5.9 KiB
sidebar_navigation | description | robots | keywords |
---|---|---|---|
[{title Roles and permissions} {priority 970}] | Manage roles and permissions in OpenProject. | index, follow | manage roles, manage permissions |
Roles and permissions
A role is a set of permissions that can be assigned to any project member. Multiple roles can be assigned to the same project member.
When creating a role, the "Global role" field can be ticked, making it a Global role that can be assigned to a users details and applied across all projects.
Topic | Content |
---|---|
Permissions | What are permissions and how can I access the permissions report? |
Create a new role | How to create a new (global) role. |
Edit and remove roles | How to change and delete existing roles. |
Global roles | Which global roles are there and what are their significances? |
Permissions
The permissions are predefined in the system, and cannot be changed. They define what actions a role can carry out. If a user has more than one role (including global and project roles), a permission is granted if it is assigned to any of those roles.
All permissions are shown sorted by OpenProject module in the create a new role page or when clicking on an existing role.
Permissions report
On the bottom of the roles list page there is a link to the Permissions report. This shows a grid of existing roles (columns) against permissions (rows); the intersections are ticked if the role has the permission.
A "Check/uncheck all" tick box is shown on each role or permission to allow bulk change. Be careful, this cannot be undone. If you make a mistake, do not save the report.
Project Modules
Note: If a project module is not enabled for a specific project it is not shown in that project's menu whether the user has permission for that module or not.
Create a new role
To create a new role, navigate to the administration and select Users & Permissions -> Roles and permissions from the menu on the left.
You will see the list of all the roles that have been created so far.
After clicking the green + Role button, a form will be shown to define the role and its permissions.
Complete the following as required:
- Role name - must be entered and be a new name.
- Global Role - this role applies to all projects, and can only be assigned in the user details. Once saved, the decision to make a role a "global role" can't be reverted. Ticking this box will show the available global roles and hide the regular permission options.
- Work packages... - tick to allow work packages to be assigned to a user with this role. This does not appear for global roles.
- Copy workflow from - select an existing role. The respective workflows will be copied to the role to be created.
- Permissions for this role - you can specify the permissions per OpenProject module. Click the arrow next to the module name to expand or compress the permissions list.
Select the permissions which should apply for this role. You can use "check all" or "uncheck all" at the right of a module permissions list. If a module is not enabled in a project it is not shown to a user despite having a permission for it.
Don't forget to click the Save button at the bottom of the page.
Edit and remove roles
To edit a role navigate to the roles overview list and click on the role name (1). If is not a global role it cannot be converted into one.
To remove an existing role click on the delete icon next to a role in the list (2). It cannot be deleted if it is assigned to a user.
Global roles
To create a global role tick the box "Global Role" when creating a new role.
You can choose between these global roles:
- Create project: Assign this role to users to enable them to create new projects without being system administrator.
- Create and edit users: Assign this role to users who should be able to create or invite new users and edit their profiles in a limited way. Users with this role can see all users of your OpenProject instance and can add users and edit the name, username, email address and language of a user. They can't delete or lock users. They can only see and add users to projects where they have permissions to see project members. The user profile will look like this for them (user name and email address were redacted):
- Create, edit and delete placeholder users: Assign this role to users (e.g. project admins) who should be able to manage placeholder users. Users with this role can see all placeholder users in your OpenProject instance and can create, edit and delete placeholder users. They can only see and add placeholder users to projects where they have permissions to see project members. A placeholder user's profile will look like this for them:
- Administrator: Technically, the system administrator is also a global role. However, it can't be configured and is assigned to a user in another way. Find out more here.