Feature #66612: Reworked permissions: "create project", "create

Updated by Jens Ulferts 20 days ago

**As** a user
**I want to** understand, easily administrate and flexibly grant permissions to create and change workspaces (project, program & portfolio)
**so that** the permissions are granted correctly and as restricted as possible without wrongfully interrupting work.

**Context:**

There are currently a number of permissions already in place:

* create project (global)

* copy projects

* create subprojects

Limitations on the current structure is discussed in <mention class="mention" data-id="60623" data-type="work_package" data-text="#60623">#60623</mention> . #63544 suggests to add the global permissions "Manage project hierarchies" and "Create project hierarchies" and turn "Copy projects" into a global permission.

The two WPs mentioned above where created before programs and portfolios where thought about.  

**Acceptance criteria**

The following table lists the permissions that are either added or already exist

<figure class="table op-uc-figure_align-center op-uc-figure"><table class="op-uc-table"><tbody><tr class="op-uc-table--row"><td class="op-uc-table--cell">Permission</td><td class="op-uc-table--cell">Global</td><td class="op-uc-table--cell">Previous permission, changed or added</td><td class="op-uc-table--cell">Explanation</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Create projects</td><td class="op-uc-table--cell">✅ </td><td class="op-uc-table--cell">Existed before (unchanged)</td><td class="op-uc-table--cell">Allows the creation of workspace of the type "project"</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Create programs</td><td class="op-uc-table--cell">✅ </td><td class="op-uc-table--cell">Added</td><td class="op-uc-table--cell">Allows the creation of workspace of the type "program"</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Create portfolio</td><td class="op-uc-table--cell">✅ </td><td class="op-uc-table--cell">Added</td><td class="op-uc-table--cell">Allows the creation of workspace of the type "portfolio"</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Manage children</td><td class="op-uc-table--cell"> </td><td class="op-uc-table--cell">Replaces "Create subprojects"</td><td class="op-uc-table--cell">The permission allows selecting a child workspace to the workspace the permission is granted in. It no longer allows the creation of new workspaces.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Copy workspace</td><td class="op-uc-table--cell"> </td><td class="op-uc-table--cell">Replaces "Copy projects"</td><td class="op-uc-table--cell">Users will need any of "Create projects", "Create programs" or "Create portfolio" to actually copy a workspace. That way, the creation of projects is more tightly controlled. On the other hand, this might be complicated for users to understand.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Copy project templates</td><td class="op-uc-table--cell">✅ </td><td class="op-uc-table--cell">Added</td><td class="op-uc-table--cell">Allows copying project templates. Adding this permission separately, on top of "Create projects" allows to better support use cases where all projects should be based on a template.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Copy program templates</td><td class="op-uc-table--cell">✅ </td><td class="op-uc-table--cell">Added</td><td class="op-uc-table--cell">Allows copying program templates. Adding this permission separately, on top of "Create programs" allows to better support use cases where all programs should be based on a template.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Copy portfolio templates</td><td class="op-uc-table--cell">✅ </td><td class="op-uc-table--cell">Added</td><td class="op-uc-table--cell">Allows copying portfolio templates. Adding this permission separately, on top of "Create portfolios" allows to better support use cases where all portfolios should be based on a template.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Manage templates</td><td class="op-uc-table--cell">✅ </td><td class="op-uc-table--cell">Added</td><td class="op-uc-table--cell">Allows turning a workspace into a template and removing ~~suggests~~ the workspace from the set of templates.Potentially, this also needs to be separated into three different permissions, one per workspace type.Adding this permission might be out of scope as it is not strictly necessary for the epic.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Edit workspace</td><td class="op-uc-table--cell"> </td><td class="op-uc-table--cell">"Edit project" permission is renamed and changed </td><td class="op-uc-table--cell">Looses ability to manage parent</td></tr></tbody></table></figure> ~~permissions:~~

The following table lists use cases and the necessary permissions for them. Sometimes, global and workspace permissions are required at the same time:

<figure class="table op-uc-figure_align-center op-uc-figure"><table class="op-uc-table" style="border-color:#dfddd0;border-style:solid;"><tbody><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Use case</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Required global permissions</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Required project permissions</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Remarks</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Add a project (without hierarchy)</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Create projects</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"> </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"> </td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Add a program (without hierarchy)</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Create programs</td><td ~~program</td><td~~ class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"> </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"> </td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Add a portfolio (without hierarchy</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Create portfolios</td><td ~~portfolio</td><td~~ class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"> </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"> </td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Turn a workspace (e.g project) into a child of another workspace (e.g. portfolio) </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"> </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">"Manage children" in the parent project.Any permission in the child project (for visibility)</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">This action could be triggered from the child (current state) or from the parent or from both. </td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Create a workspace (e.g project) as a child of another workspace (e.g. portfolio) </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Create projects/programs</td><td ~~projects/program</td><td~~ class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">"Manage children" in the parent project.Any permission in the child project (for visibility)</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">This is the combination of the permission specifications above. E.g. if a user has both the "Create projects" permission as well as "Manage children" in e.g. a portfolio, a new project can be created with the portfolio as its parent right away.Create portfolio is not listed as a required global permission as a portfolio cannot be a child.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Copy a workspace (not a template)</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">create projects/portfolios/programs</td><td ~~projects/portfolio/program</td><td~~ class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">"Copy workspace" in the workspace to be copied.</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Workspaces in which the user has "Copy workspace" permission can not be copied. This is for the following reason:  This is risky as it allows privilege escalation - The user will suddenly e.g. see work packages by copying them to which they potentially didn't have access to in the first place. The alternative would be to still require the project permission of copying the workspace the permission is granted in.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Copy a project template</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Copy project template</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"> </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Projects marked as template are completely copyable. It also does not require the "Copy workspace" permission in the copied template project.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Copy a program template</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Copy program template</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"> </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Programs marked as template are completely copyable. It also does not require the "Copy workspace" permission in the copied template program.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Copy a portfolio template</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Copy portfolio template</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"> </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Portfolios marked as template are completely copyable. It also does not require the "Copy workspace" permission in the copied template portfolio.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Turn a workspace into a template</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Manage templates</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Any permission in the project.</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">From #63544 (maybe out of scope) - Projects in which the user has no permission cannot be turned into templates.This is risky as it allows privilege escalation. A user might first turn a workspace into a template, then copy it to potentially gain access to information previously not accessible to them.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Remove a workspace from the set of templates</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Manage templates</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Any permission in the project.</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">From #63544 (maybe out of scope) - Projects in which the user has no permission cannot be removed from the templates.</td></tr></tbody></table></figure>

~~Explanation and thoughts about the permissions~~

* \[open\] Should the currently existing "Project" permission group be separated into sections per type:

<img class="op-uc-image op-uc-image_inline" src="/api/v3/attachments/771225/content"> Create project/program/portfolio

* This permissions is simply for creating a work space of that type.

* The distinction in permissions is necessary as different users (Project Manager vs Portfolio Manager) will create different types of work spaces

 

* \[open\] Seeding and migrations ~~ ~~

**Technical notes**

* 

**Permissions and visibility considerations**

* _To whom is this feature visible?_

* _When is it not visible?_

**Translation considerations**

* _Key terms and phrases in the key languages_

**Out of scope**

* 

_Set the_ **To be informed/consulted teams** _field to include all teams necessary to be informed of the changes._

Back

Side Menu

Content