Task: Grant Select Users Access to a Project

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

CodeSonar's Role-Based Access Control (RBAC) functionality allows you to restrict access to analysis information on a per-analysis, per-project, or per-project tree basis.

This task provides a concrete example of RBAC functionality: using roles and role-permissions to grant access to project ProjectX for users Alice, Bob, and Carol.

You will need to be authenticated as a user with G_ADMINISTER_USERS or G_MANAGE_USERS permission.

It is sufficient to authenticate as a user with the special Administrator role, which immutably has G_ADMINISTER_USERS permission. In particular, it is always sufficient to authenticate as special user Administrator.

Before you set up permissions, make sure the project and users already exist.

If ProjectX does not already exist on the hub, create it as a new, empty project.

If one or more of Alice, Bob, and Carol do not already have hub user accounts, create user accounts for them.

To grant access to ProjectX, we will create a Role with full permissions for ProjectX, then assign that Role to users Alice, Bob, and Carol.

If the CodeSonar Web GUI is not already open, open it now.

If you are not already signed into a hub user account that has sufficient permissions for this task, sign in now.

Navigate to the Roles page.

Click the Settings icon in the page header to view the Settings page.
Select the User Administration tab.
Click Roles.
The Roles page will open.

Create a new Role called ProjectX Team.

If necessary, scroll to the bottom of the Roles page so that the Create New Role form is visible.
Enter ProjectX Team in the New Role Name field.
Select a role from the Controlling Role menu. This role will be assigned all ROLE_* permissions for your new role when it is created.
Click the Create New Role button.
CodeSonar will create the new Role, then reload the page to show the updated set of Roles.

Click the ProjectX Team entry in the table of Roles to navigate to its Role Users page.
(You may need to use the table pagination controls to find the ProjectX Team entry.)

Set a description for the ProjectX Team Role.

In the role details section of the page, click the edit link next to the current Description ("none").
An editing form will open:
Enter a short description in the text field. For example, "Full permissions for ProjectX".
Click save.

Assign the ProjectX Team Role to Alice, Bob, and Carol.

In the user table, click the checkboxes in the Assigned column so that Alice, Bob, and Carol (and no other users) are selected.
Click the Save Changes button (under the table).
CodeSonar will save your changes, then reload the page to show the updated table.

Navigate to the Project Role-Permissions page for ProjectX.

Navigate to the Project page for ProjectX.
Click the Project Details link (under the page heading).
The Project Details section will expand.
Click the permissions link in the Project Details section (at top right).
The Project Role-Permissions page for ProjectX will open.

Assign all ProjectX permissions to the ProjectX Team Role.

Make sure all permission columns are showing in the table of Roles.
1. Click on any column heading to pop up the column management menu.
2. If the last item in the menu is Hide, all columns are already being displayed.
  If the last item is Show >, click that item and then click All in the submenu that opens. The table will update to show all columns.
Find the ProjectX Team row in the table.
Click to select all checkboxes in the ProjectX Team row.
Click the Save Changes button (under the table).

You will notice that some other roles have checkmarks denoting inherited role-permissions for ProjectX. These roles have been assigned permissions for one or more project trees that contain ProjectX, and so those permissions have been resource-inherited for ProjectX. In particular, the Administrator role has certain immutable role-permissions with respect to the root project tree. Since the root project tree contains all projects, the Administrator role will always have at least some permissions for every project including ProjectX.

You now have a role that grants full access to ProjectX, and users Alice, Bob, and Carol have been assigned that role. These users will therefore have full access to ProjectX and all its analyses.

Over the long term you may need to make occasional adjustments to the ProjectX Team Role. Some typical scenarios are listed in the following table.

Future Action	GUI Page
If more people join the ProjectX team, assign the ProjectX Team Role to their hub user accounts.	Role Users or User Roles
If people leave the ProjectX team, remove the ProjectX Team Role from their hub user accounts.	Role Users or User Roles
If you decide that you don't want the ProjectX Team Role to have administrative control over ProjectX and its analyses (for example, because you don't want its users to be able to grant access to other Roles), remove its PROJECT_ADMINISTER and ANALYSIS_ADMINISTER permission for ProjectX.	Project Role-Permissions
If ProjectX becomes defunct you may decide to delete the project from the hub, in which case it also makes sense to delete the ProjectX Team Role.	Roles or Role Users or User Roles
If the team associated with ProjectX acquires additional projects you may decide to manage the team's project permissions at the project tree level instead. Create a new project tree TeamX Projects at a suitable location in the project tree hierarchy. Move ProjectX and the other projects of interest so that TeamX is their parent project tree. Create a new Role TeamX, and assign the role to the team members. Navigate to the Project Tree Role-Permissions page for TeamX Projects and assign TeamX all permissions in the table. Delete the ProjectX Team Role (unless there are still some users that you only want to have access to this single project).	various (see task links at left)

Future Action

GUI Page

If more people join the ProjectX team, assign the ProjectX Team Role to their hub user accounts.

Role Users or User Roles

If people leave the ProjectX team, remove the ProjectX Team Role from their hub user accounts.

Role Users or User Roles

If you decide that you don't want the ProjectX Team Role to have administrative control over ProjectX and its analyses (for example, because you don't want its users to be able to grant access to other Roles), remove its PROJECT_ADMINISTER and ANALYSIS_ADMINISTER permission for ProjectX.

Project Role-Permissions

If ProjectX becomes defunct you may decide to delete the project from the hub, in which case it also makes sense to delete the ProjectX Team Role.

Roles or Role Users or User Roles

If the team associated with ProjectX acquires additional projects you may decide to manage the team's project permissions at the project tree level instead.

Create a new project tree TeamX Projects at a suitable location in the project tree hierarchy.
Move ProjectX and the other projects of interest so that TeamX is their parent project tree.
Create a new Role TeamX, and assign the role to the team members.
Navigate to the Project Tree Role-Permissions page for TeamX Projects and assign TeamX all permissions in the table.
Delete the ProjectX Team Role (unless there are still some users that you only want to have access to this single project).

various (see task links at left)

Task: Grant Select Users Access to a Project

Permissions Required

Preliminaries

Grant Users Access

Future Adjustments

Links