Using the Work Item Access Restriction feature in Rational Team Concert

Since I started working with customers on RTC four years ago, I have been confronted with a particular request: restrict access to some data based on the user profile. Actually, early drops of RTC were very permissive, giving read access to all data once you were connected to the Jazz Team Server.

Even if the concept of transparency is a key point in the Jazz vision, in practice transparency doesn’t mean permissiveness for our customers. They need to be able to restrict access to some data, mainly for contractual reasons: they work on different projects with different contractors, so they are not allowed to share data between projects or contractors, even if the data are stored on the same Jazz Team Server.

Release 2.0 of RTC provided a first level of access control: read access can be configured separately for each project area. Users without read access to a project area are unable to see the project area, or any of the artifacts it contains (team areas, work items, streams, source code, change sets, build results, etc.).

Release 3.0 improves the granularity to the level of individual work items: inside the same project area, you are able to control the read access of your work items. This enhancement request pops up frequently, for example, in organizations having to deal with subcontractors. Many customers would like some work items in a project area to be visible to all the project members, while restricting access to other work items in the same project area to a subset of members or subcontractors.

Release 3.0.1 improves the granularity even further. You can now control read access to work items based on the team that the work item is associated with. This association is determined based on the Filed Against attribute. If enabled, only members of the associated team get access to the work item.

In this article, we describe how to enable this new feature: the Work Item Access Restriction feature.

Note: Depending on your project setup, setting work item access control can be different. We distinguish between a setup where you are not using teams and a setup where you are using teams. Only when you are using teams can the Filed Against attribute be used to determine access control.

Setup (Project without Teams)

The current implementation of the Work Item Access Restriction feature is based on Project-level membership: you restrict the access of a project area work item to the users listed in another project area.

Let us assume the following use case: we have two subcontractors working for two different companies, and we would like to be able to restrict access to some work items to the corresponding subcontractor.

To achieve that, in addition to the main project area, we must create one project area per subcontractor. Each of these project areas will:

  1. Declare the subset of users you want to be able to restrict work item access for:

     (Screenshot: Subcontractor A membership)

  2. Set the Project Area access control to, at least, the Members of the project area hierarchy:

At this point we should obtain this kind of Team Organization per project area:


Setup (Project with Teams)

Please follow the same advice as in Setup (Project without Teams) before reading on. It is mandatory to first enable project area read access control before working with the team area read access control.

From the Web UI

Using read access control for work items with teams requires at least one team to be created for your project area. In the example below, we have created a team Business Recovery Matters as part of the JKE Banking project area and added some team members. Only members of the team will get access to a specific set of work items based on the Filed Against association.

Next, open the Categories tab of the project area editor to configure read access control. This editor allows you to associate Categories with Teams. A new column, Restrict Work Item Access, was introduced in RTC 3.0.1. As soon as this feature is enabled for a specific category, only members of the associated team will be able to access the work item. The screenshot below shows restricted work item access for the category BRM, which is associated with the Business Recovery Matters team. As soon as a work item is Filed Against this category, only the members of the Business Recovery Matters team will be able to access it. All existing work items that are filed against this category are updated to be accessible only to this team as soon as the categories editor is saved.

From the Eclipse RTC Client

The Eclipse RTC Client offers the same configuration as the Web UI from the project area editor.

Set the Work Item Access Restriction (Project without Teams)

It is time to create a work item and set the associated access restriction. As suggested in the use case, we want to restrict the access of a work item to the members of the “Subcontractor A membership” project area.

From the Eclipse RTC client

From the Work Item to restrict, we open the context menu and select the new menu item labeled Restricted Access…:


It opens the Restricted Access dialog where we will be able to select the project area membership we want to restrict to:


Later on, if somebody who has no access to the project area named “Subcontractor A membership” tries to reach this work item, the access will be denied.


Furthermore, this work item will never appear in any query result of this user:


On the other hand, any user declared in the project area named “Subcontractor A membership” will be able to run the same query and see and access the restricted work item:


From the Web UI

Out of the box, it is not possible to restrict access to a Work Item from the Web UI. The Web UI doesn’t provide a context menu attached to the Work Item editor to set it, as the Eclipse client does.

The fact that we cannot set the restriction from the Web UI doesn’t mean that we can access restricted work items there. A work item restricted in the Eclipse client remains inaccessible from the Web UI if we are not allowed to reach it; we are simply unable to set or change this restriction ourselves from the Web UI.



Now, if you want to be able to restrict access to a Work Item from the Web UI, this can easily be implemented by customizing the Work Item presentation and adding a new field for the attribute named “Restricted Access”:

Once the presentation has been changed and saved, you can edit a Work Item from the Web UI and set the “Restricted Access”:


Set the Work Item Access Restriction (Project with Teams)

There is not much explanation necessary here. Simply set the work item’s Filed Against value to a category that is enabled for restricted access and RTC will do the rest.
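
Both restriction modes described in this article can be checked with a small visibility audit. The following is an added example, not RTC code and not part of the original article: it models the rules as stated above and compares them with the work item ids each test user actually sees when running the same query. The user names, the “Subcontractor B membership” area and the rule that an explicit restriction is checked before the category are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data based on the article's use case. User names and
# "Subcontractor B membership" are hypothetical.
MAIN_MEMBERS = {"alice", "bob", "carol", "dave"}   # read access to the main project area
AREA_MEMBERS = {"Subcontractor A membership": {"bob"},
                "Subcontractor B membership": {"carol"}}
TEAM_MEMBERS = {"Business Recovery Matters": {"dave"}}
# category -> (associated team, "Restrict Work Item Access" enabled)
CATEGORIES = {"BRM": ("Business Recovery Matters", True), "General": (None, False)}

@dataclass
class WorkItem:
    id: int
    filed_against: str
    restricted_to: Optional[str] = None   # value of the "Restricted Access" attribute

ITEMS = [WorkItem(1, "General"),
         WorkItem(2, "General", "Subcontractor A membership"),
         WorkItem(3, "General", "Subcontractor B membership"),
         WorkItem(4, "BRM")]

def can_read(user, wi):
    if user not in MAIN_MEMBERS:          # project area read access comes first
        return False
    if wi.restricted_to is not None:      # setup without teams (assumed to take precedence)
        return user in AREA_MEMBERS[wi.restricted_to]
    team, restricted = CATEGORIES[wi.filed_against]
    if restricted:                        # setup with teams (Filed Against)
        return user in TEAM_MEMBERS[team]
    return True

def expected_matrix(items):
    """Work item ids each member of the main project area should see."""
    return {u: {wi.id for wi in items if can_read(u, wi)} for u in sorted(MAIN_MEMBERS)}

def audit(observed, items):
    """Compare the ids each test user actually saw with the expected matrix."""
    findings = []
    for user, expected in expected_matrix(items).items():
        seen = observed.get(user, set())
        findings += [(user, i, "leak") for i in sorted(seen - expected)]
        findings += [(user, i, "missing") for i in sorted(expected - seen)]
    return findings

if __name__ == "__main__":
    # Constructed query results, as if collected by running the same query as each user.
    observed = {"alice": {1}, "bob": {1, 2}, "carol": {1, 2, 3}, "dave": {1}}
    for finding in audit(observed, ITEMS):
        print(finding)
```

A "leak" finding means a user saw a work item the configuration should hide; a "missing" finding usually points to a team or project area membership that was not set up.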

Conclusion

This document described how to set up and use the Work Item Access Restriction feature. It explained how to set your environment to be able to use this feature. It described how to provide this capability at the Web UI level. We hope that it helped you understand this new interesting and useful feature.

