Feature #4427

open

Create a new type of role for not project specific maintenance

Added by Holger Just almost 15 years ago. Updated over 5 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Permissions and roles
Target version: -
Start date: 2009-12-16
Due date:
% Done: 0%
Estimated time:
Resolution:

Description

The current role / permission concept is based on the assumption that everything of the daily work is done inside of projects. While this is true most of the time, there are more and more cases where things are done outside the scope of a project.

One example of this is the new permission to create projects as a non-admin user (#2963). This is allowed, if a user has that right in at least one project (checked by performing a global permission check). If she has that permission she can create projects anywhere in the project tree (at least if I understood the feature correctly).

However, this is not what I would expect from that permission. I expected that a user with that permission would be able to create a subproject on the project with that permission only, that permission consequently being project-specific. The opportunity to create projects anywhere in the project tree is something that I would expect from an admin user only.

Another example is the creation of trackers and issue states and their management (workflows et al.), or the creation of custom fields. This is currently only possible for admin users.

In large installations which are used by many different organizational units of a company, this can lead to a large indirection, as it is not feasible to have a huge number of real admins with the ability to look in every project. So requests to have certain features added have to be directed to one of the few admin users.

To solve this, I propose an additional type of role. These new roles can be assigned to a user but no project. They should allow granting a user certain global rights, like the creation of global projects, custom fields, new trackers, ... The goal is to prevent the misuse of global permission checks as done by the "create project" permission check in the ProjectsController.

I think these new roles could be fairly easily patched into the existing permission model and provide similar functionality as the global check. But the permissions / roles are explicitly declared by the user, who can then better understand the consequences of certain permissions.


Related issues

Related to Redmine - Defect #4431: Non-admin user cannot create project :for revision 3174 (Closed, 2009-12-17)
Related to Redmine - Defect #6728: how to assign global rights? (Closed, 2010-10-22)
Related to Redmine - Feature #6670: Admin rights should not override rights given through roles (New, 2010-10-14)
Has duplicate Redmine - Feature #6800: howto assign global rights (Closed, 2010-11-02)
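
A simplified model of the permission checks discussed in this issue, as an added example that is not Redmine code and not part of the original report. All class, method and permission names are hypothetical, and the `:proposed` branch assumes one reading of the request: a project role covers only subprojects of that project, while a user-level role covers the whole tree.

```ruby
# Simplified authorization model; not Redmine's implementation.
Role = Struct.new(:name, :permissions)

class User
  def initialize(memberships: {}, global_roles: [], admin: false)
    @memberships = memberships    # project name => [Role, ...]
    @global_roles = global_roles  # proposed: roles bound to the user, no project
    @admin = admin
  end

  # Behaviour described in the issue: a role in ANY project satisfies the check.
  def allowed_in_any_project?(perm)
    @admin || @memberships.values.flatten.any? { |r| r.permissions.include?(perm) }
  end

  # Project-specific check: only roles held in this project count.
  def allowed_in_project?(perm, project)
    @admin || @memberships.fetch(project, []).any? { |r| r.permissions.include?(perm) }
  end

  # Proposed check: only explicitly assigned user-level roles grant global rights.
  def allowed_globally?(perm)
    @admin || @global_roles.any? { |r| r.permissions.include?(perm) }
  end
end

# parent == nil means a top-level project. Unknown models deny by default.
def may_create_project?(user, parent, model)
  case model
  when :any_project_check
    user.allowed_in_any_project?(:create_project)
  when :proposed
    return true if user.allowed_globally?(:create_project)
    !parent.nil? && user.allowed_in_project?(:create_project, parent)
  else
    false
  end
end

# Constructed sample data.
manager    = Role.new("Manager", [:create_project])
alice      = User.new(memberships: { "team-a" => [manager] })
maintainer = User.new(global_roles: [Role.new("Project maintainer", [:create_project])])

[[alice, nil], [alice, "team-b"], [alice, "team-a"], [maintainer, nil]].each do |user, parent|
  old = may_create_project?(user, parent, :any_project_check)
  new = may_create_project?(user, parent, :proposed)
  puts "parent=#{parent.inspect} any_project_check=#{old} proposed=#{new}"
end
```

Under the any-project check, a role held only in `team-a` also authorizes creation at the top level and under `team-b`; under the proposed split, that reach requires a role assigned to the user directly.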