V Niranjan (75●3●8●32) | asked Aug 07 '12, 1:35 a.m.
We have a customer who needs to set up permissions at the JazzProjectAdmin level.
For example, let's say there is a user (USERA) who is a part of the JazzProjectAdmin group and is authorized to administer PROJECTA.
If there is another project area, PROJECTB, the user (USERA) is able to view the data of this project even though this user is not a part of this project. This is something which the customer does not want and considers a breach.
The customer understands that there are permissions which can be set up at the project level.
Is there a way to set it up so that a user who is a part of the JazzProjectAdmin repository group is not able to view the data of some other project which he is not a part of?
Jared Burns (4.4k●1●9) | answered Aug 07 '12, 7:43 p.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
The assertion that JazzProjectAdmins can read all project areas is mistaken. Only users in the JazzAdmins repository group have elevated read permissions.
You should work with your customer to understand why their USERA is able to access PROJECTB.
The answer will be one of the following. Either:
- PROJECTB's visibility is set to "Everyone"
- PROJECTB's visibility is set to "Members of the project area hierarchy" and USERA is a member
- PROJECTB's visibility is set to "Users in the access list" and USERA is in the access list
- USERA is a project administrator on PROJECTB
Otherwise, USERA will not be able to access PROJECTB.
Jared Burns selected this answer as the correct answer
2 other answers
Andrew Codrington (169●3●6●32) | answered Aug 07 '12, 10:35 a.m.
JazzProjectAdmin gives very broad permissions.
We've been able to get a lot done by assigning a regular JazzUser as a project administrator at the Project Area level.
E.g., make USERA a project administrator on the Overview tab in Project Area Administration of PROJECTA.
Then you can lock down PROJECTB to restrict USERA's access to whatever level you need.
V Niranjan (75●3●8●32) | answered Aug 09 '12, 3:30 a.m.
I agree with you. Here, the customer actually has one central server for CLM for the entire organization and hence does not want to give JazzProjectAdmin access to multiple people, as they may view other projects' data.