We’re testing TRIRIGA Platform 3.5.3 and we noticed a difference in the (project context) “Company/Project” toggle visibility. The users have access to the license “IBM TRIRIGA Workplace Performance Management Projects” and it now displays the toggle option (it didn’t display before). When we remove this license, the toggle disappears. Is this new behavior documented anywhere? I did some research and I couldn’t find anything. Is there a way to remove this option for specific groups?
[Admin: This post is related to the 02.13.17 post about the relationship between project context and security.]
I am looking for any resource that will provide information on how security for the Document Manager works with Company level views and Project level views. A couple of preliminary questions. (1) Can security group settings control what action displays or not? I cannot seem to get consistent results when changing settings in a particular security group. (2) Next, when the user is in Project level view, how do you control security settings for the Document Manager in this view?
The Document Manager actions are controlled by access given on the Permissions tab of the folder/document. Access can be: View, Modify, Download, Create, or Full Admin access. (Admin users have access to all actions by default.) For the user who creates a document record, all access to the document is given implicitly.
Similarly for the Project container: Only documents of the project for which the user is the author have all access. Access to other documents in the project is controlled by the access given on the Permissions tab of the folder/document.
[Admin: To see other related posts, use the Document Manager tag.]
By default, the “Company|Project” toggle switcher allows switching to a capital project. Is it possible to switch to a facility project?
No. The facility project was not created with the same structure as the capital project. So the silo behavior that is associated to the capital project is not provided for facility project. But it would be possible to create a custom solution to do so. Or if you would like to see this sort of behavior in the as-shipped application, you might enter an RFE to request that enhancement.
[Admin: This post is related to the 02.13.17 post about project context. To see other related posts, use the Project Context tag or “capital project” search phrase.]
We have some capital projects created, and they are viewable only when logged in as an Admin-level person. But as non-Admins, we are unable to view the projects. If we login as a non-Admin and click on the magnifying glass, a query comes where no projects are shown in searching for it. It’s no use whether I select company-level or project-level. Any clues on access? Or how a non-Admin can see the projects?
Were the non-Admin user groups added to the Security tab of the project?
[Admin: This post is related to the 02.13.17 post about project context and security. To see other related posts, use the Admin Group tag.]
The project context can be set to a project where the user does not have Capital Project security access. A user cannot modify or update data inside the project when they do this. However, the TRIRIGA platform should prevent the setting of this context from ever occurring in the first place.
Users can set the project container through direct URL manipulation. Moving forward, the privilege escalation vulnerability has been resolved.
[Admin: This post is related to the 03.01.17 post about a privilege escalation vulnerability in the Report Manager, and the 02.13.17 post about the relationship between project context and security.]
TRIRIGA has the notion of project-based security scope, also called project context. At the upper right-hand side of the main TRIRIGA portal, there is a toggle to switch between Company and Project-level security, as well as a query to find and select in which project to operate.
To see and select a project, the user must be given specific security access to a project. This is done by adding the user’s group or the specific user to the Security tab of the project. Once the user or users have been granted access to the project, and they select the project from the project selector on the portal, they are then in the “context of the project.”
Any records created in the project context are then owned by that project, and security is restricted to those records, so the records are only visible and editable to those people that have access to the project, and have also switched their scope to run in that project context.
Items like documents and folders within Document Manager will also operate in a project context. You may notice that files uploaded to the Notes & Documents tab of records in the project context have a different folder path within Document Manager. Because the entire Document Manager tree is also in the project context, it is necessary to have the parent folder created in the project context as well. This folder’s path will be different than the uploads on records at the company level.
[Admin: This post is related to the 04.08.16 post about where your documents go in TRIRIGA, and the 08.25.16 post about an issue with selecting child projects.]