Overview of roles on all levels
Level | Role | Used by | Purpose |
---|---|---|---|
Customer area | Reader | All customer area members. | Grants read-only access to the customer area. Basic role for accessing the customer area. |
Customer area | User | All customer area members. This is assigned automatically when a person joins any project. | Grants read-only permissions to get into the proper customer area, plus the ability to create one's own project. |
Customer area | Admin | Customer key persons | Grants the ability to add/remove users in the customer area (removal is usually used when an employee leaves the company). |
Customer area | Owner | Customer key persons | Grants the ability to change roles for users, plus approval capabilities (buying licenses, approving raising of resource limits). |
Customer area | Billing | Company accountants, ICT managers | Grants access to billing capabilities and details. |
Project | Reader | All project members. | Grants read-only access to the portal project. Basic role for accessing the portal project. |
Project | User | Usually standard users | Grants the ability to add/remove servers. |
Project | Admin | Usually senior or lead team members | Grants the ability to add/remove servers and SaaS entities (Jira projects, Confluence spaces, Bitbucket repositories). |
Project | Owner | Usually project managers | Grants the ability to add/remove users and change roles for users, plus approval capabilities such as buying licenses and requesting/approving raising of resource limits. |
Project | Billing | Project accountants, project managers | Grants access to billing capabilities and details. |
Application | Reader | Not available for end users. Granted automatically based on the user's membership of some application entities. | Usually allows logging in to the application and reserves a license where applicable. This is managed automatically by TDS; no action is required from end users. |
Application | User | Not available for end users. Granted automatically based on the user's membership of some application entities. | Usually allows logging in to the application and reserves a license where applicable. This is managed automatically by TDS; no action is required from end users. |
Application | Administrator | Not available for end users. Used by customer administrators only. | Reserved for customer administrators so that they can manage SaaS applications with partial administrator permission. |
Application entities | Reader | Usually project customers, collaborators or, for example, employees with access to some shared documentation. This role is granted automatically to any new member of the entity. | Usually grants read-only access and commenting on the particular entity (differs by application type). Basic access to the entity. |
Application entities | User | Roughly 90% of users - developers, technical specialists... | Read-write access to the particular entity (differs by application type). |
Application entities | Admin | Usually senior developers, project managers. | Management of the entity (differs by application type). |
How role management works in TDS:
- There is no inheritance of roles between the portal, area, project and entities/servers/applications levels.
- On the project level there is a "mass user management" function that synchronises user roles from the project level to the application entities level. This substitutes for inheritance where necessary but still leaves granularity for projects that need it.
- For security and convenience reasons, removing a user from the lowest role on a particular level automatically removes them from all higher roles on that level. For example, removing someone from the user role also removes them from the admin role.
Customer area roles
Permissions | reader | owner | admin | billing | user |
---|---|---|---|---|---|
List projects member of | X | ||||
Create Project | X | ||||
List users in CA | X | ||||
Add user to CA | X | ||||
Delete user from CA | X | ||||
Set and change roles | X | ||||
List invitations* | X | ||||
View billing | X |
*Only Portal admin can delete an invitation.
Project roles
reader | owner | admin | billing | user | |
---|---|---|---|---|---|
Dashboard | |||||
View dashboard | X | ||||
View/edit favorite objects | X | ||||
Create/edit/delete sticker | X | ||||
SaaS | |||||
List services | X | ||||
Create/delete service | X | ||||
View service detail | X | ||||
List service users | X | ||||
Add/remove service user | X | ||||
Change service users roles | X | ||||
Servers | |||||
List servers | X | ||||
View server detail (connections,apps) | X | ||||
Create/delete server | X | X | |||
Change server state | X | ||||
Change server capacity | X | ||||
Enable/disable server backup | X | ||||
List server backups | X | ||||
List server usage | X | ||||
List server logs | X | ||||
List server users | X | ||||
Add/remove server user | X | ||||
Change server user role | X | ||||
Applications | |||||
List applications | X | ||||
View application detail | X | ||||
Create/delete application | X | ||||
Detail | |||||
View detail | X | ||||
Modify project properties | X | ||||
Manage service account | X | ||||
Resources | |||||
View resources | X | ||||
Create/request resources | X | ||||
Usage | |||||
View usage | X | ||||
Logs | |||||
View logs | X | ||||
Network | |||||
View security groups/rules | X | ||||
Add/modify security groups/rules | X | ||||
Storage | |||||
View storage | X | ||||
Users | |||||
Add/invite/remove user to/from project | X | ||||
View users in project | X | ||||
Change user roles | X | ||||
User Detail | X | ||||
Billing | |||||
View billing | X |
The reader role is inherited by all other roles. The admin role inherits from the user role.
Only the Portal admin (tdsadmin) role has access to the Admin section; it also sees a few more folders/buttons in the Portal (Retrigger button in Project/Server/Settings).
Application roles
In SaaS applications there are no application roles available for standard users; those are reserved for TDS administrators only.
Roles available for standard users can be found below in the Application entities roles chapter.
Application entities roles
Notes
- x - means that the role has the given permission(s)
- green colour - shows which permissions a person gets when roles are assigned as designed (the given role including all lower roles)
Application | Permissions | Roles | ||
---|---|---|---|---|
Reader | User | Admin | ||
General | read access | x | ||
comments possibilities | x | |||
write access | x | |||
administration access | x | |||
Jira project | ||||
view issues | x | |||
comment issues | x | |||
editing issues | x | |||
moving issues between workflow steps | x | |||
editing own comments | x | |||
managing issues | x | |||
managing versions | x | |||
managing components | x | |||
managing project workflows | x | |||
Confluence space | ||||
view pages | x | |||
comment pages | x | |||
editing pages | x | |||
moving pages | x | |||
editing own comments | x | |||
managing pages | x | |||
managing templates | x | |||
deleting anyone's comments | x | |||
Gitlab project/repository | ||||
view code | x | |||
committing code | x | |||
creating merge requests | x | |||
approving merge requests | x | |||
Artifactory repository | ||||
read repository | x | |||
write into repository (annotate, deploy, cache, delete/overwrite) | x | |||
manage repository | x | |||
SeedDMS folder | ||||
read access to folder | x | |||
write access to folder | x | |||
manage folder | x | |||
Subversion repository | ||||
view code | x | |||
committing code | x | |||
Bitbucket repository | Read | x | ||
Write | x | |||
Admin | x |
Server roles
Notes
- x* - means that an additional check on "server roles" is required
- x** - means that a "Server Admin" can manage server user roles only up to his own level in the role hierarchy; in other words, he cannot assign/delete the "Server Owner" role
area admin | area owner | project user | project admin | project owner | server user | server admin | server owner/creator | |
---|---|---|---|---|---|---|---|---|
Create server | x | x | x | x | x | |||
Delete server | x | x | x* | x | x | x | ||
Add user to server | x | x | x* | x | x | x** | x | |
Remove user from server | x | x | x* | x | x | x** | x | |
Change server user role | x | x | x* | x | x | x** | x | |
Change server state (start, stop, ...) | x | x | x* | x | x | x | x | |
Change server capacity | x | x | x* | x | x | x | x | |
Server backups (enabling, disabling) | x | x | x* | x | x | x | x |
In short:
- Server Owner has more privileges than Server Admin, but mostly in the hardware management area: he can delete the server and change server capacity,
- Server Admin is able to manage user roles on the server, but only for users up to his own level in the role hierarchy; Server Admin cannot manage Server Owners.
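
The two enforcement rules described on this page (removing a role also removes every higher role on the same level, and a Server Admin cannot reach above his own role) can be modelled as below. This is an added example, not TDS code: the class and function names are hypothetical, the role orderings are assumptions read off the tables above, and only server-level roles are checked (area and project roles from the server table are out of scope).

```python
# Added illustration, not TDS code. Role orders (lowest first) are assumptions
# read off the tables on this page.
ENTITY_ROLES = ["reader", "user", "admin"]
SERVER_ROLES = ["user", "admin", "owner"]

class LevelMembership:
    """Roles held on ONE level; nothing is inherited from other levels."""

    def __init__(self, order):
        self.order = order
        self.roles = {}  # user name -> set of role names

    def grant(self, user, role):
        if role not in self.order:
            raise ValueError(f"unknown role: {role}")
        self.roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        """Remove `role` and every higher role on this level."""
        held = self.roles.get(user, set())
        held -= set(self.order[self.order.index(role):])
        if not held:
            self.roles.pop(user, None)  # no roles left: no longer a member

    def top_rank(self, user):
        held = self.roles.get(user, ())
        return max((self.order.index(r) for r in held), default=-1)

def can_manage_server_role(server, actor, target, role):
    """x** rule: `role` is the role being assigned or removed. The actor needs
    at least server admin and may not reach above their own highest role."""
    actor_rank = server.top_rank(actor)
    if actor_rank < server.order.index("admin"):
        return False
    return (server.order.index(role) <= actor_rank
            and server.top_rank(target) <= actor_rank)

def demo():
    entity = LevelMembership(ENTITY_ROLES)
    for r in ENTITY_ROLES:
        entity.grant("alice", r)          # constructed sample users
    entity.revoke("alice", "user")        # also drops admin
    server = LevelMembership(SERVER_ROLES)
    for user, role in [("bob", "admin"), ("carol", "owner"), ("dave", "user")]:
        server.grant(user, role)
    return (sorted(entity.roles["alice"]),
            can_manage_server_role(server, "bob", "dave", "admin"),
            can_manage_server_role(server, "bob", "carol", "owner"))
```

The same ordering check applies to removal: a request to remove a role above the actor's own, or to touch a user who holds one, is rejected.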