JazzProjectAdmin permissions
Hi
CLM 3.0.1.2.
We have a customer who need's to setup permissions at the JazzProjectAdmin level.
For example Lets say there is a user (USERA) who is a part of the JazzprojectAdmin group and is authorized to administer PROJECTA.
If there is another project area PROJECTB the user (USERA) is able to view the data of this project even though this user is not a part of this project. This is something which the customer does not want and considers it a breach.
The customer understands that there are permissions which can be setup at the project level.
Is there a way to setup that a user who is a part of the JAzzPRojectAdmin repository group is not able to view the data of some other project which he is not a part of it?
Regards
V.Niranjan
CLM 3.0.1.2.
We have a customer who need's to setup permissions at the JazzProjectAdmin level.
For example Lets say there is a user (USERA) who is a part of the JazzprojectAdmin group and is authorized to administer PROJECTA.
If there is another project area PROJECTB the user (USERA) is able to view the data of this project even though this user is not a part of this project. This is something which the customer does not want and considers it a breach.
The customer understands that there are permissions which can be setup at the project level.
Is there a way to setup that a user who is a part of the JAzzPRojectAdmin repository group is not able to view the data of some other project which he is not a part of it?
Regards
V.Niranjan
Accepted answer
The assertion that JazzProjectAdmins can read all project areas is mistaken. Only users in the JazzAdmins repository group have elevated read permissions.
You should work with your customer to understand why their USERA is able to access PROJECTB.
The answer will be one of the following. Either:
- PROJECTB's visibility is set to "Everyone"
- PROJECTB's visibility is set to "Members of the project area hierarchy" and USERA is a member
- PROJECTB's visibility is set to "Users in the access list" and USERA is in the access list
- USERA is a project administrator on PROJECTB
Otherwise, USERA will not be able to access PROJECTB.
You should work with your customer to understand why their USERA is able to access PROJECTB.
The answer will be one of the following. Either:
- PROJECTB's visibility is set to "Everyone"
- PROJECTB's visibility is set to "Members of the project area hierarchy" and USERA is a member
- PROJECTB's visibility is set to "Users in the access list" and USERA is in the access list
- USERA is a project administrator on PROJECTB
Otherwise, USERA will not be able to access PROJECTB.
2 other answers
JazzProjectAdmin gives very broad permissions.
We've been able to get a lot done by assigning a regular JazzUser as a project administrator at the Project Area level.
e.g. make USERA a project administrator on the Overview tab in Project Area Administration of PROJECTA.
Then you can lock down PROJECTB to restrict USERA's access to whatever level you need.
We've been able to get a lot done by assigning a regular JazzUser as a project administrator at the Project Area level.
e.g. make USERA a project administrator on the Overview tab in Project Area Administration of PROJECTA.
Then you can lock down PROJECTB to restrict USERA's access to whatever level you need.
Comments
I agree with this answer - JazzProjectAdmin should be assigned only to users who need to be able to create project areas or perform other administrative functions.
Just to be clear, JazzProjectAdmins have the following additional permissions over a JazzUser: 1. They can create project areas. 2. They can edit process templates. 3. They can modify any project area they have access to, regardless of what the role-based permissions say.
1 vote