Starting with Traction Release 3.1, Traction uses Access Control Lists
by default to manage user and group permissions. This
release also introduces server- and project-level groups. Groups can contain
users and other groups, and ACLs can be specified for users and groups.
ACL Note: ACLs are enabled by
default in the CommunicatorJournal and for new journal creation. To upgrade
existing journals to use ACLs, after installing Traction 3.1, go to Server
Setup | People and click the "Convert Permissions to ACLs" button.
Active Directory Support: Traction
3.1 also supports Microsoft's Active Directory and NTLM for authentication,
user, and group definition. For instructions on setting up Active Directory
and configuring ACLs for Active Directory users and groups, see Configuring NTLM and Active Directory.
This help note explains how to create Groups and Access Control Lists
at the Server
and Project
level.
Server Setup | People tab
In the People tab, you can create global Traction Groups (which can
be selected from any project) and you can control which users and groups
have Login or Administer
Server permissions.
Login permission is used in
conjunction with Active Directory to determine what Active Directory users
are permitted to use Traction.
Note: Until the first ACL is
defined, all users have both Login
and Administer Server permissions.
Creating Global Traction Groups
Click the Traction Groups button:
A Group editor dialog box will open:
Click the New button to create
a new group. You will be prompted to name the group, then you can add
users or groups to the group. I created a group called Founders
and included users cjn and grl.
Now click Apply and then Close. In the next section you will
learn how to assign Login and
Administer Server permissions
to the group.
Assigning Login and Administer Server permissions to Users or Groups
Click the Access Control List button:
An ACL dialog will appear. Note that your new group is not listed. Click
Add Group to choose it and click
OK.
Now you can see the ACL with your new group and you can click the checkboxes
underneath Allow to assign Login or Administer
Server permission.
Warning:
Be careful when defining ACLs and check your work before you press the
apply button. It is very easy to lock yourself out of your journal, which
will require you to get an owner-enabled license and owner login password
from Traction Software. Make sure at all times that at least one user
has both Login and Administer
Server permissions. Note that
if no ACLs are specified, all users have both Login and Administer
Server permissions. When you
first define an ACL that grants one of these permissions, that ACL becomes
authoritative and only the specified users (or group) will have the designated
permission.
When you are ready, click Apply:
Note that each user or group may belong to one or more groups. Accordingly,
their Effective Permissions depend
on the sum of all their permissions. You can click on any user or group,
then click Effective Permissions
to see their final computed permissions.
Project Setup - Members and Permissions
Project Setup | Members tab
In this tab, you can create groups for your project, or select global
groups defined in Server Setup | People tab.
First, click the project's group button (in this example, we will work
with the JFrank project):
A Project Groups dialog will
appear:
TIP: You can use the Choose
Project control to edit the groups for other projects
without closing the dialog.
Click New... to create a new
group. A prompt will ask you to provide a name for the group. I made one
called Coworkers.
Click Add User to pick a User
or Add Group to add a Group to
this group. I
selected User names Shep and
Rmf: When you are finished defining
the group, press Apply.
Now you can click Close to
close the window.
Project Setup | Permissions tab
Now that you have defined groups, you can assign permissions to individual
users or groups.
Click the Access Control Lists
button:
An Access Control List dialog
will appear showing existing permissions:
To add your new group to the list and assign permissions, you can click
Add Group, a dialog will appear:
You can select the new group and click OK.
The new group will appear in the ACL dialog where you can set permissions
for the group:
Allow and Deny
The Allow option provides the
given permission. Allow permissions
cascade; if a given user belongs to multiple groups, they will inherit
all Allow permissions assigned
to any group they are in.
The Deny permission overrides
all Allow permissions. So, if
you allow readpermissions to
a certain group, but choose to deny read permission to a specific user
in that group, then that user will not be allowed to read the project.
Effective Permissions
Since it is possible to specify permission for any user or group, and
because its possible for an individual user to belong to many groups,
the only way to know the ultimate permissions for any user or group is
to click on the user or group in the ACL editor: and click the Effective
Permissions button:
This will launch a dialog indicating the effective permissions for that
user or group. From here, you can click User
or Group buttons to select a
different user or group and see their effective permissions.
