Permissions for Project Admins to view groups

Hello,

I only recently found out that users managing a project with "Project Admin" permissions are not able to see any Groups. They just don't appear on the screen for the Access, and they are not visible in the Team, even when a group is configured there. When selecting Team members or new access rules, the Project Admins are only able to select "All Users", or some group which belongs to a specific project they are in the Team of.

We use LDAP mapping of our used groups, so they are all Global groups and if an user is "Project Admin", they should of course be able to mangage Access/Team for that project, by using the tools at hand, e.g. groups.

Could you tell me how to handle that sort of thing? Do I have irregular permissions set for my groups, or what kind of permissions do the Project Admins need in order to read and use groups?

0
5 comments

View as Project Admin (Test Account CIT), who cannot see anything related to groups:View as myself (Global Admin), seeing everything related to groups (which I want for Project Admins as well):

0

Hello,

Groups are related to projects: when a new group is created, it must be linked to at least one project.

If a user has the default Project Admin role only in one project, the user cannot see groups that are linked to other projects because the user has no permissions to read other projects' data.

You need to either change the project in group settings to allow Project Admin to see it, or add the group to the project as System Admin.

0

Okay, so it is not usual to have LDAP groups describing teams in a company and those working together?

If I want a project where two teams work together, whoever is the project admin for that cannot administrate the project as they cannot see one of the groups, right? If I have a scrum master for the company, they cannot manage projects, as they are not member of the teams? This sounds wrong, as I don't see a problem with project admins having total control of whom they may give access to their own project.

My current workaround is to have a project "Group Permissions Workaround" and all LDAP groups belong to that project and all Youtrack users are project admin of that project. So every project admin can use all groups. This all feels like a giant hack...

Is there a way to add a permission so project admins can read Global Groups without being System Admin? Could you add a Feature request for me in the Jetbrains-Youtrack? :)

0

It is designed behaviour, I'm afraid: to view a group, a user needs a "Read group" permission in the project assigned to this group.

It is possible to create a separate role with a single "Read group" permission and assign this role to a user under the Global project. In this case, the user will see all groups but won't have any other permissions to modify/view other projects.

0

Thanks, that is indeed a very clean solution to the problem :)

/fixed for me

0

Please sign in to leave a comment.