Configure user roles

User roles control the portal content a user can access, and what level of access the user has to project artifacts and data. For example, a someone assigned a project_admin role generally can make changes to project artifacts, while someone with a project_user role would typically have read-only access. What a user with a given role can access is controlled by the permissions configuration. In Polarion, permissions are applied to roles, and roles are assigned to users.

User roles can be assigned in the repository scope, and in individual projects. Repository-scope roles control permissions of users when they log on to the repository. Project-scope roles control permissions of users when they log on to a project.

  • User roles are configured in the User ManagementRoles topic in the Administration interface.

  • The level of access for each defined role is configured in User ManagementPermissions Management.

  • Configured roles can be assigned to users in either User ManagementRoles, or User ManagementUsers.

Default Roles

Polarion comes preconfigured with several default user roles for different scopes. These are documented: Default Roles and Permissions.

Manage Role Definitions

You can add or delete role definitions for the repository or a project. If you add a new role definition, you need to configure permissions for it in User ManagementPermissions Management: (see Configure User Permissions). If you assign a role to a user without defining permissions for the role, the user assigned to it cannot access anything in the repository. Also, access rights for the Subversion repository should be adjusted for the new role in User Management Access Management (topic available only when using a Polarion ALM product license), or in the SVN access file directly.

Add a Role definition:

  1. Log on with administrator permissions for the scope in which you want to define the new role, and enter Administration.

  2. If adding a repository-scope role, select Repository in the Open dialog box, otherwise, select the project for which you want to add a new role definition.

  3. In Navigation, User Management and select Roles. The Roles administration page appears, listing the roles currently configured for the scope in which you are working.

  4. In the page toolbar, click Create New Role.

    A new role definition form appears in the lower half of the page.

  5. Enter a role identifier in the ID field. For example: project_tester. Don't use spaces in the ID.

  6. In the Users section of the page, select the user(s) to whom you want to assign the new role. (This is optional - you can assign the role to users at a later time.)

  7. Click the Create button to save the new role definition.

  8. Open User ManagementPermissions Management, click the By Role tab, and select the new role you just created in the Role list.

  9. Grant all the permissions you want users who are assigned the role to have, and click Save when finished.

Delete a Role definition:

  1. Log on with administrator permissions for the scope having the role definition you want to delete, and enter the Administration interface.

  2. In Navigation, expand User Management and select Roles.

  3. On the Roles page, in the table listing currently configured role definitions, select the role definition you want to delete.

  4. Important: In the role definition detail form in the lower part of the page, review the list of users who are assigned the role you are about to delete, and make sure these users have some other role assigned — at least the repository-scope user role, for example. After you delete the role definition, any users who were assigned only that role and no other lose access to all content in the portal.

    When you are ready to proceed, click Delete and confirm the action when prompted.

Assign Roles to users

You can assign one or more roles to any user. A role definition must already exist in order for the role to be assigned to users.

It is possible to assign a user multiple roles in a project, but this is not the recommended practice. In particular, the roles project_admin and project_user should be used exclusively, adding only the project_assignable role if the user should appear in the list of users in the Assignee field. In general, assign a role that provides the user all the permissions needed to perform his/her tasks, and no more.

For example, by default the project_admin provides all the permissions of a project_user, so you do not need to assign it in addition to project_admin.

Tip:

You can easily review which permissions are granted by a role assignment. Select the role name on the By Role tab in AdministrationUser ManagementPermissions Management (click Expand All).

  1. Log on with administrator permissions for the scope in which you want to make role assignments, and enter Administration.

  2. Use the Open Project or Project Group dialog to select Repository, or a project.

  3. In the Navigation panel, select User Management Roles.

  4. In the Roles table, select the role you want to assign to users.

  5. In the Users table (lower half of the page), click Edit.

  6. In the Name column of the Users table, select a user in the drop-down list. The selected user is assigned the selected role.

  7. To assign more users to this role, click the icon in the Actions column, and select another user in the Name list in the new table row.

  8. When you have added all the users you want to assign the role, click Save to complete the assignment(s).

The Assignable Role:

Users must have a role of assignable and/or project_assignable in order to have Work Items assigned to them.

If users report that they are missing in Assignee lists, an administrator should make sure such users are assigned the Assignable role in the appropriate scope.

The User Role:

By default, permission to log on to the portal is granted to users having a role of user. If a user cannot log on, review the assigned roles and make sure the repository-scope role user is assigned. When a new user account is created, this role is not automatically assigned. You can tell if the user does not have this role if the user account page shows [disabled] in red text. See Create User Accounts for more information.

Synchronizing Roles with Repository

The Roles page of Administration provides the Synchronize SVN Access File button on the page toolbar. The button updates the access file of the Subversion repository, synchronizing it with the role definitions and user role assignment configurations. (Only the first part of the access file is affected, not the directory rules in the second part). It ensures that access file contains group for every user role and that group membership is in sync with role assignment.

Generally, an administrator should only need to run this synchronization if people with an assigned role cannot access repository resources as expected. This can either be from externally editing the access file, or manually changing the user-roles.xml configuration file in the repository. Run the Synchronize SVN Access File once the manual file modifications are complete.