Permissions management

This section provides reference information that can be useful when configuring user permissions and user roles.

Permissions Configuration

Note:

The information below is provided for programmers who may need to check permissions in some custom extension or script. Administrators should use the User Management: Permissions Management topic of Administration to configure user permissions.

The global security configuration is stored in the /.polarion/security/permissions.xml file.

Permissions can also be configured for each project, so there can be a project-scope permissions.xml as well. The project-scope permissions.xml file is stored in PROJECT_FOLDER/.polarion/security/.

When parsing permissions, Polarion checks the project scope first. If any permissions are not specified in that scope, it checks the global scope.
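The following added example (not part of the Polarion documentation or product code) inventories the global and project-scope permissions.xml files in a repository working copy, lists the files that apply to a project in the order described above, and flags scopes whose file was added, removed or modified against a recorded baseline. It assumes the leading "/" in the global path means the repository root and that the repository is checked out on disk; the function names and the sample tree are constructed, and file contents are hashed but never parsed.

```python
import hashlib
import tempfile
from pathlib import Path

# Relative location given on this page, for both the global and the project scope.
REL = Path(".polarion") / "security" / "permissions.xml"

def write_permissions(root, folder, text):
    """Sample helper: create <root>/<folder>/.polarion/security/permissions.xml."""
    target = Path(root) / folder / REL
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text)

def build_sample_repo():
    """Constructed sample tree; file bodies are placeholders, not the real schema."""
    root = Path(tempfile.mkdtemp())
    write_permissions(root, "", "<placeholder scope='global'/>")
    write_permissions(root, "projects/alpha", "<placeholder scope='alpha'/>")
    (root / "projects" / "beta").mkdir(parents=True)  # project with no override
    return root

def find_permission_files(root):
    """Map scope -> (path, sha256). Scope is 'global' or the project folder."""
    root, found = Path(root), {}
    for path in sorted(root.rglob(REL.name)):
        if path.parts[-3:] != REL.parts:
            continue  # some other permissions.xml, not a security config
        owner = path.parents[2]  # folder that contains .polarion/
        scope = "global" if owner == root else owner.relative_to(root).as_posix()
        found[scope] = (path, hashlib.sha256(path.read_bytes()).hexdigest())
    return found

def lookup_order(found, project):
    """Files consulted for a project: project scope first, then global."""
    return [found[s][0] for s in (project, "global") if s in found]

def changed_scopes(baseline, found):
    """Scopes whose file was added, removed or modified since the baseline."""
    current = {s: digest for s, (_, digest) in found.items()}
    return sorted(s for s in baseline.keys() | current.keys()
                  if baseline.get(s) != current.get(s))

if __name__ == "__main__":
    repo = build_sample_repo()
    inventory = find_permission_files(repo)
    for scope, (path, digest) in inventory.items():
        print(f"{scope:16} {digest[:12]}  {path.relative_to(repo)}")
    print([p.relative_to(repo).as_posix() for p in lookup_order(inventory, "projects/beta")])
```

A project-scope file that appears in `changed_scopes` without a matching administrative change is worth reviewing, since it takes precedence over the global configuration for that project.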

Default user roles and permissions

User roles are roles that can be defined and assigned permissions by administrators. You can access the list of user roles in Administration: User Management: Roles. In Repository administration, only the repository-scope roles are shown. In project administration, only project-scope roles are shown. In addition to user roles, there are "dynamic roles". These are built-in roles used for controlling permissions for various artifacts such as Work Items and Documents.

The following tables provide a high-level description of the default user permissions. Note that permissions can be customized in the User Management: Permissions Management topic of Repository or project administration.

Roles assigned in the Repository (global) scope apply to all projects. For example, if a user is given the global user role, that user will have the role and all globally configured permissions of the role in every project.

| Role name | Description of permissions |
| --- | --- |
| admin | Repository administrator. All permissions are granted. |
| user | Repository user. Users with this role can log on and manage their own account settings. A user with only this role, without any project role(s), cannot access projects. Note that logon permission is tied to the user role and will not work if assigned to other roles (watcher, for example). |

| Role name | Description of permissions |
| --- | --- |
| project_admin | User granted access to Administration for the project in which the role is assigned. User has full administrator permissions within the scope of the project. User cannot access Administration in other projects where this role is not assigned to him/her. User cannot access Repository Administration unless granted the role admin in that scope. Note: A user assigned that permission does not need to have the project_admin role assigned in any project. |
| project_approver | Project-scope permission to review project content, including approving/disapproving Work Items, commenting on Work Items and Documents, and resolving own comments. Users assigned this role for a project appear in the pick list of users who can be added as an Approving User in the Approvals section of the project's Work Items, available in the Table view of Work Items. |
| project_assignable | Project-scope permission to have Work Items assigned. Users with this role appear in the pick list of users in the Assignee field of Work Items. By default this role has broad permissions allowing users to create, read, and modify project content, including browsing and running reports and builds. |
| project_user | User is granted limited access to the project. User can read all objects but not modify or create them. User can download builds and view reports, but cannot initiate builds or refresh reports. Note that logon permission for projects is tied to the user role and will not work if assigned to other roles (project_watcher, for example). |