This topic describes how to create each type of permission profile.
The basic flow for creating a permission profile is to:
- Click New and give the profile a title
- Add permission rules to the profile
- Select the entities and associated permissions to grant the users defined by the rule type.
Note that you can do the steps in any order, the only thing you must do first is click New.
Remember that you can put multiple rule types in one profile. For example, you might want to grant permissions to all members of a unit, plus one user who is not in the same unit. You would put a User rule and a Unit rule in the same profile.
Note: If you are using the Centralized Resource Staffing feature, you will have additional profile permissions. See About Staffing Permissions for information.
You create a Global profile when you want to grant a user/group/unit selected permissions to all instances of an entity. For example, imagine you have a data analyst named Jacob Ladder, and you want to give him permission to edit all reports.
The example below shows how to give global permissions to a user. You would follow the same process for groups or units - in step 3 just select the appropriate radio button (user, group, or unit) and select
- From Admin/Permission Profiles, click New and create a new profile called 'Edit Reports'.
- Choose Add > Global.
- In the Add Permission Rule dialog, select the User radio button and then select the user (Frank True in this example) to whom you are granting permissions and click Select.
The Global rule now appears in the Permission Rules list:
Note that if you select multiple users, each user will be given its own rule - this makes it easy to inactivate or delete individuals
- In the Permissions Hierarchy, select Reports -> Edit. The Edit permission automatically includes permissions to edit the Details and the Team of any report.
- Click Save.
By default, all entity owners implicitly have view/edit permissions on the Details section of any entities they own - regardless of if there is an Owner profile. Implicit owner permissions are not derived from profiles; additional permissions are derived from profiles. For example, you can give entity owners permission to delete their owned instances by enabling this permission in a profile configured for the appropriate entity types and that uses the Owner rule - however, you cannot prevent an owner from viewing the Details section/tab. See Implied Permissions for Entity Owners.
Note that PPM Pro supplies an All Owner Permissions profile. You can use this one or delete it and create your own.
- From Admin/Permission Profiles, click New and create a new profile called 'Owner Permissions'.
- Choose Add > Owner. The Owner rule is in the Permission Rules list:
- In the Permissions Hierarchy, check the Dashboards -> Delete permission, for example, to allow dashboard owners to delete dashboards they own.
- Click Save.
You create team profiles to give entity team members permissions on the instance of the entity whose team they are on. For example, you can add people to a project's team along with a profile that describes the permissions they have for that project. You can have multiple team profiles for the same entity. Perhaps for a specific portfolio (XYZPortfolio) you want to give one user or set of users View permissions, and another set of users Edit permissions. You would create two profiles: View_Portfolios would have the Portfolio > View permission, Edit_Portfolios would have Portfolio > Edit permission. When you add members to the XYZPortfolio team, you will assign each user, or group of users, the appropriate profile.
- From Admin/Permission Profiles, click New and create a new profile called 'Full Edit Permissions'.
- Choose Add > Team.
- In the Add Permission Rule dialog, choose Portfolio. Note that you can create a profile that applies to multiple entity types by selecting more than one entity. The system will automatically create a rule for each entity type. So if you pick Portfolio and Dashboard, you will see two rules in the Permission Rules section.
The Team rule now appears in the Permission Rules list:
- In the Permissions Hierarchy, select Portfolios > Edit. For the purpose of this example, also select Dashboards > Edit permissions. (Remember, if you selected the Project entity, for example, configure the permissions under the Project branch.)
- Click Save.
- From the Portfolios tab, open the XYZPortfolio and click its Team tab.
- Click Add, select the user/group/unit from the Add New Team Member dialog, and choose 'Full Edit Permissions' from the Member Profile droplist.
- Click Select.
The users you selected now have permission to edit the XYZPortfolioDashboard.
Repeat to add users to the XYZPortfolioDashboard.
(Note: With the ability to now grant permissions on projects of specific categories, we think the Associations rule type will become obsolete and we are considering deprecating. Please avoid using, and if this confuses you, please post a question in Community Discussions or enter a support case to ask for assistance.)
You create an association profile to give unit members the selected permissions on portfolios or projects that satisfy various associations. Associations describe the relationship between the unit and the portfolio. The associations are:
Funded by Unit
Owned by Unit
Provided by Unit
An association profile contains one or more association type. For each association type, you specify the permissions to grant on the project/portfolios in a unit's Associations tab that have the matching association type. The unit members are granted the project/portfolio permissions specified in the profile.
For example, imagine you want to ensure that all members of Unit A have permission to view all portfolios with a 'Benefits Unit' association with Unit A (that is, the portfolios have been added to Unit A's Associations tab with the 'Benefits Unit association). You would do the following:
- From Admin/Permission Profiles, click New and create a new profile called 'View Portfolios'.
- Choose Add > Association.
- In the Add Permission Rule dialog, choose 'Benefits Unit' and click Select.
The Association rule now appears in the Permission Rules list:
- In the Permissions Hierarchy, select Portfolio > View.
- Click Select.
Users in Unit A now have permissions to view associated portfolios that have the 'Benefits User' association.
See Creating Staffing Permission Profiles for information about creating staffing profiles.