with the release of 1.9.2 project admins have access to the new export/import functionality. Thanks for that great feature.
To check permissions i asked a team mate to access the pages. He has access to his own projects. However, he can also export and even import my projects. He is also able to edit my projects. I have checked permissions, therefore. Myself i am a project admin to the project. Also registered users have permission to “configuration.view:all”. I do not understand, why my team mate is able to modify and export/import my project configurations. Only if i modify registered users and set “deny” permission to project administrator and edit project i can stop him from doing so.
Is this actually the default behaviour or is this a bug?
We’re not able to reproduce this here.
Can you let us know full details of the permissions, roles and groups the user has at each level? This should include the global permissions and roles allocated to the user and associated groups on the Access Control page and the permissions allocated to roles on the Roles page. It should also include permissions allocated on the Security page of the project wizard and on the Security page on the configuration wizard for any configurations shown unexpectedly on the export pages.
Note that the Export tab should be accessible to only to users which have
Configuration.Edit permission on any configuration or
Project.Edit permission on any project. They should not, however, be able to export any configurations for which they do not have
Configuration.Edit permission, or any project details for which they do not have
Project.Edit permission. The checkboxes for selecting configurations, project details and other items where do not have permissions should be struck out and disabled.
The Import tab should be accessible only to users which have
Project.Edit permission on any project. They should not, however, be able to overwrite any project details or configurations where they do not have
Project.Edit permission or create any projects where they do not any
Project.Create permissions. The checkboxes and selection boxes for overwriting and creating projects, configurations and other items where do not have permissions should be struck out and disabled.
My team mate is member of these groups:
- Project Administrators
- Configuration Administrators
If your team mate is a member of the global Project Administrators group with the Project Administrator role, then this gives him editing (and administrative) permissions for every project and configuration. This will allow him to edit, administrate, import and export every project and configuration.
To give him permission to edit a single project, remove him from the global Project Administrators group, then create a new access control entry on the Security page of the Project Wizard allocating him to the Project Editor (or Project Administration) role.
Alternatively, create a new group for people like your team mate, add him as a member and allocate the group to the Project Editor (or Project Administration) role on the Security page of the Project Wizard.
See Managing Security.
thanks for your clarification. To summarize: The “Security” TAB displays settings, that override global settings. It does not tell the effective rights, that users have to the projects and configurations.
Yes, that’s correct. The Security tabs on the project and configuration wizards show only the permissions set at the project and configuration levels respectively. We do realise that this is not entirely intuitive and are discussing ways to make the effective, inherited permissions more visible in the future.
Thanks a lot Dave for clarifying this.