Question regarding roles and permissions
We began our project area using the Eclipse Way Process and have done some customization, including the addition of new roles. Now, we'd like to assign permissions to those roles and take away permissions from the "Everyone" role. When we do this, we don't get the desired results.
Here is the scenario:
1. My teammate created the project area.
2. His id appears in the "Members" list on the project area page.
3. He created the teams.
4. He assigned me the "TechPM" role (one of our new roles) and added me to a couple of the team areas. My ID is not in the "Members" list on the project area page.
5. He changed the Project Configuration Permissions to allow only the TechPM role to "Save Project Area".
6. I updated the description on the Project Area page and tried to save it.
7. I get a "Permission Denied" error.
We have played around and see that if he puts me in the "Members" section on the Project Area page with the TechPM role, then I can save the Project Area.
I don't understand why that is necessary. The text on the Project Configuration Permissions page says that "A user can perform all actions granted to any of their assigned roles." To me, this implies that if I am assigned a role in any team, then I have the ability to do the actions that role can do.
What am I missing?
One answer
Hi, Karen.
Role assignments in Jazz are inherited down the team area hierarchy, but
not up it.
So if you are assigned a role like "project manager" in the project
area, you will be considered a project manager in all team areas. But if
some leaf team area declares that you are a "project manager", you don't
suddenly gain escalated privileges through the entire project: you would
only be considered a project manager for that team and any sub-teams.
If you're interested, you can read all about the gory details of
permission lookup on these wiki pages:
https://jazz.net/wiki/bin/view/Main/ProcessPermissionsLookup
https://jazz.net/wiki/bin/view/Main/ProcessBehaviorLookup
Jared Burns
Jazz Process Team
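The lookup rule described in the answer above, as an added example that is not part of the original thread and is not Jazz's own code: a simplified Python model in which a role assigned in an area is in effect for that area and its descendants only. The area names, the user id `user1`, and the `Area`, `effective_roles` and `is_permitted` helpers are assumptions made for illustration.

```python
# Simplified model of downward-only role inheritance (illustration only,
# not Jazz's lookup code). Area names and the user id are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Area:
    name: str
    parent: Optional["Area"] = None
    # user id -> roles assigned directly in this area's Members list
    members: Dict[str, Set[str]] = field(default_factory=dict)

    def assign(self, user: str, role: str) -> None:
        self.members.setdefault(user, set()).add(role)


def effective_roles(user: str, area: Area) -> Set[str]:
    """Roles in effect at `area`: assigned here or in any ancestor, never a descendant."""
    roles = {"Everyone"}  # assumption: every user implicitly holds this role
    node: Optional[Area] = area
    while node is not None:
        roles |= node.members.get(user, set())
        node = node.parent
    return roles


def is_permitted(user: str, action: str, area: Area, grants: Dict[str, Set[str]]) -> bool:
    """A user may perform `action` if any role in effect at `area` grants it."""
    return any(action in grants.get(r, set()) for r in effective_roles(user, area))


# Step 5 of the question: only TechPM may "Save Project Area".
GRANTS = {"TechPM": {"Save Project Area"}, "Everyone": set()}


def build_scenario():
    project = Area("Project Area")
    team_a = Area("Team A", parent=project)
    sub_a = Area("Team A / Sub-team", parent=team_a)
    team_b = Area("Team B", parent=project)
    team_a.assign("user1", "TechPM")  # step 4: role given in a team area only
    return project, team_a, sub_a, team_b


if __name__ == "__main__":
    project, team_a, sub_a, team_b = build_scenario()
    print(is_permitted("user1", "Save Project Area", project, GRANTS))  # False
    project.assign("user1", "TechPM")  # added to the project-area Members list
    print(is_permitted("user1", "Save Project Area", project, GRANTS))  # True
```

The same walk can be used to audit a role model: listing `effective_roles` for each area shows exactly where a team-level assignment applies and confirms it does not reach sibling teams or the project area.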