Gerrit (2.13.6)
I've completed the installation according to
https://gerrit-review.googlesource.com/Documentation/install-quick.html
Created a couple of users, applied keys, etc.
I only see two groups listed in the 'List groups'
"Administrators" and "Non-Interactive Users"
However the documentation indicates that there are the following
system groups: Anonymous Users, Change Owner, Project Owners, Registered Users, which I do not see anywhere. Are they supposed to have been created during the installation?
Actually these groups don't really "exist"; I mean you will not see them in the People > List Groups lists. They're kind of "virtual" groups... you can't add/remove people to/from them. For example, when someone logs in to Gerrit he/she is automatically added to the "Registered Users" group, and every Gerrit user (logged in or not) belongs to "Anonymous Users" (the group name was not well chosen).
They exist to be used to grant project permissions.
Related
We have Jenkins installed and I'm wondering how to add an existing user to a Jenkins group.
I find how-to's for the case where in Configure Global Security the Security Realm is set to Jenkins' own user database. We have set this to Active Directory - but maybe this doesn't make a real difference to the problem.
In section Authorization we have set Matrix-based security and there are already four groups defined from a previous user. Those groups have some custom rights set, and a bunch of AD users were added to those groups somehow.
My problem: if I try to add a new user, I can add it to the matrix and give him the rights, but I don't see how to simply add the user to the group. I don't want a huge list of users who all have the same rights - I just want them bundled each into one of the four groups. But how can I add a user to a group? It was possible somehow before, as there are obviously users added to those groups.
Maybe a plugin was uninstalled by accident and is missing for this purpose? But I guess that in that case the Matrix-based security wouldn't even be displayed anymore!?
Any help? Thanks.
In this specific case the groups are AD groups and the users are added to those groups in the AD, not in Jenkins. So, if you have set the Security Realm to Active Directory you must add users to groups on the active directory level - not within Jenkins.
TFS2015 u2. I'm editing a release definition, assigning approvers for an environment.
I have several server-level groups. When I start typing group names in the "Specific users" box on the Approvals page of environment properties, one of them ("Application Hosting Team") comes up, another ("QA Team") doesn't. The former is a part of collection admins, the latter has no specific rights. If I grant the QA team collection admin, it comes up, too.
Question - which rights do I have to grant (short of admin) so that TFS considers it eligible for approving releases? Preferably on collection level.
EDIT: Adding the server level group to "Project Readers" will do, but I'd hate to go through all the projects...
Found two collection level ways:
Create a collection level group, add server level group to that one, grant Allow for Edit collection level items
Add the server group to "Release Management Service Accounts"
Either works. The former is slightly more work, the latter might grant more rights than strictly necessary to approve releases.
I can successfully setup a feedback request but I can only add one stakeholder at a time. I thought I'd setup a TFS group and it would send the feedback request to each of the members of that group. No such luck, turns out the TFS groups don't even show on the list of stakeholders in my setup.
TFS Permissions on the group. Please let me know if you need any other information.
What am I doing wrong?
The submitted feedback will be sent to stakeholders via email. There's no email address for TFS group, so it is not possible to select TFS groups as Stakeholders.
You need to:
1. Create a group in Exchange or mail-enable an existing group in Active Directory, and create one email address for the created group. (Check this for the details.)
2. Add the created Windows group to TFS, and grant it the required permissions. (Check this for the details.)
3. When submitting the feedback request, type the group alias created in Step 1 and click "Check Name". Then the group will show up correctly, and the requested feedback will be sent to everyone in that group.
I also tried a lot of ways to add a TFS group as a stakeholder, but there proved to be no way to add a TFS group; the stakeholder list can only show Windows groups. You can click "Browse" to select multiple users at a time, or add a Windows group to a TFS group and then select this Windows group.
We have a situation where TFS was taken into use when we all had 2 user accounts. We started using TFS with account A but, after a while, found out that account B was better. In the end we want to use the A accounts only for RDP sessions. We would now like to remove all the A accounts from TFS so that we don't make mistakes in assigning tasks to a person.
Deleting the old accounts from the AD is not an option; we still use those accounts for RDP sessions. What we did was migrate all the WIs from account A to account B. Thereafter I removed all permissions for the old A accounts, with the idea that TFS would clear those accounts since they are no longer in use. The double account in the assigned-to field
Unfortunately the old accounts are still visible even though they are no longer involved in any project or group. No rights for the (development) user
How can we remove those accounts from TFS? Maybe there is some kind of cache that needs to be cleared somewhere, or a rebuild of the warehouse?
Thanks in advance!
By default the Assigned To field shows the list of all Valid TFS Users (this is a specific TFS group). So if you don't want somebody to show up in that list you have to make sure they are not in the Valid TFS Users group. If you inspect this group in the TFS Admin interface you can see which other groups are members of it. Now it's just a matter of tracing through the many TFS security groups to make sure that those user accounts are not included anywhere that would result in them being part of TFS Valid Users.
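The tracing step described in the answer above, sketched as an added example (not code from the original post or from TFS). The group names, account names and membership map are constructed; in practice the map would come from whatever membership listing you export from the server.

```python
# Constructed sample data, not exported from a real server:
# each group maps to its direct members (accounts or other groups).
MEMBERS = {
    "TFS Valid Users": {"Collection Admins", "ProjectX Contributors",
                        "ProjectY Readers"},
    "Collection Admins": {"jones_B"},
    "ProjectX Contributors": {"Dev Team", "smith_B"},
    "ProjectY Readers": {"Dev Team"},
    "Dev Team": {"smith_A", "smith_B", "Legacy Team"},
    "Legacy Team": {"Dev Team"},  # nested groups can form a cycle
}

def membership_paths(root, account, members=MEMBERS):
    """Return every chain of nested groups that places account under root."""
    paths = []

    def walk(group, trail):
        for member in sorted(members.get(group, ())):
            if member == account:
                paths.append(trail + [member])
            elif member in members and member not in trail:
                # member is itself a group; the trail check stops cycles
                walk(member, trail + [member])

    walk(root, [root])
    return paths

def groups_to_fix(root, account, members=MEMBERS):
    """Groups that list the account directly; removing it there breaks all paths."""
    return sorted({p[-2] for p in membership_paths(root, account, members)})

if __name__ == "__main__":
    for path in membership_paths("TFS Valid Users", "smith_A"):
        print(" -> ".join(path))
    print("remove from:", groups_to_fix("TFS Valid Users", "smith_A"))
```

An account with no permissions of its own can still reach the valid-users group through several nested chains, which is why removing its explicit rights alone does not take it off the list.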
I am having a little difficulty understanding when a person should configure JIRA permissions using groups and when they should use project roles. I have read the online documentation, however, the difference between the two seems subtle.
A group seems simple enough. Group users into a named bucket. Assign the group to one or more permissions within a permission scheme to enable access to functionality for any users within the group. Assign the permission scheme to a project to apply the permissions to that project.
A project role seems very similar. It does all of the above except that you can also add groups to project roles. It seems that a project role also allows a project administrator to add their own users to a project instead of requiring a system administrator.
However, I am not sure how I can leverage this. Here is an example of what I want to achieve.
Have multiple projects created in JIRA.
All of our managers, developers, etc. have the same permissions across all projects.
Our clients have access only to their projects.
I think that the best way to accomplish this is to:
Create an employees group to which I add all of our employees.
Create one or more project roles to which I add the appropriate clients.
Assign permissions to the Default Permissions Scheme using the employees group.
Copy the Default Permission Scheme to a new project specific scheme, e.g., client-scheme
Assign the client-scheme to the client specific project.
However, it seems that I am not leveraging project role membership. How does this come into play?
What is the best practice for using JIRA groups and project roles? What is the difference between the two?
We advise working with roles, as this has a couple of advantages:
a. You can setup the complete configuration based on roles.
For instance you might have a workflow transition 'validated' which can only be executed by someone who is a tester.
You have the choice to add a transition condition 'user is in group tester' or 'user has the role tester'.
If you are working in an organisation where users have different roles in different projects, choosing the first transition condition (user is in group tester) will not work (or you would need a new workflow for each project)
The same applies for notifications.
You can configure a notification on the 'issue resolved' event, specifying that the 'users in group tester' get notified or 'users who have the role tester'.
When using roles, adding someone to a project is very simple - just check what role the person has in the project, add them in the project configuration (view members) and you are done. He will have the right permissions, get the right notifications ...
b. Configuration
When you use roles for configuration, you don't need system administration rights to add someone to a project. The project lead will be able to add the user. No need to bother the system admin.
Looking at your description, I would have
A project role 'employee'
A project role 'customer'
A group 'employees'
configure the project role such that the group employees is a default member of the project role employee
This way you can use the same permission scheme for all projects. When adding a new project, you just need to add the client specific userid to the client role.
When a new employee starts, you add him to the employees group.
The day that you have a specific, ultra secret project, where only a couple of employees need to have access, you can remove the group 'employees' from the role 'employee' and add the specific users to the role.
Hope this helps
Francis
Historically, JIRA had groups first. Then roles came along and are the recommended way to control authorization in most cases.
~Matt
Groups are global. Roles can be thought of as per-project (local) groups.
Roles are much better: else with a large number of projects you quickly end up with a proliferation of Groups and permission schemes (one per project).
You lose nothing by using role-based permission schemes, since you can add a Group to a role.
But you gain a lot of flexibility. E.g. you'd currently have the Employee role be filled with your Employees group for every project, but as your company and complexity grow, you can have different Employees per project, without having to change the permission schemes.
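The role-based setup suggested in the answers above, as an added example (a simplified model, not JIRA's code or API and not part of the original posts). User names, project keys and permission names are constructed; the point is that one shared scheme serves every project while role membership differs per project.

```python
# Simplified model of the role-based setup; not Jira's code or API.
# All names and data below are constructed for illustration.
import copy

GROUPS = {"employees": {"alice", "bob"}}  # global groups

# One permission scheme shared by every project: permission -> roles.
SCHEME = {"BROWSE": {"employee", "customer"}, "EDIT": {"employee"}}

# Default role members copied into each new project.
DEFAULT_ROLES = {
    "employee": {"groups": {"employees"}, "users": set()},
    "customer": {"groups": set(), "users": set()},
}

def new_project():
    return copy.deepcopy(DEFAULT_ROLES)

def role_members(project, role):
    """Expand a project role to the set of user names it contains."""
    entry = project.get(role, {"groups": set(), "users": set()})
    users = set(entry["users"])
    for group in entry["groups"]:
        users |= GROUPS.get(group, set())
    return users

def has_permission(user, permission, project):
    return any(user in role_members(project, role)
               for role in SCHEME.get(permission, ()))

def build_projects():
    acme, globex, secret = new_project(), new_project(), new_project()
    acme["customer"]["users"].add("carol")    # client of ACME only
    globex["customer"]["users"].add("dave")   # client of GLOBEX only
    # Restricted project: drop the group, name the individuals.
    secret["employee"]["groups"].discard("employees")
    secret["employee"]["users"].add("alice")
    return {"ACME": acme, "GLOBEX": globex, "SECRET": secret}

def access_matrix(permission):
    """Map project key -> sorted users holding the permission."""
    everyone = {"alice", "bob", "carol", "dave"}
    return {key: sorted(u for u in everyone if has_permission(u, permission, p))
            for key, p in build_projects().items()}
```

Calling `access_matrix("BROWSE")` shows each client confined to its own project and the restricted project visible only to the named employee, with no change to `SCHEME`.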