Content
View differences
Updated by Jens Ulferts 9 months ago
**As** a user
**I want to** understand, easily administrate and flexibly grant permissions to create and change workspaces (project, program & portfolio)
**so that** the permissions are granted correctly and as restricted as possible without wrongfully interrupting work.
**Context:**
There are currently a number of permissions already in place:
* create project (global)
* copy projects
* create subprojects
Limitations on the current structure is discussed in <mention class="mention" data-id="60623" data-type="work_package" data-text="#60623">#60623</mention> . #63544 suggests to add the global permissions "Manage project hierarchies" and "Create project hierarchies" and turn "Copy projects" into a global permission.
The two WPs mentioned above where created before programs and portfolios where thought about.
**Acceptance criteria**
The following table lists the permissions that are either added or already exist
<figure class="table op-uc-figure_align-center op-uc-figure"><table class="op-uc-table"><tbody><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p"><strong>Permission</strong></p></td><td class="op-uc-table--cell"><p class="op-uc-p"><strong>Global</strong></p></td><td class="op-uc-table--cell"><p class="op-uc-p"><strong>Previous permission, changed or added</strong></p></td><td class="op-uc-table--cell"><p class="op-uc-p"><strong>Explanation</strong></p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create projects</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅ </p></td><td class="op-uc-table--cell"><p class="op-uc-p">Previous (unchanged)</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows the creation of workspace of the type "project"</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create programs</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅ </p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows the creation of workspace of the type "program"</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create portfolio</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅ </p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows the creation of workspace of the type "portfolio"</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create project from templates</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅ </p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows copying project templates. Adding this permission separately, on top of "Create projects" allows to better support use cases where all projects should be based on a template.</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create program from templates</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅ </p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows copying program templates. Adding this permission separately, on top of "Create programs" allows to better support use cases where all programs should be based on a template.</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create portfolio from templates</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅ </p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows copying portfolio templates. Adding this permission separately, on top of "Create portfolios" allows to better support use cases where all portfolios should be based on a template.</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Manage templates</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅ </p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows turning a workspace into a template and removing the workspace from the set of templates.</p><p class="op-uc-p">Potentially, this also needs to be separated into three different permissions, one per workspace type.</p><p class="op-uc-p">Adding this permission might be out of scope as it is not strictly necessary for the epic.</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Copy workspace</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell"><p class="op-uc-p">Replaces "Copy projects<strong>"</strong></p><p class="op-uc-p">The dependency on both "edit project" as well as "manage members" is added.</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Users will need any of "Create projects", "Create programs" or "Create portfolio" to actually copy a workspace. That way, the creation of projects is more tightly controlled. On the other hand, this might be complicated for users to understand.</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create subprojects</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell"><p class="op-uc-p">Removed</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Select parent</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell"><p class="op-uc-p">Has a class="op-uc-p">Replaces "Create subprojects<strong>"</strong></p><p class="op-uc-p">The dependency on "edit project".</p></td><td project" is added.</p></td><td class="op-uc-table--cell"><p class="op-uc-p">The permission allows selecting the parent workspace to the workspace the permission is granted in. It no longer allows the creation of new workspaces.</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Edit workspace</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell"><p class="op-uc-p">"Edit project" permission is renamed and changed </p></td><td class="op-uc-table--cell"><p class="op-uc-p">Looses ability to select parent</p></td></tr></tbody></table></figure>
The following table lists use cases and the necessary permissions for them. Sometimes, global and workspace permissions are required at the same time:
<figure class="table op-uc-figure_align-center op-uc-figure"><table class="op-uc-table" style="border-color:#dfddd0;border-style:solid;"><tbody><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><strong>Use case</strong></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><strong>Required global permissions</strong></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><strong>Required project permissions</strong></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><strong>Remarks</strong></p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Add a project (without hierarchy)</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Create projects</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Add a program (without hierarchy)</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create programs</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Add a portfolio (without hierarchy</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create portfolios</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Turn a workspace (e.g project) into a child of another workspace (e.g. portfolio) </p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">"Select parent" in the child project.</p><p class="op-uc-p">Any permission in the parent project (for visibility).</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">This action could be triggered from the child (current state) or from the parent or from both.</p><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create a workspace (e.g project) as a child of another workspace (e.g. portfolio) </p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create projects/programs</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">"Select parent" in the newly created project.</p><p class="op-uc-p">Any permission in the parent project (for visibility)</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">This is the combination of the permission specifications above. E.g. if a user has both the "Create projects" permission as well as "Select parent" as the newly created project admin, a new project can be created with the portfolio as its parent right away.</p><p class="op-uc-p">Create portfolio is not listed as a required global permission as a portfolio cannot be a child.</p><p class="op-uc-p">The "Create subproject" button in the project administration is only displayed if the role the user will receive in a newly created workspace has the "Select parent" permission.</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Copy a workspace (not a template)</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">create projects/portfolios/programs</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">"Copy workspace" in the workspace to be copied.</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Workspaces in which the user has "Copy workspace" permission can not be copied. Templates cannot This is for the following reason: <br><br><strong>This is risky as it allows privilege escalation - The user will suddenly e.g. see work packages by copying them to which they potentially didn't have access to in the first place. The alternative would be copied by that permission, it requires "Create XYZ from template".</p></td></tr><tr to still require the project permission of copying the workspace the permission is granted in.</strong></p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Copy a project template</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create project from templates</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Projects marked as template are completely copyable. It also does not require the "Copy workspace" permission in the copied template project.</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Copy a program template</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create program from templates</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Programs marked as template are completely copyable. It also does not require the "Copy workspace" permission in the copied template program.</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Copy a portfolio template</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create project from templates</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Portfolios marked as template are completely copyable. It also does not require the "Copy workspace" permission in the copied template portfolio.</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Turn a workspace into a template</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Manage templates</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Any permission in the project.</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">From #63544 (maybe out of scope) - Projects in which the user has no permission cannot be turned into templates.</p><p class="op-uc-p"><strong>This is risky as it allows privilege escalation. A user might first turn a workspace into a template, then copy it to potentially gain access to information previously not accessible to them.</strong></p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Remove a workspace from the set of templates</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Manage templates</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Any permission in the project.</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">From #63544 (maybe out of scope) - Projects in which the user has no permission cannot be removed from the templates.</p></td></tr></tbody></table></figure>
* Seeding:
* The roles currently having any of the replaced permissions shall receive the permissions replacing them.
* All roles currently having "edit project" are granted the "Select parent" permission
* Roles having "Copy workspace"/"Copy projects" permission but lacking "Edit project"/"Edit workspace" or "Manage members" loose that permission.
* \[open\] Should the currently existing "Project" permission group be separated into sections per type:
<img class="op-uc-image op-uc-image_inline" src="/api/v3/attachments/771225/content">
* New default \[open\] Seeding and migrations
* \[open\] Should two other configuration options be added to differentiate between a new role selections are automatically granted in the administration analogous to what already exists for projects. a project vs a program vs a portfolio:
<img class="op-uc-image op-uc-image_inline" src="/api/v3/attachments/783645/content">
By default, If that is done, those settings will different roles would also have the "Project admin" role set. to be seeded (e.g. "Portfolio admin/manager").
**Technical notes**
* <br>
**Translation considerations**
* _Key terms and phrases in the key languages_
**Out of scope**
* <br>
_Set the_ **To be informed/consulted teams** _field to include all teams necessary to be informed of the changes._
**I want to** understand, easily administrate and flexibly grant permissions to create and change workspaces (project, program & portfolio)
**so that** the permissions are granted correctly and as restricted as possible without wrongfully interrupting work.
**Context:**
There are currently a number of permissions already in place:
* create project (global)
* copy projects
* create subprojects
Limitations on the current structure is discussed in <mention class="mention" data-id="60623" data-type="work_package" data-text="#60623">#60623</mention> . #63544 suggests to add the global permissions "Manage project hierarchies" and "Create project hierarchies" and turn "Copy projects" into a global permission.
The two WPs mentioned above where created before programs and portfolios where thought about.
**Acceptance criteria**
The following table lists the permissions that are either added or already exist
<figure class="table op-uc-figure_align-center op-uc-figure"><table class="op-uc-table"><tbody><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p"><strong>Permission</strong></p></td><td class="op-uc-table--cell"><p class="op-uc-p"><strong>Global</strong></p></td><td class="op-uc-table--cell"><p class="op-uc-p"><strong>Previous permission, changed or added</strong></p></td><td class="op-uc-table--cell"><p class="op-uc-p"><strong>Explanation</strong></p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create projects</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅ </p></td><td class="op-uc-table--cell"><p class="op-uc-p">Previous (unchanged)</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows the creation of workspace of the type "project"</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create programs</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅ </p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows the creation of workspace of the type "program"</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create portfolio</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅ </p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows the creation of workspace of the type "portfolio"</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create project from templates</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅ </p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows copying project templates. Adding this permission separately, on top of "Create projects" allows to better support use cases where all projects should be based on a template.</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create program from templates</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅ </p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows copying program templates. Adding this permission separately, on top of "Create programs" allows to better support use cases where all programs should be based on a template.</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create portfolio from templates</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅ </p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows copying portfolio templates. Adding this permission separately, on top of "Create portfolios" allows to better support use cases where all portfolios should be based on a template.</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Manage templates</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅ </p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows turning a workspace into a template and removing the workspace from the set of templates.</p><p class="op-uc-p">Potentially, this also needs to be separated into three different permissions, one per workspace type.</p><p class="op-uc-p">Adding this permission might be out of scope as it is not strictly necessary for the epic.</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Copy workspace</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell"><p class="op-uc-p">Replaces "Copy projects<strong>"</strong></p><p class="op-uc-p">The dependency on both "edit project" as well as "manage members" is added.</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Users will need any of "Create projects", "Create programs" or "Create portfolio" to actually copy a workspace. That way, the creation of projects is more tightly controlled. On the other hand, this might be complicated for users to understand.</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create subprojects</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell"><p class="op-uc-p">Removed</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Select parent</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell"><p class="op-uc-p">Has a
The following table lists use cases and the necessary permissions for them. Sometimes, global and workspace permissions are required at the same time:
<figure class="table op-uc-figure_align-center op-uc-figure"><table class="op-uc-table" style="border-color:#dfddd0;border-style:solid;"><tbody><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><strong>Use case</strong></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><strong>Required global permissions</strong></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><strong>Required project permissions</strong></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><strong>Remarks</strong></p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Add a project (without hierarchy)</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Create projects</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Add a program (without hierarchy)</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create programs</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Add a portfolio (without hierarchy</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create portfolios</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Turn a workspace (e.g project) into a child of another workspace (e.g. portfolio) </p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">"Select parent" in the child project.</p><p class="op-uc-p">Any permission in the parent project (for visibility).</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">This action could be triggered from the child (current state) or from the parent or from both.</p><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create a workspace (e.g project) as a child of another workspace (e.g. portfolio) </p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create projects/programs</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">"Select parent" in the newly created project.</p><p class="op-uc-p">Any permission in the parent project (for visibility)</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">This is the combination of the permission specifications above. E.g. if a user has both the "Create projects" permission as well as "Select parent" as the newly created project admin, a new project can be created with the portfolio as its parent right away.</p><p class="op-uc-p">Create portfolio is not listed as a required global permission as a portfolio cannot be a child.</p><p class="op-uc-p">The "Create subproject" button in the project administration is only displayed if the role the user will receive in a newly created workspace has the "Select parent" permission.</p></td></tr><tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Copy a workspace (not a template)</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">create projects/portfolios/programs</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">"Copy workspace" in the workspace to be copied.</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Workspaces in which the user has "Copy workspace" permission can
* Seeding:
* The roles currently having any of the replaced permissions shall receive the permissions replacing them.
* All roles currently having "edit project" are granted the "Select parent" permission
* Roles having "Copy workspace"/"Copy projects" permission but lacking "Edit project"/"Edit workspace" or "Manage members" loose that permission.
* \[open\] Should the currently existing "Project" permission group be separated into sections per type:
<img class="op-uc-image op-uc-image_inline" src="/api/v3/attachments/771225/content">
* New default
* \[open\] Should two other configuration options be added to differentiate between a new
<img class="op-uc-image op-uc-image_inline" src="/api/v3/attachments/783645/content">
By default,
**Technical notes**
* <br>
**Translation considerations**
* _Key terms and phrases in the key languages_
**Out of scope**
* <br>
_Set the_ **To be informed/consulted teams** _field to include all teams necessary to be informed of the changes._