:23 p.m.
Thanks ... at least that gives me the data, I just have to stick it all together.

For #2 ... when will cardinality be enforced? Why was it put there but is not enforced?

Susan

Ralph Schoon (63.1k33646) | answered Apr 04 '11, 1:33 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
Hi Susan,

I don't know. I can think of a lot of other things I'd like to have and would prioritize the cardinality enforcement very low. 8-)

You could probably create an advisor (not sure though). I assume it went in because the methodcomposer and process metamodel have it.

Ralph

Geoffrey Clemm (30.1k33035) | answered Apr 05 '11, 5:34 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
One of the reasons unitary cardinality is not enforced is that roles are
inherited. So if you gave someone a unitary role in a child team area,
this would prevent you from giving anyone that role in a parent team
area (and vice versa).

Now I personally believe that unitary roles should be enforced, and
should not be inherited. I submitted a while back a work item
requesting that you be able to control whether a role is inherited (89455).

Cheers,
Geoff
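
Added example, not part of the original thread and not RTC code: an exception audit over role assignments transcribed from a runtime report. It checks holders of a restricted role against an approved list and, because roles are inherited from parent areas, flags single-cardinality roles with more than one effective holder. The area names, user ids, role ids and the tuple layout are constructed assumptions.

```python
# Constructed sample data: area names, user ids and role ids are hypothetical,
# and the tuple layout is not an export format produced by RTC.
PARENT = {"Project": None, "Dev Team": "Project", "Legal Team": "Dev Team"}
ASSIGNMENTS = [  # (process area, user, role) as transcribed from a report
    ("Project", "alice", "legal-approver"),
    ("Legal Team", "bob", "legal-approver"),
    ("Dev Team", "carol", "team-member"),
    ("Dev Team", "dave", "legal-approver"),
]
APPROVED = {"legal-approver": {"alice", "bob"}}  # who may hold the role
SINGLE = {"legal-approver"}                      # roles marked "Cardinality Single"


def ancestors(area):
    """Yield the area itself and every parent up to the project area."""
    while area is not None:
        yield area
        area = PARENT[area]


def effective_holders(area, role):
    """Users holding `role` in `area`, counting roles inherited from parents."""
    chain = set(ancestors(area))
    return {u for a, u, r in ASSIGNMENTS if r == role and a in chain}


def unapproved():
    """Assignments of a restricted role to someone not on its approved list."""
    return sorted((a, u, r) for a, u, r in ASSIGNMENTS
                  if r in APPROVED and u not in APPROVED[r])


def cardinality_violations():
    """Areas where a single-cardinality role has several effective holders."""
    out = {}
    for area in PARENT:
        for role in SINGLE:
            holders = effective_holders(area, role)
            if len(holders) > 1:
                out[(area, role)] = sorted(holders)
    return out


if __name__ == "__main__":
    for area, user, role in unapproved():
        print(f"UNAPPROVED  {user} holds {role} in {area}")
    for (area, role), users in cardinality_violations().items():
        print(f"CARDINALITY {role} in {area}: {', '.join(users)}")
```

Since the tool itself does not enforce either rule, a check like this only detects exceptions after the fact and needs to be rerun whenever membership changes.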

