Feature #66612: Reworked permissions: "create project", "create

Updated by Jens Ulferts 3 days ago

**As** a user
**I want to** understand, easily administrate and flexibly grant permissions to create and change workspaces (project, program & portfolio)
**so that** the permissions are granted correctly and as restricted as possible without wrongfully interrupting work.

**Context:**

There are currently a number of permissions already in place:

* create project (global)

* copy projects

* create subprojects

Limitations on the current structure is discussed in <mention class="mention" data-id="60623" data-type="work_package" data-text="#60623">#60623</mention> . #63544 suggests to add the global permissions "Manage project hierarchies" and "Create project hierarchies" and turn "Copy projects" into a global permission.

The two WPs mentioned above where created before programs and portfolios where thought about.  

**Acceptance criteria**

The following table lists the permissions that are either added or already exist

<figure class="table op-uc-figure_align-center op-uc-figure"><table class="op-uc-table"><tbody><tr class="op-uc-table--row"><td class="op-uc-table--cell">Permission</td><td class="op-uc-table--cell">Global</td><td class="op-uc-table--cell">Previous permission, changed or added</td><td class="op-uc-table--cell">Explanation</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Create projects</td><td class="op-uc-table--cell">✅ </td><td class="op-uc-table--cell">Previous (unchanged)</td><td class="op-uc-table--cell">Allows the creation of workspace of the type "project"</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Create programs</td><td class="op-uc-table--cell">✅ </td><td class="op-uc-table--cell">Added</td><td class="op-uc-table--cell">Allows the creation of workspace of the type "program"</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Create portfolio</td><td class="op-uc-table--cell">✅ </td><td class="op-uc-table--cell">Added</td><td class="op-uc-table--cell">Allows the creation of workspace of the type "portfolio"</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Create project from templates</td><td class="op-uc-table--cell">✅ </td><td class="op-uc-table--cell">Added</td><td class="op-uc-table--cell">Allows copying project templates. Adding this permission separately, on top of "Create projects" allows to better support use cases where all projects should be based on a template.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Create program from templates</td><td class="op-uc-table--cell">✅ </td><td class="op-uc-table--cell">Added</td><td class="op-uc-table--cell">Allows copying program templates. Adding this permission separately, on top of "Create programs" allows to better support use cases where all programs should be based on a template.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Create portfolio from templates</td><td class="op-uc-table--cell">✅ </td><td class="op-uc-table--cell">Added</td><td class="op-uc-table--cell">Allows copying portfolio templates. Adding this permission separately, on top of "Create portfolios" allows to better support use cases where all portfolios should be based on a template.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Manage templates</td><td class="op-uc-table--cell">✅ </td><td class="op-uc-table--cell">Added</td><td class="op-uc-table--cell">Allows turning a workspace into a template and removing the workspace from the set of templates.Potentially, this also needs to be separated into three different permissions, one per workspace type.Adding this permission might be out of scope as it is not strictly necessary for the epic.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Copy workspace</td><td class="op-uc-table--cell"> </td><td class="op-uc-table--cell">Replaces "Copy projects"The dependency on both "edit project" as well as "manage members" is added.</td><td ~~projects"</td><td~~ class="op-uc-table--cell">Users will need any of "Create projects", "Create programs" or "Create portfolio" to actually copy a workspace. That way, the creation of projects is more tightly controlled. On the other hand, this might be complicated for users to understand.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Manage parent</td><td ~~children</td><td~~ class="op-uc-table--cell"> </td><td class="op-uc-table--cell">Replaces "Create subprojects"The dependency on "edit project" is added.</td><td ~~subprojects"</td><td~~ class="op-uc-table--cell">The permission allows selecting the parent ~~a child~~ workspace to the workspace the permission is granted in. It no longer allows the creation of new workspaces.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell">Edit workspace</td><td class="op-uc-table--cell"> </td><td class="op-uc-table--cell">"Edit project" permission is renamed and changed </td><td class="op-uc-table--cell">Looses ability to manage parent</td></tr></tbody></table></figure>

The following table lists use cases and the necessary permissions for them. Sometimes, global and workspace permissions are required at the same time:

<figure class="table op-uc-figure_align-center op-uc-figure"><table class="op-uc-table" style="border-color:#dfddd0;border-style:solid;"><tbody><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Use case</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Required global permissions</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Required project permissions</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Remarks</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Add a project (without hierarchy)</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Create projects</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"> </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"> </td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Add a program (without hierarchy)</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Create programs</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"> </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"> </td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Add a portfolio (without hierarchy</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Create portfolios</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"> </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"> </td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Turn a workspace (e.g project) into a child of another workspace (e.g. portfolio) </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"> </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">"Manage parent" ~~children"~~ in the child ~~parent~~ project.Any permission in the parent ~~child~~ project (for visibility).</td><td ~~visibility)</td><td~~ class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">This action could be triggered from the child (current state) or from the parent or from both. </td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Create a workspace (e.g project) as a child of another workspace (e.g. portfolio) </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Create projects/programs</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">"Manage parent" ~~children"~~ in the newly created ~~parent~~ project.Any permission in the parent ~~child~~ project (for visibility)</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">This is the combination of the permission specifications above. E.g. if a user has both the "Create projects" permission as well as "Manage parent" as the newly created project admin, ~~children" in e.g.~~ a ~~portfolio, a~~ new project can be created with the portfolio as its parent right away.Create portfolio is not listed as a required global permission as a portfolio cannot be a child.The "Create subproject" button in the project administration is only displayed if the role the user will receive in a newly created workspace has the "Manage parent" permission.</td></tr><tr ~~child.</td></tr><tr~~ class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Copy a workspace (not a template)</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">create projects/portfolios/programs</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">"Copy workspace" in the workspace to be copied.</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Workspaces in which the user has "Copy workspace" permission can not be copied. This is for the following reason:  This is risky as it allows privilege escalation - The user will suddenly e.g. see work packages by copying them to which they potentially didn't have access to in the first place. The alternative would be to still require the project permission of copying the workspace the permission is granted in.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Copy a project template</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Create project from templates</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"> </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Projects marked as template are completely copyable. It also does not require the "Copy workspace" permission in the copied template project.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Copy a program template</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Create program from templates</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"> </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Programs marked as template are completely copyable. It also does not require the "Copy workspace" permission in the copied template program.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Copy a portfolio template</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Create project from templates</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"> </td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);">Portfolios marked as template are completely copyable. It also does not require the "Copy workspace" permission in the copied template portfolio.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Turn a workspace into a template</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Manage templates</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Any permission in the project.</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">From #63544 (maybe out of scope) - Projects in which the user has no permission cannot be turned into templates.This is risky as it allows privilege escalation. A user might first turn a workspace into a template, then copy it to potentially gain access to information previously not accessible to them.</td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Remove a workspace from the set of templates</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Manage templates</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">Any permission in the project.</td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;">From #63544 (maybe out of scope) - Projects in which the user has no permission cannot be removed from the templates.</td></tr></tbody></table></figure>

* \[open\] Should the currently existing "Project" permission group be separated into sections per type:

<img class="op-uc-image op-uc-image_inline" src="/api/v3/attachments/771225/content">

* \[open\] Seeding and migrations

* \[open\] Should two other configuration options be added to differentiate between a new role automatically granted in a project vs a program vs a portfolio:
<img class="op-uc-image op-uc-image_inline" src="/api/v3/attachments/783645/content">
If that is done, those different roles would also have to be seeded (e.g. "Portfolio admin/manager").

**Technical notes**

* 

**Permissions and visibility considerations**

* _To whom is this feature visible?_

* _When is it not visible?_

**Translation considerations**

* _Key terms and phrases in the key languages_

**Out of scope**

* 

_Set the_ **To be informed/consulted teams** _field to include all teams necessary to be informed of the changes._

Back

Side Menu

Content