Who can access an application?

Application permissions help you minimize the need to create and assign many similar roles for individual users. You can permit or restrict access to individual applications within the project for whole classes of users.

When you define users, user groups and roles with specific permissions in one project, they can be inherited in one or more subprojects. This helps you avoid duplicating the effort of defining users, user groups and roles across projects.

Note: Project hierarchy must be set cautiously as you may overlook the inherited members and their corresponding roles. It is safer not to assign administrator level permissions to user groups or assign multiple roles to a member.

Application permissions supplement role-based access control (RBAC.) For each application's concepts, documents, file releases, trackers, and discussion forums, you can assign permissions globally based on user type.

For example, if you know that you want all project members to be able to view and submit to all project trackers, you can specify this application permissions. You need to configure these settings only once. All current and future project members will be able to view and submit to all trackers without having the tracker view/submit permission assigned to them individually via a role.

Before you do this, you should have identified your project as private, gated community, or public. Configuring permissions is a finer-grained level of control that operates within this hierarchy of project types.

Note: Some applications may be invisible to some users based on the roles you assign. If you set up a role that does not grant access to a particular application, and assign that role to a user who does not have some other role that does grant access to that application, that user cannot see the button for that application in the Web interface.

However:

If a user has any level of permission on a tracker or a task folder, that user can see the Reports button.
If a user has tracker administration permission on any tracker, or task administration in any task folder, that user can see the Project Admin button.

User classes

These are the classes of users to which you can assign application permissions:

User class	Description
All users with Role Permissions	Only project members with appropriate RBAC permissions.
All project members	All project members.
All project members and unrestricted users	All unrestricted users, whether or not they are project members, plus all project members.
All logged-in users	All restricted and unrestricted users (all logged-in users,) whether or not they are project members.
All users	All users, whether or not they are logged in or have CollabNet TeamForge accounts.

Restrictions by type of site

On some types of sites, you can't assign application permissions to certain classes of users. In such cases, you must use role-based access control (RBAC) permissions.

On a private site, you cannot set application permissions for these classes of users:
- All project members and unrestricted users
- All logged-in users
- All users
On a "Gated Community" site, you cannot set application permissions for these classes of users:
- All logged-in users
- All users