Overview of roles on all levels
|Reader||All customer area members.||Grants read-only access to the customer area. Basic role for accessing the customer area.|
|User||All customer area members. Assigned automatically when a person joins any project.||Grants read-only permissions to enter the proper customer area and the ability to create their own project.|
|Admin||Customer key persons||Grants the ability to add/remove users in the customer area (removal is usually used when an employee leaves the company)|
|Owner||Customer key persons||Grants the ability to change roles for users + approval capabilities (buying licenses, approving raising of resource limits)|
|Billing||Company accountants, ICT managers||Grants access to billing capabilities and details.|
|Reader||All project members.||Grants read-only access to portal project. Basic role to access portal project.|
|User||Usually standard users||Grants ability to add/remove servers.|
|Admin||Usually senior or lead team members||Grants ability to add/remove servers and SaaS entities (Jira projects, Confluence spaces, Bitbucket repositories)|
|Owner||Usually project managers||Grants ability to add/remove users, change roles for users + approval capabilities like buying licenses, requesting/approving raising of resources limits|
|Billing||Project accountants, project managers||Grants access to billing capabilities and details.|
|Reader||Not available for end-users. Granted automatically based on the user's membership of some application entities.||Usually gives the ability to log in to the application and reserves a license where applicable. This is managed automatically by TDS; no action is required from end-users.|
|User||Not available for end-users. Granted automatically based on the user's membership of some application entities.||Usually gives the ability to log in to the application and reserves a license where applicable. This is managed automatically by TDS; no action is required from end-users.|
|Administrator||Not available for end-users. Used by customer administrators only.||Reserved for customer administrators to be able to manage SaaS applications with partial administrator permission.|
|Reader||Usually project customers, collaborators or for example employees with access to some shared documentation. This role is granted automatically to any new member of entity.||Grants usually read-only access and comments to particular entity (differs by application type). Basic access to entity.|
|User||Roughly 90% of users - developers, technical specialists...||Read-write access to particular entity (differs by application type).|
|Admin||Usually senior developers, project managers.||Manages various aspects of the entity (differs by application type).|
How role management works in TDS:
- There is no inheritance of roles between portal, area, project and entities/servers/applications levels.
- At project level, a "mass user management" function is available that allows synchronising user roles from project level to application entities level. This substitutes for inheritance where necessary but still gives granularity to projects that need it.
- For security and convenience reasons, removing a user from the lowest role at a particular level automatically removes them from all higher roles at that level. For example, removing someone from the user role also removes them from the admin role.
Customer area roles
|List projects member of||X|
|List users in CA||X|
|Add user to CA||X|
|Delete user from CA||X|
|Set and change roles|
*Only Portal admin can delete an invitation.
|View/edit favorite objects||X|
|View service detail||X|
|List service users||X|
|Add/remove service user||X|
|Change service users roles||X|
|View server detail (connections,apps)||X|
|Change server state||X|
|Change server capacity||X|
|Enable/disable server backup||X|
|List server backups||X|
|List server usage||X|
|List server logs||X|
|List server users||X|
|Add/remove server user||X|
|Change server user role||X|
|View application detail||X|
|Modify project properties||X|
|Manage service account||X|
|View security groups/rules||X|
|Add/modify security groups/rules||X|
|Add/invite/remove user to/from project||X|
|View users in project||X|
|Change user roles||X|
Reader role is inherited by all other roles. Admin role inherits from user role.
Only the Portal admin (tdsadmin) role has access to the Admin section and additionally sees a few more folders/buttons in the Portal (the Retrigger button in Project/Server/Settings).
In SaaS applications there are no application roles available for standard users; those are reserved for TDS administrators only.
Roles available for standard users can be found below in entities roles chapter.
Application entities roles
- x - means that the role has the given permission(s)
- green colour - shows which permissions each person gets when roles are assigned as designed (the given role including all lower roles)
|moving issues between workflow steps||x|
|editing own comments||x|
|managing project workflows||x|
|editing own comments||x|
|deleting anyone's comments||x|
|creating merge requests||x|
|approving merge requests||x|
|write into repository (annotate, deploy, cache, delete/overwrite)||x|
|read access to folder||x|
|write access to folder||x|
- x* - means that an additional check on "server roles" is required
- x** - means that "Server Admin" can manage server user roles only up to his own level in the role hierarchy - in other words, he cannot assign/delete the "Server Owner" role
|area admin||area owner||project user||project admin||project owner||server user||server admin||server owner/creator|
|Add user to server||x||x||x*||x||x|
|Remove user from server||x||x||x*||x||x|
|Change server user role||x||x||x*||x||x|
|Change server state (start, stop, ...)|
|Change server capacity||x||x||x*||x||x||x||x|
- Server Owner has more privileges than Server Admin, but mostly in the hardware management area: the owner can delete the server and change server capacity.
- Server Admin is able to manage user roles on a server, but only for users up to his own level in the role hierarchy - Server Admin cannot manage Server Owners.
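
The rules under "How role management works in TDS" and the Server Admin restriction above can be modelled as follows. This is an added example, not TDS code: the class, method and user names are hypothetical, the role orders are read from the tables on this page, and only server-level roles are checked (the area and project columns of the matrix are not modelled).

```python
# Added illustration of the role rules; all names are hypothetical, not TDS code.
ROLE_ORDER = {  # lowest role first; Billing omitted (the page gives it no rank)
    "area": ["reader", "user", "admin", "owner"],
    "project": ["reader", "user", "admin", "owner"],
    "server": ["user", "admin", "owner"],
}

class RoleStore:
    def __init__(self):
        # (user, level, scope) -> roles. Nothing is derived from another level,
        # which models "no inheritance between levels".
        self.grants = {}

    def roles(self, user, level, scope):
        return self.grants.get((user, level, scope), set())

    def grant(self, user, level, scope, role):
        if role not in ROLE_ORDER[level]:
            raise ValueError(f"unknown {level} role: {role}")
        self.grants.setdefault((user, level, scope), set()).add(role)

    def revoke(self, user, level, scope, role):
        # Assumption: revoking any role also revokes every higher role on the
        # same level (the page's example: losing "user" also removes "admin").
        order = ROLE_ORDER[level]
        dropped = set(order[order.index(role):])
        self.grants[(user, level, scope)] = self.roles(user, level, scope) - dropped

    def top_rank(self, user, level, scope):
        order = ROLE_ORDER[level]
        return max((order.index(r) for r in self.roles(user, level, scope)), default=-1)

    def can_change_server_role(self, actor, target, server, role):
        # Only Server Admin/Owner manage roles, and only up to their own rank:
        # an admin can neither assign/remove "owner" nor manage an owner.
        order = ROLE_ORDER["server"]
        actor_rank = self.top_rank(actor, "server", server)
        if actor_rank < order.index("admin"):
            return False
        needed = max(order.index(role), self.top_rank(target, "server", server))
        return actor_rank >= needed

def demo():
    s = RoleStore()  # constructed sample data
    s.grant("alice", "project", "p1", "owner")   # project owner ...
    s.grant("alice", "server", "srv1", "admin")  # ... still needs a server grant
    s.grant("bob", "server", "srv1", "owner")
    s.grant("carol", "server", "srv1", "user")
    s.grant("carol", "server", "srv1", "admin")
    s.revoke("carol", "server", "srv1", "user")  # cascades to "admin"
    return s
```
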