In this Admin Guide, we cover OAE User Permissions – understanding the permissions scheme, configuring project and global permissions, designating sensitive projects, and more.
Table of Contents
Overview of User Management
OAE User Permissions takes a “least permissions” approach to User Management. This means that anyone that is added to the proper Active Directory Group will be able to login to the system, but after successfully logging in, new users cannot see any projects or take any actions until an Administrator has updated their permissions.
Global Permission Levels
User
Users in the user group can login to the system, and that’s it. These users are generally granted specific project-level Permissions so they can view or edit only the projects they should have access to.
View
Users in the view group can see all projects in the system, but does not have the ability to edit any projects, unless given specific project Permission of Edit or Admin.
Edit
Users in the edit group can both View and Edit all projects in the system. They can access and update Project Settings, but only view System Settings – not update them.
Admin
Users in the admin group can do everything that users in the edit group, plus update System Settings. Admin permission is also required to create new projects.
Project Permission Levels
Global Permissions supersede Project Permissions. So Project Permissions are only used for granting permission that is greater than their Global Permissions to a user for a specific project.
There is no option for ‘None’ under Project Permissions, because not having access to a Project is the system default.
View
A user with View Project Permission can View that specific project, but not Edit it.
Edit
A user with Edit Project Permission can both View and Edit that specific project, but not update the Project Settings.
Admin
A user with Admin Project Permission can View and Edit the Project, and update Project Settings including Project Permissions.
This is particularly useful for granting access to a project for the Project Team, who want to see the estimate for their project.
Configuring Global Permissions
As a user with Global Admin permissions, you will be able to manage user permissions. OAE user permissions are managed in Keycloak. To update a user’s permissions:
- Click on Settings from the application menu:
- Go to the OAE User Permissions tab.
- Click on the blue User Management link. This will open up Keycloak.
- Click on the Users tab on the left sidebar.
- Search for the user you need to update and click on the username to edit their permissions.
- Navigate to the Groups tab.
- Swap out the assigned groups using the Join and Leave links in the relevant rows.
Note: A user can only be in a single group at a time. When changing a user’s group, you must remove their existing group and add the new group. Do not leave two groups assigned to a user.
Configuring Project Permissions
As a user with Global Admin Permissions or Project Admin Permissions, you have access to the Settings tab in Project Home.
From the project’s Settings, navigate to the Permissions pane on the left side.
From the Project Specific Permissions section, you can add permissions for a user by clicking the green plus (+) button.
Select the User and the Permission you would like to grant them, and click OK to add the Permission.
You can remove a user’s Project Permissions by clicking the green – (minus) button on the right of each row.
Sensitive Projects
If a project should not be visible to all users based on Global Permissions, users with the Project Admin permission can mark a project Sensitive. Users cannot view a Sensitive project unless they are directly added to the list of Project Specific Permissions. It will not be visible on the Dashboard, in Project or Work Item Search, in cross-project reporting, or any other location in the application.
To mark a project Sensitive, go to the Permissions pane in the project’s Settings tab, and hit the Make Sensitive button.
The system will remind you that only explicitly assigned users will be able to view the project. Clicking OK will mark the project Sensitive.
In OAE User Permissions, when a project is marked Sensitive, the project admin that marked it Sensitive will automatically be added to the Project Specific Permissions list. From there, that admin can add other users that need to be able to view, edit, or administer the project.
To indicate a project is Sensitive, the project will appear in various locations with a lock icon in various locations.
If a project should no longer be considered Sensitive, a user with Project Admin permission on the project can unmark it Sensitive, and the project will return to respecting the global permission structure in addition to the Project Specific Permissions.
To remove the Sensitive classification, go to Project Home > Settings > Permissions > Clear Sensitive.
The system will ask you to confirm that you want to remove the sensitivity of the project, which will revert the project to respecting all global level permissions. All users explicitly added to the project will remain with the previously assigned project permissions.
Clearing Project Permissions
From System Settings > User Permissions, you can clear ALL of a user’s Project Specific Permissions by clicking on the ellipsis (…) next to their Global Permissions, and clicking on the Clear Project-specific permissions… button.
This reduces the manual effort that may be required to revoke individual permissions to multiple projects that were granted to a user who should no longer have permissions.
Learn More
Check out the rest of our Admin Guides to learn more about configuring OAE.