Lab Management relies on specially-named roles to assign access.
For TeamForge users
Like
TeamForge,
Lab Management relies on specially-named roles to assign access. Your
TeamForge
projects will need specially-named roles to work with
Lab Management. When you set up a
project for the first time in
Lab Management, these roles will be created for you in your project.
In increasing level of privilege, the roles are:
- Lab Management - User Access
- Lab Management - Root Access
- Lab Management - Project Admin -- Users with a role in a project that grants Project
Administrator in an TeamForge project are automatically granted the Lab Management-Project
Admin role in the corresponding Lab Management project
- Lab Management - Domain Admin --This role is automatically granted to TeamForge site administrators.
Note: Lab Management 2.4 supports site-wide roles and global roles in
TeamForge.
- With TeamForge 6.0 and later, you can create the "Lab Management - Domain Admin" site-wide role.
So, a user with this role, in addition to TeamForge site
administrators, can log in as a Lab Management domain administrator.
- In TeamForge 5.4.x and earlier versions, the Lab Management - User Access,
Lab Management - Root Access, and Lab Management - Project Admin roles were project-specific. In TeamForge 6.0 and
later, they can be made global roles and inherited in projects.
For CEE users
In contrast to CEE, which
relies on permissions and uses roles as customizable baskets of permissions,
Lab Management needs special roles to work. For example, in CEE, the Developer role comes by default with a certain set of permissions but these can be customized by the Site Administrator. In
Lab Management, the roles cannot be customized.
Lab Management uses three project roles and one domain role in CEE, which must all be present in your CEE site that is attached to the
Lab Management Manager. Any person with Domain Administrator privileges can create these roles, which are listed in the order of the minimum-to-maximum number of privileges:
- Lab Management - User Access (project role)
- Lab Management - Root Access (project role)
- Lab Management - Project Admin (project role) -- is automatically granted, on a per-project basis, to users with the corresponding CEE project's Project Owner role
- Lab Management - Domain Admin (domain role)-- is automatically granted to users with the Domain Admin and the Host Admin roles in CEE
Why separate roles and permissions are used in Lab Management
It is very likely that in a real software development project, some separation exists between the administration of the development, QA, and test infrastructures and other aspects of project administration such as code commit privileges and user administration. For example, it is a common specification in security and compliance audits that the developers with commit access to the code should not have access to test systems. By giving separate Lab Management permissions, the Lab Management software enables this type of separation of duties to occur.
Permissions
While virtually all access to
Lab Management is arbitrated by the four roles, there is one exception. The Project Build Library is meant to be accessed by users who do not have any
Lab Management roles. Therefore, when these users download files from the Project Build Library,
Lab Management uses the Project Document - View permission to control access, which is granted as follows:
- For access to the pub area of the Project Build Library, the user must be a valid member of the CEE Domain.
- For access to the priv area of the Project Build Library, the user must have Project Document - View permission in that project.