As described in Permissions Explorer Overview, the Permissions Explorer is a tool that is designed to help answer these 2 questions:
who has permissions on this entity, and how
what entities does this user have permissions on, and how
If you haven't already, you might want to familiarize yourself with permissions profiles. See Working with Permission Profiles.
Anatomy of the Permissions Explorer
You display the explorer in the following ways:
Select an entity from a list page and choosing Actions > View Permissions on this Entity. Using this option puts the explorer in the context of the entity (keep in mind that the entity can also be a resource/user).
Select a resource from the Resource Workbench or the Resource page and choosing Actions > View User's Permissions. Using this option puts the explorer in the context of the user.
The Permissions Explorer will open in a new tab.
If the context is an entity (like the screenshot above, as is indicated by the explorer title), the left panel displays the users with permissions on the entity (Hyperspace Bypass). Only users with permissions on the Hyperspace Bypass project are displayed in the list. The middle panel displays the various profiles granting permission for the selected user to the selected entity; the Rule Type reflects how the permission is granted (global or team), and the Applied Entity shows how the user received the profile (as an individual user, or as part of a group or unit).
If the context is the user (see screenshot below), the top-left panel shows all the entity types the user has permission on. When you select an entity type, the lower-left pane shows all the instances of that entity type that user has permissions on. The middle panel shows one or profile granting permission to the user on the selected entity instance.
Note: Users can be included in multiple profiles for the same instance. This is good to remember when troubleshooting why a user still has permissions even after you deleted a profile.
Things to Keep in Mind
The explorer context is indicated by the explorer title:
- entity context = "People with Permissions on <entity type>:<entity title>"
- user context = "User's Permissions:<user name>"
Multiple profiles for the same entity:
A user can be mapped to multiple profiles for the same entity. For example, the user might be on the team of a project with a Team profile, and might also be a member of a group that has a global profile for the same project. This means if you delete the user from the project team, he/she will still have permissions to the project granted by the group profile.
Some questions the explorer can help you answer:
Who has permissions on my project?
I set up some permissions, but I'm not sure I did it correctly. How can I spot-check some users that I know should have certain permissions.
Someone has access to a project and I don't understand how.
Scenario 1: Who has permissions on my project?
You can easily see the members of the Hyperspace Bypass project team, along with their corresponding permissions profile, by simply looking at the project Team: Profile-Based Permissions section:
However, there maybe be permissions granted on Hyperspace Bypass that did not come by way of the project team. You can use the Permissions Explorer to see the routes of these additional permissions. For example, a user might be a member of a group that has global permissions on the project.
- Navigate to the Projects list and select Hyperspace Bypass.
- Choose Actions > View People with Permissions on this Entity.
The Permissions Explorer opens in a separate tab and displays a list of users/groups/units with permissions on Hyperspace Bypass. Alex Adams is at the top of the list again.
- Select Alex Adams.
Alex is associated with 2 profiles: Project Contributor and Project Viewer.
- Select Project Contributor.
The Project Contributor profile has a Team rule type, which means it conveys permissions for a specific users on the team of a specific entity. This profile was used when Alex was added to the Hyperspace Bypass project team. The actual permissions conveyed by the profile are displayed in the Permissions Hierarchy on the right-hand side; you can see that there are View permissions included in the profile.
- Now click Global Project View.
The Global Project View profile has a Group rule type, which means it conveys global project permissions (all instances) to all members of the group the profile is applied to: Full Users. Alex is a member of the Full Users group, which is the group this profile is applied to.
The Full Users group is given view permissions to all projects - you can see in the Permissions Hierarchy that there are View permissions.
It's good to know about this additional profile, because you might remove Alex from the project team and assume that he no longer has access to the Hyperspace Bypass project. To fully remove him, you'll have to remove the group profile, which would revoke permissions for all members of the Full Users group.