IBM UrbanCode products use a role- and team-based security system. Permissions are assigned to roles, not to users. In IBM UrbanCode Deploy, for instance, roleless users can only access their user preferences.
Typically, when administrators set up security they also define roles and teams. An extremely useful role you can create is a Team Lead role. The Team Lead role can manage a team’s roster without further involvement from an administrator, or additional administrative permissions.
To test drive the role, create a role and name it Team Lead or something similar. Grant the Add Team Members permission from the Server Configuration area to the role, as shown in this figure. This permission enables users to manage their team rosters—add users to team roles, and remove users from their team. Users with this permission can manage the rosters of their own teams but not other teams.
Add the other permissions granted to team members. Do not add the Manage Security permission to the role. The Manage Security permission essentially creates an administrator-type role because it grants access to all security features, which is not what you want.
Users without the Manage Security permission cannot access the security options, but that’s fine. All users, even roleless users, can access their own My Teams page. You do not need the Manage Security permission to view your teams.
You access your My Teams page from the My Profile menu, as shown in this figure.
The My Teams page lists the teams to which you belong—and no others. In this example, Demo User, user ID Demo, belongs to two teams—Demo Team and Demo2 Team. She is assigned to the Team Lead role for Demo Team, as shown in this figure. The Team Lead role enables her to delete users and add users to roles on the Demo Team. Even though Demo User does not have access to the system administration functions, she can act as team administrator by using her My Teams page. If the Team Lead role did not have the Add Team Members permission, Demo User, like any other user, could review her teams but not modify them. The Add buttons would not be displayed.
What happens when a user is in the Team Lead role for some of their teams but not for others? As you would expect, a user without the Add Team Members permission cannot affect the team roster. In this example, Demo User is the team lead for Demo Team but not for Demo2 Team. If Demo User attempts to modify Demo2 Team’s roster, she is prevented and a message informs her that she does not have permission to change team membership.
Note: The UI can sometimes be slow to update, which can make it appear that an unexpected roster change occurred. If this happens, refresh the window.
Because all roles are available to all teams, the Administrator role, with all its privileges, is also available on the My Teams page. If Demo User attempts to add herself to the Administrator role for Demo Team, she is prevented even though she is the Team Lead. A user in a role with the Add Team Members permission cannot affect a role that has more permissions than that user has. Because the Administrator role has more Server Configuration permissions than the Team Lead role, Demo User cannot add or remove users from the Administrator role.
To be effective, a team lead role needs, in addition to the Add Team Members permission, all permissions granted to the roles the team lead is expected to manage. If you have team types with different permission sets, you might need several team lead roles (Development Lead and Production Lead, for example). The simplest solution is to grant all permissions to the team lead role except those reserved for the Administrator role. Remember, users in lead-style roles can only affect the teams to which they belong.
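The rule in the two paragraphs above can be modeled as a permission-set comparison, which also shows which roles a planned lead role would be unable to manage. This Python model is an added example, not IBM UrbanCode code; it assumes "more permissions" means the target role holds at least one permission the acting user lacks on that team, and the role sets, the deploy and edit permissions, and the Weak Lead role are constructed for illustration.

```python
# Added model of the roster-delegation rule described above; not IBM UrbanCode code.
ADD_TEAM_MEMBERS = "Add Team Members"   # permission name from the article
MANAGE_SECURITY = "Manage Security"     # permission name from the article

# Constructed role definitions. "deploy" and "edit" are placeholder permissions.
ROLES = {
    "Administrator": {ADD_TEAM_MEMBERS, MANAGE_SECURITY, "deploy", "edit"},
    "Team Lead": {ADD_TEAM_MEMBERS, "deploy", "edit"},
    "Weak Lead": {ADD_TEAM_MEMBERS, "edit"},   # hypothetical under-provisioned lead
    "Developer": {"deploy", "edit"},
}

# Constructed memberships: user -> team -> roles held on that team.
MEMBERSHIPS = {
    "Demo": {"Demo Team": {"Team Lead"}, "Demo2 Team": {"Developer"}},
}


def effective_permissions(user, team):
    """Union of the permissions of every role the user holds on one team."""
    perms = set()
    for role in MEMBERSHIPS.get(user, {}).get(team, set()):
        perms |= ROLES[role]
    return perms


def can_change_role_membership(user, team, target_role):
    """Return (allowed, reason) for adding or removing users in target_role."""
    perms = effective_permissions(user, team)
    if ADD_TEAM_MEMBERS not in perms:
        return False, "no Add Team Members permission on this team"
    # Assumed reading of the rule: the target role may not exceed the actor.
    extra = ROLES[target_role] - perms
    if extra:
        return False, "target role has permissions the user lacks: " + ", ".join(sorted(extra))
    return True, "ok"


def unmanageable_roles(lead_role):
    """Map each role a lead role cannot manage to the permissions it is missing."""
    lead = ROLES[lead_role]
    return {name: sorted(perms - lead) for name, perms in ROLES.items() if perms - lead}
```

Running unmanageable_roles against each planned lead role before rollout shows whether the only role it cannot manage is Administrator, which is the outcome the article recommends.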
Tip: User Preferences for Team Object Mapping
By default, the objects that you create are automatically mapped to the teams to which you belong. You can change this behavior with the Default Teams for New Objects parameter in your Preferences. Instead of all your teams, you can select a subset of them, or none at all.
updated November 13, 2015