Updated by Niels Lindenthal over 2 years ago
The differences view interleaves two wordings of the description. The first reads:

**As an** OpenProject Administrator
**I want to** set the permissions (read, write, none) of each project attribute in the Administration
**So that I** can ensure the "need-to-know-principle". This means the user can get the relevant information they need - but only the information they need.
**Acceptance criteria**
* In _Administration_ -> _Projects_ -> _Project attributes_ -> <_Attribute A_> there are two sections on the right (similar to project overview or in the meetings view).
  * **Write**
    Example: Project role A, Project role B
  * **Read**
    Project role D, Project role C, _Non member_
* In _Administration_ -> _Projects_ -> _Project attributes_ there is another menu entry "_Permissions_" showing a two-dimensional permission table that gives an overview of all project attributes.
* The permissions are enforced in all relevant views:
  * Project overview
  * Project list
  * API

The second reads:

**As an** openproject instance admin
**I want to** set the permissions (read, write, none) of each project attribute in the Administration
**So that I** can ensure the "need-to-know-principle". This means users get the relevant information they need on a global scale.
**Acceptance criteria**
* In the project overview details page there is a tab "permission". -> needs clarification: project overview or project administration settings? See comment 11/28/2023 1:15 PM by Oliver Günther; we would prefer option 1 (dynamic permissions)
* In this tab the permissions are defined for all project roles (none, read, write) and for all global roles. -> needs clarification: this tab should also be located in the project administration settings
* In Administration -> Projects -> Project attributes there is a menu entry "Permissions" showing a two-dimensional permission table across all project attributes.
* The permissions are enforced -> needs further specification: see addition in permission matrix example

**Permission matrix example**
| | Attribute A | Attribute B |
|---|---|---|
| **Project Roles** | | |
| Project Admin | write | write |
| Project Member | read | write |
| Project Reader | none | read |
| [...] | | |
| **Global roles** | | |
| Anonymous | none | none |
| Non-member | read | none |
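
One way the matrix above could be evaluated and enforced on the read and write paths, as an added example that is not OpenProject code. The method names, the "highest level wins" rule for a user holding several roles, and the fallback to none for unlisted roles or attributes are assumptions the page does not specify.

```ruby
# Added example with hypothetical names; not part of OpenProject.
LEVELS = { none: 0, read: 1, write: 2 }.freeze
PermissionDenied = Class.new(StandardError)

# Matrix constructed from the example rows in the table above.
MATRIX = {
  "Project Admin"  => { "Attribute A" => :write, "Attribute B" => :write },
  "Project Member" => { "Attribute A" => :read,  "Attribute B" => :write },
  "Project Reader" => { "Attribute A" => :none,  "Attribute B" => :read },
  "Anonymous"      => { "Attribute A" => :none,  "Attribute B" => :none },
  "Non-member"     => { "Attribute A" => :read,  "Attribute B" => :none }
}.freeze

# Effective level for a set of roles: the highest grant wins (assumption).
# Unknown roles, unknown attributes and an empty role list yield :none,
# so anything missing from the matrix is denied by default.
def effective_level(roles, attribute)
  roles.map { |role| MATRIX.dig(role, attribute) || :none }
       .max_by { |level| LEVELS.fetch(level) } || :none
end

def allowed?(roles, attribute, action)
  LEVELS.fetch(effective_level(roles, attribute)) >= LEVELS.fetch(action)
end

# Read path (project overview, project list, API): drop every attribute
# the roles may not read, so neither the value nor the key is disclosed.
def visible_attributes(roles, attributes)
  attributes.select { |name, _value| allowed?(roles, name, :read) }
end

# Write path: reject the whole update if any changed attribute is not
# writable, instead of silently applying only the permitted part.
def apply_update(roles, attributes, changes)
  denied = changes.keys.reject { |name| allowed?(roles, name, :write) }
  raise PermissionDenied, "not writable: #{denied.join(', ')}" unless denied.empty?
  attributes.merge(changes)
end
```

Routing the overview, the list (including exports) and the API through the same two functions keeps one view from disclosing an attribute that another view hides.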
**Open**
* Migrations
* How to handle a very large number of roles and attributes in one table. We might need some filtering later.
* Introduction of specific project attributes on a project level -> when implemented, a separate permission structure (on project level) has to be specified
* Question: which effects would this have on the project list (and its exports)
* Question: The parallel implementation of attributes for projects and work packages (as suggested by Oliver) raises the follow-up question of filter options. What else would be needed to be able to implement common filters for project attributes and work package attributes?