Updated by Jens Ulferts about 11 hours ago
**As** a user
**I want to** understand, easily administrate and flexibly grant permissions to create and change workspaces (project, program & portfolio)
**so that** the permissions are granted correctly and as restricted as possible without wrongfully interrupting work.
**Context:**
There are currently a number of permissions already in place:
* create project (global)
* copy projects
* create subprojects
Limitations of the current structure are discussed in <mention class="mention" data-id="60623" data-type="work_package" data-text="#60623">#60623</mention>. #63544 suggests adding the global permissions "Manage project hierarchies" and "Create project hierarchies" and turning "Copy projects" into a global permission.
The two WPs mentioned above were created before programs and portfolios were considered.
**Acceptance criteria**
The following table lists the permissions that are either added or already exist:
<figure class="table op-uc-figure_align-center op-uc-figure"><table class="op-uc-table"><tbody>
<tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p"><strong>Permission</strong></p></td><td class="op-uc-table--cell"><p class="op-uc-p"><strong>Global</strong></p></td><td class="op-uc-table--cell"><p class="op-uc-p"><strong>Previous permission, changed or added</strong></p></td><td class="op-uc-table--cell"><p class="op-uc-p"><strong>Explanation</strong></p></td><td class="op-uc-table--cell"><p class="op-uc-p"><strong>Ticket</strong></p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create projects</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Previous (unchanged)</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows the creation of workspaces of the type "project"</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><mention class="mention" data-id="68918" data-type="work_package" data-text="#68918">#68918</mention></p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create programs</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows the creation of workspaces of the type "program"</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><mention class="mention" data-id="68918" data-type="work_package" data-text="#68918">#68918</mention></p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create portfolio</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows the creation of workspaces of the type "portfolio"</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create project from templates</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows copying project templates. Adding this permission separately, on top of "Create projects", better supports use cases where all projects should be based on a template.</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create program from templates</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows copying program templates. Adding this permission separately, on top of "Create programs", better supports use cases where all programs should be based on a template.</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create portfolio from templates</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows copying portfolio templates. Adding this permission separately, on top of "Create portfolios", better supports use cases where all portfolios should be based on a template.</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Manage templates</p></td><td class="op-uc-table--cell"><p class="op-uc-p">✅</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Added</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Allows turning a workspace into a template and removing the workspace from the set of templates.</p><p class="op-uc-p">Potentially, this also needs to be separated into three different permissions, one per workspace type.</p><p class="op-uc-p">Adding this permission might be out of scope as it is not strictly necessary for the epic.</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Copy workspace</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell"><p class="op-uc-p">Replaces "Copy projects"</p><p class="op-uc-p">The dependency on both "edit project" as well as "manage members" is added.</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Users will need any of "Create projects", "Create programs" or "Create portfolio" to actually copy a workspace. That way, the creation of projects is more tightly controlled. On the other hand, this might be complicated for users to understand.</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Create subprojects</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell"><p class="op-uc-p">Removed</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Select parent</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell"><p class="op-uc-p">Has a dependency on "edit project".</p></td><td class="op-uc-table--cell"><p class="op-uc-p">The permission allows selecting the parent workspace of the workspace the permission is granted in. It no longer allows the creation of new workspaces.</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell"><p class="op-uc-p">Edit workspace</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell"><p class="op-uc-p">"Edit project" permission is renamed and changed</p></td><td class="op-uc-table--cell"><p class="op-uc-p">Loses the ability to select the parent</p></td><td class="op-uc-table--cell"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr>
</tbody></table></figure>
The following table lists use cases and the necessary permissions for them. Sometimes, global and workspace permissions are required at the same time:
<figure class="table op-uc-figure_align-center op-uc-figure"><table class="op-uc-table" style="border-color:#dfddd0;border-style:solid;"><tbody>
<tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><strong>Use case</strong></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><strong>Required global permissions</strong></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><strong>Required project permissions</strong></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><strong>Remarks</strong></p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Add a project (without hierarchy)</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Create projects</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Add a program (without hierarchy)</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create programs</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Add a portfolio (without hierarchy)</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create portfolios</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Turn a workspace (e.g. project) into a child of another workspace (e.g. portfolio)</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">"Select parent" in the child project.</p><p class="op-uc-p">Any permission in the parent project (for visibility).</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">This action could be triggered from the child (current state) or from the parent or from both.</p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create a workspace (e.g. project) as a child of another workspace (e.g. portfolio)</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create projects/programs</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">"Select parent" in the newly created project.</p><p class="op-uc-p">Any permission in the parent project (for visibility).</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">This is the combination of the permission specifications above. E.g. if a user has the "Create projects" permission and, as the admin of the newly created project, also has "Select parent", a new project can be created with the portfolio as its parent right away.</p><p class="op-uc-p">"Create portfolio" is not listed as a required global permission because a portfolio cannot be a child.</p><p class="op-uc-p">The "Create subproject" button in the project administration is only displayed if the role the user will receive in a newly created workspace has the "Select parent" permission.</p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Copy a workspace (not a template)</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Create projects/portfolios/programs</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">"Copy workspace" in the workspace to be copied.</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Workspaces in which the user has "Copy workspace" permission can be copied. Templates cannot be copied with that permission; copying them requires "Create XYZ from template".</p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Copy a project template</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create project from templates</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Projects marked as template are completely copyable. Copying them also does not require the "Copy workspace" permission in the copied template project.</p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Copy a program template</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create program from templates</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Programs marked as template are completely copyable. Copying them also does not require the "Copy workspace" permission in the copied template program.</p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Copy a portfolio template</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Create project from templates</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p"><br data-cke-filler="true"></p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);"><p class="op-uc-p">Portfolios marked as template are completely copyable. Copying them also does not require the "Copy workspace" permission in the copied template portfolio.</p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Turn a workspace into a template</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Manage templates</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Any permission in the project.</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">From #63544 (maybe out of scope) - Projects in which the user has no permission cannot be turned into templates.</p><p class="op-uc-p"><strong>This is risky as it allows privilege escalation. A user might first turn a workspace into a template, then copy it to potentially gain access to information previously not accessible to them.</strong></p></td></tr>
<tr class="op-uc-table--row"><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Remove a workspace from the set of templates</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Manage templates</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">Any permission in the project.</p></td><td class="op-uc-table--cell" style="border-color:hsl(0, 0%, 60%);padding:9px;"><p class="op-uc-p">From #63544 (maybe out of scope) - Projects in which the user has no permission cannot be removed from the templates.</p></td></tr>
</tbody></table></figure>
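The privilege-escalation remark in the use-case table can be checked mechanically. The following Ruby model is an added example, not OpenProject code: the permission symbols are assumed names derived from the labels in the tables, the sample user and workspace are constructed, and `require_copy` is a hypothetical guard that the work package does not specify.

```ruby
require "set"

# Toy model of the use-case table. Permission symbols are assumed names
# derived from the page's labels, not OpenProject identifiers.
Workspace = Struct.new(:name, :type, :template)

class Actor
  def initialize(global: [], local: {})
    @global = global.to_set
    @local = local.transform_values(&:to_set)
  end

  def global?(perm)
    @global.include?(perm)
  end

  def local?(perm, workspace)
    @local.fetch(workspace.name, Set.new).include?(perm)
  end

  # "Any permission in the project."
  def member?(workspace)
    !@local.fetch(workspace.name, Set.new).empty?
  end
end

CREATE_ANY = %i[create_projects create_programs create_portfolios].freeze

# "Copy a workspace (not a template)": any create permission globally,
# plus "Copy workspace" in the workspace to be copied.
def may_copy_directly?(actor, workspace)
  !workspace.template &&
    CREATE_ANY.any? { |perm| actor.global?(perm) } &&
    actor.local?(:copy_workspace, workspace)
end

# "Copy a <type> template": a global permission only, nothing in the template.
def may_copy_template?(actor, workspace)
  workspace.template && actor.global?(:"create_#{workspace.type}_from_templates")
end

# "Turn a workspace into a template": "Manage templates" plus any permission
# in the workspace. require_copy is a hypothetical extra guard (assumption):
# also demand "Copy workspace" in that workspace.
def may_mark_template?(actor, workspace, require_copy: false)
  return false unless actor.global?(:manage_templates) && actor.member?(workspace)

  !require_copy || actor.local?(:copy_workspace, workspace)
end

# Every action sequence that ends with the actor holding a copy.
def copy_paths(actor, workspace, require_copy: false)
  paths = []
  paths << [:copy_workspace] if may_copy_directly?(actor, workspace)
  paths << [:copy_template] if may_copy_template?(actor, workspace)
  unless workspace.template
    marked = workspace.dup.tap { |w| w.template = true }
    if may_mark_template?(actor, workspace, require_copy: require_copy) &&
       may_copy_template?(actor, marked)
      paths << [:mark_as_template, :copy_template]
    end
  end
  paths
end

# True when a copy is reachable although "Copy workspace" was never granted.
def escalation?(actor, workspace, require_copy: false)
  !workspace.template && !actor.local?(:copy_workspace, workspace) &&
    copy_paths(actor, workspace, require_copy: require_copy)
      .include?([:mark_as_template, :copy_template])
end

# Constructed sample: a member with one unrelated permission in the project.
SAMPLE_WS = Workspace.new("hr-reorg", :project, false)
SAMPLE_ACTOR = Actor.new(
  global: %i[manage_templates create_project_from_templates],
  local: { "hr-reorg" => %i[view_work_packages] }
)

if __FILE__ == $PROGRAM_NAME
  puts "as specified: #{copy_paths(SAMPLE_ACTOR, SAMPLE_WS).inspect}"
  puts "with guard:   #{copy_paths(SAMPLE_ACTOR, SAMPLE_WS, require_copy: true).inspect}"
end
```

Running the same check over every role combination that is actually seeded shows which roles would gain this path once "Manage templates" is introduced.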
* Seeding:
  * The roles currently having any of the replaced permissions shall receive the permissions replacing them.
  * All roles currently having "edit project" are granted the "Select parent" permission.
  * Roles having "Copy workspace"/"Copy projects" permission but lacking "Edit project"/"Edit workspace" or "Manage members" lose that permission.
* \[open\] Should the currently existing "Project" permission group be separated into sections per type?
  <img class="op-uc-image op-uc-image_inline" src="/api/v3/attachments/771225/content">
* New default role selections are available in the administration, analogous to what already exists for projects.
  <img class="op-uc-image op-uc-image_inline" src="/api/v3/attachments/783645/content">
  By default, those settings will have the "Project admin" role set.
**Technical notes**
* <br>
**Translation considerations**
* _Key terms and phrases in the key languages_
**Out of scope**
* <br>
_Set the_ **To be informed/consulted teams** _field to include all teams necessary to be informed of the changes._