Users must have permissions assigned to allow them to do anything on the site. Permissions are a combination of the actions that can be performed and the resources upon which they can be used. Actions include activities like reading, writing, editing, deleting, creating and suggesting. Resources can be anything from projects to users; any item that is added to the project is a resource.
When choosing what permission to grant to users it is important to keep in mind the minimum rights the user needs. For instance, if you want a user to be able to suggest a project document to the administrator for approval, you should grant the user ProjectDocument - Suggest permission but not the ProjectDocument - Approve permission. Likewise, if you would like a user to be able to view their own profile without being able to change it, you should grant them the User - View - Self permission but not the User - Edit - Self permission. For a full list of permissions with descriptions see Actions and Permissions.
Every user on this site is able to access features and conduct activities based upon roles the user has been granted. There are two kinds of roles:
Roles are either assigned to users through membership in a project, or through association with project groups or user groups. All roles have a default set of permissions associated with them. These permissions govern the users' ability to conduct certain actions on this site.
As Domain Administrator, you can:
You can also tailor roles and permissions for sets of users by creating user groups, and for sets of projects by making project groups. For more information about this, see Creating and editing project groups and Creating and editing user groups.
The fields and options on the Edit User page enable you to view and change the individual user's role assignments.
Note that when individual users are part of particular project groups or user groups, you can assign attributes and modify multiple user accounts associated with those groups by using the Project Group Edit or User Group Edit screens. See Creating and editing project groups and Creating and editing user groups for more information.
This site features a set of default roles that you may view using the Administer Roles link in the "Admin Options" of your Start Page. This displays the Role List page with all site roles listed as either domain or project-level. A brief description of each role is included.
To view a list of individual permissions associated with this role, click on the role name link in the Role List page. Each permission listed on the Editing Role page is characterized by both the site resource and site action that it enables, i.e. "Project - Suggest" or "Version Control - Update." The far right "Resource(s)" column defines in which site resources each permission is effective. The default is for each permission to apply to all available resources.
As domain administrator, you have the option to modify the default roles for the site by changing the permissions associated with them as needed. Placing a check mark in the boxes next to a permission removes this permission from the role.
If you wish to add permissions to a role, click the Add New Permission link at the top of the Editing Role page. This screen gives you a list of all available permissions. To add permissions, place check marks in the appropriate boxes.
In addition to editing roles by adding and removing permissions, you can modify or limit which resources the permissions associated with that role will apply to. The resource section on the Add Permission to Role page lets you determine to which site resources to allocate the role's new permissions.
After you have selected the permissions to add and determined the site resources to apply these to, click the Add Permissions button.
See the section on Viewing and adding resources for more information about site resources.
You have the option to create custom roles and assign the appropriate permissions to them to meet the needs of your site and/or projects within your domain. You should take some time to plan the scope of any new role you create before beginning the creation process. You can create roles for the Host, Domain, or Projects. Host roles enable ssociated user actions across all domains. Domain roles enable associated user actions across the site. Project roles enable associated user actions within the projects only. You can create roles that are specific to one or more particular projects or associate the roles across all projects.
Click the Create Role button. Use this feature with extreme caution! Assigning permissions to roles may have security implications.
Resources are all of the different elements used in this site including tools, content, projects, and web pages. User roles and permissions on this site are defined by the specific resources they apply to. For example, each of these permissions -- "Mailing List - View," "Project - Suggest," "Version Control - Commit" -- is comprised of a certain resource on this site and the action being permitted within that resource. In these three examples, the resources are, respectively: mailing list, project, and version control.
Resources are described on this site using regular expressions. Thus, the pattern or regular expression meaning all available resources is ".*".
As the domain administrator, you can view existing resources by clicking the Resources link in the Administration menu. The default items in the Resource List page are "All available resources (.*)" and "All web pages (/www/.*)". Clicking on the resource link displays the Edit Resource screen where there is short, identifying description and the pattern that represents the resource as a regular expression.
You can also create new resources to increase your ability to control user access. For example, you might decide that you want to create new user roles with permissions that only apply to certain types of files. If these were java files, you could define that as a resource using the regular expression "*.java". Then you could either create new roles or modify existing roles by adding permissions defined with this "*.java" resource. When you grant these roles to users, their permissions are limited to java files only.