Advice for permissions setup

[tciz_plastic]

Hello,

We have created groups for integrator and developer roles and would like to have only integrators allowed to make changes on /main branch, and both groups allowed to make changes on /main/dev branch.

Integrators are also developers in our case, so they are added to both groups but this causes the integrators to be denied permissions on the main branch.

 

As a solution, we can put each user in a single group. (integrators --> only in integrator group, devs --> only in dev group), and grant permissions to both of these groups where needed. 

Would this be the recommended approach? Any suggestions?

Thanks.

 

[manu]

Hi @tciz_plastic,

the following blogpost explains you scenario: http://blog.plasticscm.com/2014/07/securing-plastic-scm-system.html

The key is not to deny the permission, just disable it. Notice the "deny" permissions will prevail over the "granted" permission so if a user belong to multiple groups the "deny" will win.
On the other hand, if the X permission is not granted and not denied the user will not be able to do the X operation, unless it inherits the ability from another group.

 

[tciz_plastic]

Hi @manu,

Thank you for this advice, indeed it seems exactly what I am looking for. 

I assume a permission is disabled when it has both "Allowed" and "Denied" unchecked as below.

Kind regards

Engin

[manu]

Great!

1 hour ago, tciz_plastic said:

I assume a permission is disabled when it has both "Allowed" and "Denied" unchecked as below.

That's right. Not denying and not granting will avoid the user to perform the action but it opens you a way to combine permissions.

[tciz_plastic]

Thanks for the confirmation.

The support is great! 

[manu]

Thanks!