1.7A Permissions


Permissions in Clarizen allow your organization to compartmentalize work items, issues and other objects to be available only to users who have a relevant role related to that object.

A user who creates a new work item or issue can control who will have authorization to see and/or edit the object by controlling the roles on the object.

Basic permissions are built into Clarizen; therefore, some basic restrictions cannot be overridden.

The organization can choose to work in Enhanced Permissions mode in order to apply more access restrictions and add another layer of compartmentalization.

Why Do I Need Permissions in Clarizen?

Permissions are important in order to:

  • Expose relevant data only to relevant users
  • Allow Managers to access their Direct Reports' data
  • Restrict external users from accessing an organization's internal information
  • Restrict access via various non-UI Clarizen tools and integrations (such as the Excel plugin, Outlook plugin, iCal, InterAct and more)

Related System Settings

If you want to enable enhanced permissions, please verify (with your Clarizen Administrator) that the system setting "Permission Level" is set to "Enhanced" as detailed here.

Note:
Although the default value for this setting is "Basic", if your organization is an existing Clarizen organization from v5.3 (or before), the permission level may be set to "Enhanced" if in v5.3 the system setting "Allow organization wide search for internal users" was set to Off.

High Level Matrix of User Types and Permissions

Note:
Even when the organization is working in Basic permissions mode, External users are always in enhanced permissions mode. Super User permissions override the permissions mechanism and the user role restrictions, and provide access to all work items and issues, risks & requests at all times.

Work Item Permissions Scenario

The below work item related permission matrices are based on the following scenario.

The scenario holds all the common combinations of work items and shortcuts that generally exist in a project.

The scenario:

Work_Item_1.PNG

Note:
Our scenario relates to users that are Resources somewhere in the Project. Please refer to the "Current Project" section to see the permissions of users with other roles in the project (i.e. Project Manager, Reviewer etc.).
When selecting Permissions on the Group or Profile level, similar to "Sharing" on views, the PM can decide who will have read, edit or both reading and editing permissions for everyone assigned within the Group/Profile.
*Groups are users that are pre-defined in the system such as Admins, SuperUsers, External etc.
 
By selecting the appropriate owner/viewer, you determine the Permissions you are allowing for the group on the Parent project.
 
Group_permissions.PNG

Landing Page and Work Items Subsystem

In the Landing page and the work items module, users can see only objects where they have a direct role based on their permissions.

The Landing page and the work items module are designed to let users see the work items that are most relevant to them, so there is a high probability that users need to access what they see. In order to achieve this, these subsystems are designed to show a limited portion of the work items that the user has permission to see.

When assigning Permissions on a Group level the Permissions will roll down to the children on the WorkItems as well.  

If the Group contains sub-groups, same as reporting, the sub-group does not necessarily possess the same permissions.

In the image below you can see a scenario where internal/external users are marked as resources.

Internal_User_Permission.PNG

 

As shown, when the resource is assigned permissions on Task1, the user will have a view of the entire project. 

When a resource is assigned permissions in a task within a sub-project, the user will be able to view only information stored within the sub-project and not have access to the Parent project or any related information above the sub-project level.

Current Project

In the Current Project screen a user should be able to get a comprehensive view of the project, including shortcuts, dependencies, related objects etc., while keeping to the basic guidelines of permissions.

In order to achieve this, an internal user assigned as a resource on a project will have an indirect role on the entire project, and so has the ability to view other work items in the project.

External users will not have the same benefits as they generally need to be restricted from work items and issues that they aren't directly assigned to.

In the below scenario, internal/external users are marked as resources. The users have permissions on work items marked in Green in the hierarchy and no permissions on the ones marked in Red.

Internal User

The following matrix shows what permissions an internal user has as a resource in various locations in the project hierarchy in the current project screen.

As explained above, an internal user (assigned Basic or Enhanced permissions) anywhere in the Parent project level (Task, Milestone, etc.) will have access to view the entire project. When a resource is assigned permissions within a sub-task, the user will be limited to the information contained within the sub-project (and not have access to the Parent project).

External User

The following matrix shows what permissions an external user has as a resource in various locations in the project hierarchy in the current project screen.

As an external user, the Basic and Enhanced permissions are more specific.

Permission assignment for external user:

When assigned as an external user on the Parent level, the user will not be able to view any part of the project.

When assigned to a milestone, the user has access to the project, milestone and task directly associated with the assigned milestone. However, the user will not have access to any view beyond those specified.

When assigned to a task, the user is limited to the task and the sub-tasks within the task, and no additional views are available.

When assigned on a sub-project level, the user's view is limited to the specific sub-project and the related milestones and tasks for the sub-project, with no additional views.
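The resource visibility rules stated above for the Current Project screen, written as a small model that can serve as an expected-result oracle when reviewing access. This is an added example, not Clarizen code: the hierarchy and node names are constructed, and two points are assumptions, namely that "the entire project" includes its sub-projects and that the milestone rule inside a sub-project is applied relative to that sub-project.

```python
# Constructed hierarchy: node -> (parent, kind). Names are illustrative only.
TREE = {
    "Project":      (None, "project"),
    "Milestone1":   ("Project", "milestone"),
    "Task1":        ("Milestone1", "task"),
    "Task2":        ("Project", "task"),
    "SubTask2a":    ("Task2", "task"),
    "SubProject":   ("Project", "project"),
    "SubMilestone": ("SubProject", "milestone"),
    "SubTask":      ("SubMilestone", "task"),
}

def children(node):
    return [n for n, (parent, _) in TREE.items() if parent == node]

def subtree(node):
    """The node plus everything below it."""
    found = {node}
    for child in children(node):
        found |= subtree(child)
    return found

def enclosing_project(node):
    """Nearest project or sub-project at or above the node."""
    while TREE[node][1] != "project":
        node = TREE[node][0]
    return node

def visible(assigned, external):
    """Work items a resource assigned on `assigned` can view, per the text above."""
    proj = enclosing_project(assigned)
    is_sub_project = TREE[proj][0] is not None
    if not external:
        # Internal resource: the whole project, or only the sub-project
        # when the assignment sits inside one (assumption: sub-projects
        # count as part of "the entire project").
        return subtree(proj)
    if assigned == proj:
        # External on the Parent level sees nothing; on a sub-project,
        # the sub-project with its milestones and tasks.
        return subtree(proj) if is_sub_project else set()
    if TREE[assigned][1] == "milestone":
        # Project, the milestone, and the tasks directly under it.
        return {proj, assigned} | set(children(assigned))
    # External on a task: the task and its sub-tasks only.
    return subtree(assigned)
```

Comparing `visible(...)` against what a test account actually sees highlights any object exposed outside the documented scope; the permission matrices on the original page remain the authoritative reference.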

Other Roles in the Current Project View

Other roles may have different types of permission in the work items of a project. Some of these roles are generated automatically (such as project manager and manager, which are set as the user who created the project) and some are granted by others (like adding a resource or reviewer to a work item in the project).

Assigning a role to other users is the only way one can grant access to users on their created projects.

The matrix below shows the permission type and extension of other roles in the project.

Issues Subsystem

In v5.4 Clarizen introduced a built-in mechanism to apply permissions, similar to the one based on role driven permissions already implemented in the work items.

One can have two roles on an issue, owner and reviewer. The user that either created an issue, or has a role as an assignee during each life cycle phase (Evaluated by, Closed by, etc.) will get an owner role on the issue.

Users that have been set as issue team members (on the right side panel) will have a reviewer role on the issue.

Uri as an assignee has an owner role on the I-303 issue

Gen and PTI as team members have a reviewer role on the I-303 issue

Internal User

The following matrix shows what permissions an internal user has according to their role on an issue under the basic and enhanced permission modes.

External User

The following matrix shows what permissions an external user has according to their role on the issue under the basic and enhanced permission modes.

Note:
The same permission mechanism applied directly on issues in the issues subsystem also applies on issue subscription. When subscribing to receive notification on issues, users will receive notifications only on issues where they have at least viewing rights.

Time Tracking Subsystem

In Time Tracking, a user can report hours on specific tasks where they are a resource or have rights to report due to their role as project manager.

Direct managers are able to select one of their team members from the list in order to report hours on their behalf.

Expenses Subsystem

In the expenses subsystem, a user can create and approve expense sheets if they have the appropriate management and/or financial permissions.

Direct managers are able to select one of their team members from the list in order to create expense sheets on their behalf.

Search and Find

Both internal and external users are able to search for objects via the search and find windows. The resulting content is limited to objects where the user has at least viewing rights.

In the scenario below internal/external users are marked as resources. The user has permissions on work items marked in Green in the hierarchy and no permissions on the ones marked in Red. For permissions with other roles in the project, see the "Other roles in the current project" section.

Internal user under Basic permission mode

The following matrix shows what work items an internal user as a resource in various locations in the project hierarchy will be able to see in the results of search and find windows.

Internal User Under Enhanced Permission Mode

The following matrix shows what work items an internal user as a resource in various locations in the project hierarchy will be able to see in the results of search and find windows.

External user (always in enhanced permission mode)

The following matrix shows what work items an external user as a resource in various locations in the project hierarchy will be able to see in the results of search and find windows.

Regarding finding issues in the search and find windows, both external and internal users (under Enhanced Permissions mode) are able to see only Issues where they have any role.

If the user has no role at all for an Issue, they will not be able to see it in the results of search and find windows.

Note:
In find windows, the search results may be limited even further depending on the action being performed on the selected object.

Reports

Reports are available to both internal and external users.

The same permission rules are applied for both predefined system reports and custom reports created by the end user. Some of the predefined system reports are available only for specific users according to the user type and their special permissions.

The same limitations that apply to search and find objects in Clarizen are applied to both predefined system reports and custom-created ones.

Please refer to the "Search and Find" section for more details.

Non-UI Data Access and Integrations

Non-UI data access is a collection of features and tools that provide you with the ability to access Clarizen data via external tools and applications.

For example:

  • Web Service API
  • Excel plugin
  • Outlook plugin
  • Send Report action
  • iCalendar

Access to Clarizen data via non-UI data access is available to both internal and external users.

The same limitations that are applied on search and find objects in Clarizen are also applied via non-UI data access.

Please refer to the "Search and Find" section for more details.

InterAct

An administrator who defines an InterAct rule can decide to override the default system permissions behavior by unchecking the "Apply User Permissions" checkbox.

Please refer to the InterAct wiki page for more information.

By default, the same permission rules described in the "Search and Find" section are applied here as well.

Please refer to the "Search and Find" section for more details.

Direct Manager Special Permissions

In addition to the rights derived from a user's direct role on an object, a user also has read-only rights on objects by virtue of their organizational position as a Direct Manager of other users.

The definition of a direct manager includes Direct Managers at many levels, recursively. In real life, a CEO will be able to see all projects under the VP PMO and under each and every PM in the organization.

As a Direct Manager, one can access any Direct Report's objects in Clarizen (such as work items, issues etc.) via the various modules.
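The recursive Direct Manager rule above means every object has implicit read-only readers beyond its role holders. The following added example (not Clarizen code) computes them from a user-to-manager mapping; the user names are constructed, and the mapping is assumed to have been collected from the Direct Manager field of each user.

```python
# Constructed sample: user -> direct manager (None = top of the chain).
DIRECT_MANAGER = {
    "pm_alice": "vp_pmo",
    "pm_bob": "vp_pmo",
    "vp_pmo": "ceo",
    "ceo": None,
    "ext_x": "ext_y",   # constructed misconfiguration: a reporting loop
    "ext_y": "ext_x",
}

def manager_chain(user, direct_manager=DIRECT_MANAGER):
    """Managers above `user`, nearest first; stops if the chain loops."""
    chain, seen = [], {user}
    mgr = direct_manager.get(user)
    while mgr is not None and mgr not in seen:
        chain.append(mgr)
        seen.add(mgr)
        mgr = direct_manager.get(mgr)
    return chain

def reports_of(manager, direct_manager=DIRECT_MANAGER):
    """Direct and indirect reports whose objects `manager` can read."""
    return {u for u in direct_manager
            if manager in manager_chain(u, direct_manager)}

def effective_readers(role_holders, direct_manager=DIRECT_MANAGER):
    """Map each reader of an object to the reason they can read it."""
    readers = {u: "role" for u in role_holders}
    for holder in role_holders:
        for mgr in manager_chain(holder, direct_manager):
            # An explicit role takes precedence over the inherited right.
            readers.setdefault(mgr, "direct-manager (read-only)")
    return readers
```

Running `effective_readers` over the role holders of a sensitive work item shows how far up the reporting chain it is readable, which is worth checking before assigning a role to a user whose manager should not see the object.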

A user's Direct Manager is defined in the user property card:
