Administering roles and permissions

Understanding roles and permissions

Users must have permissions assigned to allow them to do anything on the site. Permissions are a combination of the actions that can be performed and the resources upon which they can be used. Actions include activities like reading, writing, editing, deleting, creating and suggesting. Resources can be anything from projects to users; any item that is added to the project is a resource.

When choosing what permission to grant to users it is important to keep in mind the minimum rights the user needs. For instance, if you want a user to be able to suggest a project document to the administrator for approval, you should grant the user ProjectDocument - Suggest permission but not the ProjectDocument - Approve permission. Likewise, if you would like a user to be able to view their own profile without being able to change it, you should grant them the User - View - Self permission but not the User - Edit - Self permission. For a full list of permissions with descriptions see Actions and Permissions.

Every user on this site is able to access features and conduct activities based upon roles the user has been granted. There are two kinds of roles:

Roles are either assigned to users through membership in a project, or through association with project groups or user groups. All roles have a default set of permissions associated with them. These permissions govern the users' ability to conduct certain actions on this site.

As Domain Administrator, you can:

You can also tailor roles and permissions for sets of users by creating user groups, and for sets of projects by making project groups. For more information about this, see Creating and editing project groups and Creating and editing user groups.

Editing user role assignments

The fields and options on the Edit User page enable you to view and change the individual user's role assignments.

Group Memberships
The user's affiliations with any user groups or project categories in this domain are listed here. User groups and project groups are created and configured by you as the Domain Administrator. See Creating and editing project groups and Creating and editing user groups for more information.
Domain-wide Roles
Domain roles assigned or conferred to the user are listed here. These are generalized roles that permit the user to view site pages and conduct site actions not associated with specific projects. See the earlier Understanding roles and permissions section.
Roles in domain's public projects
Every public project hosted on this domain is automatically part of the default project group labeled (not surprisingly) "All public projects." Any roles the user holds in such projects are flagged here. See Creating and editing project groups for more information.
Submit Changes
This button submits any modifications to the individual user account made in the fields above. Modifications to the user's roles are separate actions.
Project Roles
Roles the user holds that are associated with specific projects are listed here, grouped by project name. Project names link to project home pages. This list includes both open source and private, proprietary projects. See the Understanding roles and permissions section for a more comprehensive discussion of roles.
Detailed Role Info
These links lead to secondary screens with more detailed role information associated with the current user:
  • Direct and derived roles displays two different sets of roles held by the user. Direct roles are those roles expressly assigned to the user. For example, the user requested and was approved for a certain role in a project. Derived roles are roles conferred to this user because she/he is a member of a project specifically associated with a project group's set of roles, or belongs to a user group assigned a unique set of roles.
  • Details of permissions displays a screen rather unceremoniously entitled Permission Dump because it tabulates literally every single permission the user holds in your domain.

Note that when individual users are part of particular project groups or user groups, you can assign attributes and modify multiple user accounts associated with those groups by using the Project Group Edit or User Group Edit screens. See Creating and editing project groups and Creating and editing user groups for more information.
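
The direct and derived role views described above can be combined with the minimum-rights guidance from Understanding roles and permissions to review what a user effectively holds. The following is an added example, not code from this site: the data model, the role and group names and the conflict policy are assumptions made for illustration, and only the permission names are taken from this page.

```python
from collections import defaultdict

# Role -> permissions it carries. Permission names come from the page;
# the role names are hypothetical.
ROLE_PERMISSIONS = {
    "Contributor": {"ProjectDocument - Suggest", "User - View - Self"},
    "Doc Approver": {"ProjectDocument - Approve"},
    "Profile Editor": {"User - Edit - Self"},
}

# Permission pairs one user should not hold together (constructed policy).
CONFLICTS = [("ProjectDocument - Suggest", "ProjectDocument - Approve")]


def effective_permissions(direct_roles, group_roles, memberships):
    """Return {permission: sorted list of sources} for one user.

    direct_roles: roles expressly assigned to the user.
    group_roles:  {group name: [roles the group confers]}.
    memberships:  groups the user belongs to.
    """
    sources = defaultdict(set)
    for role in direct_roles:
        for perm in ROLE_PERMISSIONS[role]:
            sources[perm].add(f"direct:{role}")
    for group in memberships:
        for role in group_roles.get(group, []):
            for perm in ROLE_PERMISSIONS[role]:
                sources[perm].add(f"derived:{group}/{role}")
    return {perm: sorted(src) for perm, src in sources.items()}


def conflicts(perms):
    """List conflicting pairs the user holds, with the source of each side."""
    return [(a, perms[a], b, perms[b]) for a, b in CONFLICTS if a in perms and b in perms]


def derived_only(perms):
    """Permissions the user holds only through group membership."""
    return sorted(p for p, src in perms.items() if all(s.startswith("derived:") for s in src))


# Constructed sample: one direct role plus one role conferred by a user group.
SAMPLE = effective_permissions(
    direct_roles=["Contributor"],
    group_roles={"Release Team": ["Doc Approver"]},
    memberships=["Release Team"],
)
```

In the sample, the user can both suggest and approve project documents even though the approve permission was never assigned directly; it arrives through the group.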

Other operations: Delete User
This link removes the current user account. A confirmation message prompts you for verification before this action is completed.

Editing roles

This site features a set of default roles that you may view using the Administer Roles link in the "Admin Options" of your Start Page. This displays the Role List page with all site roles listed as either domain or project-level. A brief description of each role is included.

To view a list of individual permissions associated with a role, click on the role name link in the Role List page. Each permission listed on the Editing Role page is characterized by both the site resource and site action that it enables, for example "Project - Suggest" or "Version Control - Update." The far right "Resource(s)" column defines in which site resources each permission is effective. The default is for each permission to apply to all available resources.

As domain administrator, you have the option to modify the default roles for the site by changing the permissions associated with them as needed. Placing a check mark in the boxes next to a permission removes this permission from the role.

If you wish to add permissions to a role, click the Add New Permission link at the top of the Editing Role page. This screen gives you a list of all available permissions. To add permissions, place check marks in the appropriate boxes.

In addition to editing roles by adding and removing permissions, you can modify or limit which resources the permissions associated with that role will apply to. The resource section on the Add Permission to Role page lets you determine to which site resources to allocate the role's new permissions.

After you have selected the permissions to add and determined the site resources to apply these to, click the Add Permissions button.

See the section on Viewing and adding resources for more information about site resources.

Adding roles

You have the option to create custom roles and assign the appropriate permissions to them to meet the needs of your site and/or projects within your domain. You should take some time to plan the scope of any new role you create before beginning the creation process. You can create roles for the Host, Domain, or Projects. Host roles enable associated user actions across all domains. Domain roles enable associated user actions across the site. Project roles enable associated user actions within the projects only. You can create roles that are specific to one or more particular projects or associate the roles across all projects.

  1. To add new roles, select Roles from the Admin Options menu to access the Role List page.
  2. Click the "Add New Role" link in either the host, domain or project section. Depending upon which link you click, this displays either the Add Host Role, Add Domain Role or Add Project Role page. You can switch between these pages using the links at the top of this page.
  3. (Applies only to Project Role.) Select the visibility of the role. This determines at what level the project role can be seen. Selecting the Host level will make the role visible at all levels of the site. Selecting the Domain level restricts the visibility to the domain and project level, while the Project level will make the role only viewable at the project level.
  4. Enter a name and a description of the role. The role name can be up to 99 characters in length and cannot include a period (.).
  5. Select the level of functionality required for this role. Each functional item controls the level of access for the role.
    • The first item, when checked, prevents a user with this role in a project from having the same role in subprojects. For example, when it is selected, a user with the Project Owner role in the "Games" project cannot have the Project Owner role in the "Dominos" subproject.
    • The second item, when selected, grants users with this role "ownership" of functions within the project. Owners receive administrative email pertaining to the function of which they have ownership.
    • The third item, when selected, grants the role to users who create new projects.
    • The fourth item, when selected, makes the role requestable by users on the site. If this item is not selected, the role must be assigned by an administrator or a project owner.
  6. To assign permissions to the role you can either clone an existing role by selecting a role from the drop down menu or you can assign specific permissions to the role. To assign specific permissions, click the check box under the Add field by the name of the permission you desire.
  7. Click the Create Role button. Use this feature with extreme caution! Assigning permissions to roles may have security implications.

About resources and actions

Resources are all of the different elements used in this site including tools, content, projects, and web pages. User roles and permissions on this site are defined by the specific resources they apply to. For example, each of these permissions -- "Mailing List - View," "Project - Suggest," "Version Control - Commit" -- is comprised of a certain resource on this site and the action being permitted within that resource. In these three examples, the resources are, respectively: mailing list, project, and version control.

Resources are described on this site using regular expressions. Thus, the pattern or regular expression meaning all available resources is ".*".

You can view a complete list of all available resources on this site by clicking the Resource List link at the top of the Editing Role page. The default items in the Resource List page are "All available resources (.*)" and "All web pages (/www/.*)". Clicking on the resource link displays the Edit Resource screen, which shows a short identifying description and the pattern that represents the resource as a regular expression.

As the domain administrator, you can also create new resources and define them using the Add New Resource link at the top of the Editing Role page. This is a powerful and flexible administrative feature. For example, you might decide that you want to create new user roles with permissions that only apply to certain types of files. If these were Java files, you could define that as a resource using the regular expression "*.java". Then you could either create new roles or modify existing roles by adding permissions defined with this "*.java" resource. Your newly created resource automatically appears in the Add Permission to Role page. When you grant these roles to users, their permissions are limited to Java files only.
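
Because a resource pattern decides where a permission applies, it is worth testing a new pattern against known paths before attaching it to a role. The following is an added example, not code from this site: it uses Python's re module, assumes a pattern must match the whole resource path (the page does not state the site's matching rules), and uses constructed paths. Python rejects the literal string "*.java" as a regular expression, so the example spells the Java-files resource as ".*\.java".

```python
import re

# The two default patterns quoted on the page, plus an escaped spelling of the
# page's Java-files example (this spelling is the example's assumption).
ALL_RESOURCES = r".*"
ALL_WEB_PAGES = r"/www/.*"
JAVA_FILES = r".*\.java"


def compile_resource(pattern):
    """Compile a resource pattern, returning None if it is not a valid regex."""
    try:
        return re.compile(pattern)
    except re.error:
        return None


def covers(pattern, resource, anchored=True):
    """True if the pattern covers the resource path.

    anchored=True requires the whole path to match (assumed semantics);
    anchored=False shows what an unanchored search would also let through.
    """
    rx = compile_resource(pattern)
    if rx is None:
        return False  # fail closed on an invalid pattern
    return bool(rx.fullmatch(resource) if anchored else rx.search(resource))


def audit(pattern, resources):
    """Split resources into those the pattern covers and those it does not."""
    hit = [r for r in resources if covers(pattern, r)]
    return hit, [r for r in resources if r not in hit]


# Constructed resource paths for illustration.
PATHS = ["/www/index.html", "/src/Main.java", "/src/Main.java.bak", "/src/build.xml"]
```

Running audit() over a list of real resource paths shows exactly what a role would gain, and comparing anchored with unanchored matching shows how a pattern meant for Java files can also cover "/src/Main.java.bak".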