Access Control on Teams

You can control who is authorized to create Business Teams Service (BTS) teams, change a team, or read the details of a team either through J2EE roles that are assigned when BTS is installed, or through specific teams whose members are granted access rights on other teams.

The access permissions have two levels of granularity:

Global access permissions

The following permissions provide access control for all teams.

Administrators with full access

Global administrators act as superusers and can call any BTS REST API. Global administrators are:

Users that can create or update a team

All BTS users are members of the J2EE role teamserveruser. These users can create or update a team if they satisfy one or more of the following conditions:

Reading details of a team

When creating or updating a team, a user can call the following REST APIs to find out which users exist in the user repository:

To call these APIs, a user must satisfy one or more of the following conditions:

Granting users authorization

To add a user to one of the predefined teams, a global administrator can make one of the following REST API calls against the uuid of that team:

For example:

PUT /teamserver/rest/teams/30000000-0000-0000-0000-000000000000

For examples that use PUT and PATCH, see Using the BTS REST API.

Team scoped access permissions

Each team has the following administrative fields:

Table 1. List of administrative fields for each team
Field Description
owner A user who is the main administrator of the team. The owner cannot be null.
administratorTeam A team whose members are also administrators of the team. Members of this team can read and write the entire contents of the team, including the admin part. The administratorTeam field can be null.
writerTeam A team whose members have the permission to change the team content. Members of this team can read and write the entire content of the team except the admin part. The writerTeam field can be null.
readerTeam A team whose members have the permission to read the team content. Members of this team can read the entire contents of the team except the admin part. The readerTeam field can be null.

What the owner of a team can and can't do

The owner (or an administrator) of a team has the permission to choose which user is the owner of the team, and which teams are used as its reader team, writer team, and administrator team. However, choosing a team in this way does not imply any permissions on the chosen team.

In the following example, although John Doe is the owner of the exampleteam team and can specify which teams are the readerTeam, writerTeam, and administratorTeam, he cannot change the individual members of those teams unless he is also an owner, administrator, or writer of them.

{
  "uuid": "a1c81405-429a-4fc2-803e-b6e8cf03f7f1",
  "distinguishedName": "cn=exampleteam,ou=team,dc=example,dc=com",
  "displayName": "Example Team",
  "description": "This is a new team",
  "users": [
    "cn=John Doe,ou=User,dc=example,dc=com",
    "cn=Jane Doe,ou=User,dc=example,dc=com"
  ],
  "groups": [
    "cn=Example,ou=Group,dc=example,dc=com"
  ],
  "teams": [
    "a3c90404-419a-4fc5-804e-b7e9cf14f8f2"
  ],
  "admin": {
    "owner": "cn=John Doe,ou=User,dc=example,dc=com",
    "administratorTeam": "aabb0000-517a-44de-413e-a78ccef3f2f2",
    "writerTeam": "ccdd0101-517a-34de-112e-a7616273f343",
    "readerTeam": "eeff0202-732a-5a4f-ee12-b86211c79ff1"
  },
  "metadata": {
    "created": "2020-10-25T14:37:08.198Z",
    "lastModified": "2020-10-25T14:37:08.198Z"
  }
}
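The following Python block is an added illustration of the rules in Table 1 and of the owner limitation described above; it is not BTS code and does not call the BTS REST API. It models the four admin fields (owner, administratorTeam, writerTeam, readerTeam) and global administrators, expands team membership through users, groups and nested teams, and then replays the exampleteam scenario: John Doe, as owner, can point readerTeam at another team, but he cannot add members to that team because choosing it grants him no rights on it. Everything below the docstring is constructed sample data; the in-memory TEAMS/GROUPS dictionaries, the GLOBAL_ADMINS set, and the user DNs other than John and Jane Doe are assumptions, not values from the page.

```python
"""Team-scoped access checks modelled on the BTS admin fields (added example).

Assumptions, not taken from the page: teams are kept in a dict keyed by uuid,
users are identified by DN, group membership comes from a constructed GROUPS
map, nested "teams" entries are expanded recursively, and global administrators
are a plain set of DNs because the page does not reproduce how BTS defines them.
Rights are granted only through the admin fields and global admins, which is
all the page describes; plain membership of a team grants nothing here.
"""
import copy
from typing import Dict, Optional, Set

# ---- constructed sample directory (not real data) -------------------------
JOHN = "cn=John Doe,ou=User,dc=example,dc=com"
JANE = "cn=Jane Doe,ou=User,dc=example,dc=com"
ALICE = "cn=Alice,ou=User,dc=example,dc=com"
BOB = "cn=Bob,ou=User,dc=example,dc=com"
CAROL = "cn=Carol,ou=User,dc=example,dc=com"
ROOT = "cn=root,ou=User,dc=example,dc=com"
GROUPS: Dict[str, Set[str]] = {"cn=Example,ou=Group,dc=example,dc=com": {ALICE}}
GLOBAL_ADMINS: Set[str] = {ROOT}  # assumed superusers for every team

EXAMPLE = "a1c81405-429a-4fc2-803e-b6e8cf03f7f1"  # uuids from the page's JSON
ADMINS = "aabb0000-517a-44de-413e-a78ccef3f2f2"
WRITERS = "ccdd0101-517a-34de-112e-a7616273f343"
READERS = "eeff0202-732a-5a4f-ee12-b86211c79ff1"
NESTED = "a3c90404-419a-4fc5-804e-b7e9cf14f8f2"


def make_team(owner, users=(), groups=(), teams=(), admin=None, writer=None, reader=None):
    return {"users": list(users), "groups": list(groups), "teams": list(teams),
            "admin": {"owner": owner, "administratorTeam": admin,
                      "writerTeam": writer, "readerTeam": reader}}


TEAMS: Dict[str, dict] = {
    EXAMPLE: make_team(JOHN, [JOHN, JANE], ["cn=Example,ou=Group,dc=example,dc=com"],
                       [NESTED], admin=ADMINS, writer=WRITERS, reader=READERS),
    ADMINS: make_team(BOB, [BOB]),
    WRITERS: make_team(BOB, [CAROL]),
    READERS: make_team(CAROL, [ALICE]),  # John has no role on this team
    NESTED: make_team(CAROL, [BOB]),
}


def fresh_teams() -> Dict[str, dict]:
    """Deep copy of the sample data so callers can mutate it safely."""
    return copy.deepcopy(TEAMS)


def members(teams, uuid: Optional[str], seen: Optional[Set[str]] = None) -> Set[str]:
    """All user DNs of a team: direct users, group members, nested teams.
    A null uuid (unset admin field) has no members; `seen` breaks cycles."""
    if uuid is None or uuid not in teams:
        return set()
    seen = set() if seen is None else seen
    if uuid in seen:
        return set()
    seen.add(uuid)
    t = teams[uuid]
    found = set(t["users"])
    for g in t["groups"]:
        found |= GROUPS.get(g, set())
    for nested in t["teams"]:
        found |= members(teams, nested, seen)
    return found


def can_admin(teams, user, uuid) -> bool:
    """Owner, administratorTeam member or global admin: full access incl. admin part."""
    a = teams[uuid]["admin"]
    return (user in GLOBAL_ADMINS or user == a["owner"]
            or user in members(teams, a["administratorTeam"]))


def can_write(teams, user, uuid) -> bool:
    """Writers may change content but not the admin part."""
    return can_admin(teams, user, uuid) or user in members(teams, teams[uuid]["admin"]["writerTeam"])


def can_read(teams, user, uuid) -> bool:
    """Readers may see content but not the admin part."""
    return can_write(teams, user, uuid) or user in members(teams, teams[uuid]["admin"]["readerTeam"])


def view(teams, user, uuid) -> dict:
    """The team as the user may see it; non-admins get it without the admin part."""
    if not can_read(teams, user, uuid):
        raise PermissionError(f"{user} cannot read {uuid}")
    t = teams[uuid]
    return t if can_admin(teams, user, uuid) else {k: v for k, v in t.items() if k != "admin"}


def set_admin_field(teams, actor, uuid, field, value) -> None:
    """Only owner/administrators change the admin part; pointing a field at
    another team needs no rights on that team and grants none."""
    if field not in ("owner", "administratorTeam", "writerTeam", "readerTeam"):
        raise ValueError(field)
    if field == "owner" and value is None:
        raise ValueError("owner cannot be null")
    if not can_admin(teams, actor, uuid):
        raise PermissionError(f"{actor} is not owner/administrator of {uuid}")
    teams[uuid]["admin"][field] = value


def add_user(teams, actor, uuid, user_dn) -> None:
    """Membership is content, so the actor needs write access on *that* team."""
    if not can_write(teams, actor, uuid):
        raise PermissionError(f"{actor} cannot write {uuid}")
    if user_dn not in teams[uuid]["users"]:
        teams[uuid]["users"].append(user_dn)


def demo() -> Dict[str, bool]:
    """Replay the page's scenario on a private copy of the sample data."""
    teams, out = fresh_teams(), {}
    out["alice_reads_via_reader_team"] = can_read(teams, ALICE, EXAMPLE)
    out["alice_sees_admin_part"] = "admin" in view(teams, ALICE, EXAMPLE)
    out["carol_writes_via_writer_team"] = can_write(teams, CAROL, EXAMPLE)
    out["carol_is_admin"] = can_admin(teams, CAROL, EXAMPLE)
    out["bob_admin_via_admin_team"] = can_admin(teams, BOB, EXAMPLE)
    out["jane_reads_before"] = can_read(teams, JANE, EXAMPLE)
    set_admin_field(teams, JOHN, EXAMPLE, "readerTeam", NESTED)  # owner may choose any team
    try:
        add_user(teams, JOHN, NESTED, JANE)  # ...but gains no rights on it
        out["owner_blocked_on_chosen_team"] = False
    except PermissionError:
        out["owner_blocked_on_chosen_team"] = True
    add_user(teams, CAROL, NESTED, JANE)  # Carol owns NESTED, so she can
    out["jane_reads_after"] = can_read(teams, JANE, EXAMPLE)
    out["root_is_superuser"] = can_admin(teams, ROOT, NESTED)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The one design point worth noting is in set_admin_field versus add_user: the first checks rights on the team being edited, the second checks rights on the team whose membership changes. Keeping those two checks on different objects is exactly what prevents an owner from escalating into a team he merely referenced.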