• Direct and derived roles displays two different sets roles held by the user. Direct roles are those roles expressly assigned to the user. For example, the user requested and was approved for a certain role in a project. Derived roles are roles conferred to this user because she/he is a member of a project specifically associated with a project group's set of roles, or belongs to a user group assigned a unique set of roles.

• Details of permissions displays a screen rather unceremoniously entitled Permission Dump because it tabulates literally every single permission the user holds in your domain.

This site features a set of default roles that you may view using the Administer Roles link in the "Admin Options" of your Start Page. This displays the Role List page with all site roles listed as either domain or project-level. A brief description of each role is included.

To view a list of individual permissions associated with this role, click on the role name link in the Role List page. Each permission listed on the Editing Role page is characterized by both the site resource and site action that it enables, i.e. "Project - Suggest" or "Version Control - Update." The far right "Resource(s)" column defines in which site resources each permission is effective. The default is for each permission to apply to all available resources.

As domain administrator, you have the option to modify this site's pre-packaged roles by changing the permissions associated with them as needed. Placing a check mark in the boxes next to a permission removes this permission from the role.

If you wish to add permissions to a role, click the Add New Permission link at the top of the Editing Role page. This screen gives you a list of all available permissions. To add permissions, place check marks in the appropriate boxes.

In addition to editing roles by adding and removing permissions, you can modify or limit which resources the permissions associated with that role will apply to. The resource section at the bottom of the Add Permission to Role page lets you determine in which site resources to allocate the role's new permissions.

• Selecting "All available resources .*" applies the selected permissions for this role universally to all site resources available to this role, including both web content and source code.

• Choosing "All web pages /www/.*" limits the selected permission for this role specifically to web pages. This means the scope of these permissions does not pertain to any source code level access, but only to web page content. For example, assigning the "Version Control - Commit" permission to a role and designating "All web pages /www/.*" as the resource results in users with this role only being able to check out and commit web page content, not project source code.

See the section on Viewing and adding resources for more information about site resources.

If your site has special requirements that none of the default roles meet, you can also create custom roles and assign the appropriate permissions to them. To do this, in the Role List page click the "Add New Role" link in either the domain or project section, depending upon the type of role you want to create. Depending upon which one you click, this displays either the Add Domain Role or Add Project Role page. You can switch between these pages using the links at the top of this page.

You must determine what you want the scope of your newly created role to be. If you want to create a role that enables certain user actions universally across the site, add the new role as a domain role. If you want to create a role with permissions that are not universally enabled across this site, you should add the new role as a project role. When project roles are assigned, their associated permissions are granted to the user only within that project.

The Add Domain Role and Add Project Role pages list every permission/action available at that level. Use this feature with extreme caution! Assigning permissions to roles may have security implications.

Resources are all of the different elements used in this site including tools, content, projects, and web pages. User roles and permissions on this site are defined by the specific resources they apply to. For example, each of these permissions -- "Mailing List - View," "Project - Suggest," "Version Control - Commit" -- is comprised of a certain resource on this site and the action being permitted within that resource. In these three examples, the resources are, respectively: mailing list, project, and version control.

Resources are described on this site using regular expressions. Thus, the pattern or regular expression meaning all available resources is ".*".

You can view a complete list of all available resources on this site by clicking the Resource List link at the top of the Editing Role page. The default items in the Resource List page are "All available resources (.*)" and "All web pages (/www/.*)". Clicking on the resource link displays the Edit Resource screen where there is short, identifying description and the pattern that represents the resource as a regular expression.

As the domain administrator, you can also create new resources and define them using the Add New Resource link at the top of the Editing Role page. This is a powerful and flexible administrative feature. For example, you might decide that you want to create new user roles with permissions that only apply to certain types of files. If these were java files, you could define that as a resource using the regular expression "*.java". Then you could either create new roles or modify existing roles by adding permissions defined with this "*.java" resource. Your newly created resource automatically appears in the Add Permission to Role page. When you grant these roles to users, their permissions are limited to java files only.