Access Control on Teams
You can control who is authorized to create Business Teams Service (BTS) teams, change a team, or read the details of a team either through J2EE roles assigned when installing BTS, or through specific teams whose members have particular access rights on other teams.
The access permissions have two levels of granularity:
- Global access permissions
- Team scoped access permissions
Global access permissions
The following permissions provide access control for all teams.
Administrators with full access
Global administrators act as superusers and can call any BTS REST API. Global administrators are:
- All members of the J2EE role teamserveradmin.
- All members of the global administrators team, which has the uuid 10000000-0000-0000-0000-000000000000.
Users that can create or update a team
All users of BTS are members of the J2EE role teamserveruser. These users can create or write a team if they satisfy one or more of the following conditions:
- The user is a member of the creators team, which has the uuid 20000000-0000-0000-0000-000000000000.
- The user is a global administrator.
Reading details of a team
When creating or updating a team, the user can use the following REST APIs to find out which users and groups exist in the user repository:
GET /teamserver/rest/groups
GET /teamserver/rest/users
To call these APIs, a user must satisfy one or more of the following conditions:
- The user is a global administrator.
- The user is a member of the "creators" team, which has the uuid 20000000-0000-0000-0000-000000000000.
- The user is a member of the "repository readers" team, which has the uuid 30000000-0000-0000-0000-000000000000.
- The user passes the uuid of a team as context and has the permission to update that team. A user who can update a team has a reasonable need to obtain the list of users or groups from the user repository.
Granting users authorization
To add a user to one of the predefined teams with the uuid uuid, a global administrator can call one of the following REST APIs:
PUT /teamserver/rest/teams/uuid
PATCH /teamserver/rest/teams/uuid
For example:
PUT /teamserver/rest/teams/30000000-0000-0000-0000-000000000000
For examples that use PUT and PATCH, see Using the BTS REST API.
Team scoped access permissions
Each team has the following administrative fields:
Field | Description
---|---
owner | A user who is the main administrator of the team. The owner cannot be null.
administratorTeam | A team whose members are also administrators of the team. Members of this team can read and write the entire contents of the team, including the admin part. The administratorTeam field can be null.
writerTeam | A team whose members have the permission to change the team content. Members of this team can read and write the entire content of the team except the admin part. The writerTeam field can be null.
readerTeam | A team whose members have the permission to read the team content. Members of this team can read the entire contents of the team except the admin part. The readerTeam field can be null.
What the owner of a team can and can't do
The owner (or administrator) of a team has the permission to choose which user should be the owner of the team, and which team should be used as reader team, writer team, or administrator team. However, this does not imply any permissions on the chosen team.
In the following example, although John Doe is the owner of the exampleteam team and can specify which teams are the readerTeam, writerTeam, and administratorTeam, he cannot choose the individual members of those teams unless he is also an owner, administrator or writer of them.
{
  "uuid": "a1c81405-429a-4fc2-803e-b6e8cf03f7f1",
  "distinguishedName": "cn=exampleteam,ou=team,dc=example,dc=com",
  "displayName": "Example Team",
  "description": "This is a new team",
  "users": [
    "cn=John Doe,ou=User,dc=example,dc=com",
    "cn=Jane Doe,ou=User,dc=example,dc=com"
  ],
  "groups": [
    "cn=Example,ou=Group,dc=example,dc=com"
  ],
  "teams": [
    "a3c90404-419a-4fc5-804e-b7e9cf14f8f2"
  ],
  "admin": {
    "owner": "cn=John Doe,ou=User,dc=example,dc=com",
    "administratorTeam": "aabb0000-517a-44de-413e-a78ccef3f2f2",
    "writerTeam": "ccdd0101-517a-34de-112e-a7616273f343",
    "readerTeam": "eeff0202-732a-5a4f-ee12-b86211c79ff1"
  },
  "metadata": {
    "created": "2020-10-25T14:37:08.198Z",
    "lastModified": "2020-10-25T14:37:08.198Z"
  }
}
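The following is an added model of the global and team-scoped rules described on this page, written to check an access decision before calling the REST API; it is not BTS code. It assumes direct user membership only (group and nested-team membership are not resolved), treats "can update a team" in the context rule as writer access or higher, and uses constructed users and team records; only the three predefined team uuids come from the text.

```python
# Constructed model of the BTS access rules (not BTS code). The three predefined
# team uuids are from the documentation; ROLES and TEAMS are constructed sample data.
GLOBAL_ADMINS = "10000000-0000-0000-0000-000000000000"
CREATORS = "20000000-0000-0000-0000-000000000000"
REPO_READERS = "30000000-0000-0000-0000-000000000000"
EXAMPLE_TEAM = "a1c81405-429a-4fc2-803e-b6e8cf03f7f1"   # exampleteam from the page
WRITERS = "ccdd0101-517a-34de-112e-a7616273f343"        # its writerTeam

ROOT = "cn=Root,ou=User,dc=example,dc=com"              # constructed J2EE admin
JOHN = "cn=John Doe,ou=User,dc=example,dc=com"
JANE = "cn=Jane Doe,ou=User,dc=example,dc=com"
SAM = "cn=Sam Roe,ou=User,dc=example,dc=com"            # constructed writer

ROLES = {ROOT: {"teamserveradmin", "teamserveruser"}, JOHN: {"teamserveruser"},
         JANE: {"teamserveruser"}, SAM: {"teamserveruser"}}
TEAMS = {  # team records keyed by uuid; only the fields the rules consult
    CREATORS: {"users": [JANE], "admin": {}},
    WRITERS: {"users": [SAM], "admin": {}},
    EXAMPLE_TEAM: {"users": [JOHN, JANE],
                   "admin": {"owner": JOHN, "administratorTeam": None,
                             "writerTeam": WRITERS, "readerTeam": None}},
}

def is_member(user, team_uuid):
    # Direct membership only; a None or unknown uuid (e.g. a null readerTeam) is never a match.
    return team_uuid in TEAMS and user in TEAMS[team_uuid]["users"]

def is_global_admin(user):
    return "teamserveradmin" in ROLES.get(user, set()) or is_member(user, GLOBAL_ADMINS)

def can_admin(user, team_uuid):
    # Admin part: global admins, the owner, and members of administratorTeam.
    a = TEAMS[team_uuid]["admin"]
    return is_global_admin(user) or a.get("owner") == user or is_member(user, a.get("administratorTeam"))

def can_write(user, team_uuid):
    return can_admin(user, team_uuid) or is_member(user, TEAMS[team_uuid]["admin"].get("writerTeam"))

def can_read(user, team_uuid):
    # Plain membership in the team's "users" list grants nothing by itself.
    return can_write(user, team_uuid) or is_member(user, TEAMS[team_uuid]["admin"].get("readerTeam"))

def can_create_team(user):
    return is_global_admin(user) or is_member(user, CREATORS)

def can_list_repository(user, context_team=None):
    # GET /teamserver/rest/users and /groups: global admin, creators, repository
    # readers, or a context team the user is allowed to update (assumed: writer or higher).
    if is_global_admin(user) or is_member(user, CREATORS) or is_member(user, REPO_READERS):
        return True
    return context_team in TEAMS and can_write(user, context_team)
```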