Canopy

Roles and permissions

Canopy uses a Role-Based Access Control (RBAC) system and also defines a number of predefined global roles.

Global Roles

Canopy defines a number of global roles to make permission management easier within the system. The system-defined roles are as follows:

Todo

Review permissions in table to confirm that it’s up to date.

Role name Default Permissions Description
Administrators
  • ALL
This is the global administrator. This user can perform any action on the system and access any object, i.e. there are no restrictions. However, the administrator's activities are logged.
Technical Managers
  • project-view
  • project-edit
  • project-content-edit
  • project-create
  • phase-view
  • phase-edit
  • phase-content-edit
  • finding-comment
  • report-comment
  • reporttemplate-view
  • reporttemplate-edit
  • opportunity-view
  • opportunity-edit
  • opportunity-content-edit
  • opportunity-create
  • scope-view
  • scope-edit
  • scope-content-edit
  • sow-comment
  • sowtemplate-view
  • sowtemplate-edit
  • questionnaire-view
  • questionnaire-edit
  • methodologytemplate-view
  • methodologytemplate-edit
  • methodologytemplate-comment
  • tariff-view
  • tariff-edit
  • taxonomytemplate-view
  • taxonomytemplate-edit
  • kb-view
  • kb-edit
  • kb-approve
  • kb-add
  • kb-comment
  • company-view
  • company-edit
  • company-create
A Technical Manager is a user role that is one step down from an administrator. They are able to perform practically all operations on the system, with the exception of administration-level actions (e.g. user management).
Senior Analysts
  • project-create
  • reporttemplate-view
  • methodologytemplate-view
  • methodologytemplate-comment
  • opportunity-create
  • kb-view
  • kb-edit
  • kb-approve
  • kb-add
  • kb-comment
  • company-view
A Senior Analyst is a trusted user within the system who can perform key operations, including KB management and project creation. By default, these users can also view (read-only) companies and methodologies.
Analysts
  • kb-view
  • kb-add
  • kb-comment
  • methodologytemplate-view
  • methodologytemplate-comment
An Analyst has a reduced set of permissions and must be explicitly granted access to a company, opportunity or project before they can work on anything. They are allowed to create KB findings and comment on them.
Sales Managers
  • company-view
  • company-edit
  • company-create
  • opportunity-create
  • opportunity-view
  • opportunity-edit
  • opportunity-content-edit
  • sowtemplate-view
  • sowtemplate-edit
  • questionnaire-view
  • questionnaire-edit
  • tariff-view
  • tariff-edit
A special admin-like user for managing companies, opportunities and their related templates. However, this user has limited access to projects and other technical content.
Account Managers
  • company-create
  • opportunity-create
A user for managing companies and opportunities. No default access to projects is assigned, but the user has access to all companies and opportunities they create.
Peer Reviewer
Special permissions assigned for a short lifetime (as needed) for modifying a specific report and commenting on it. These permissions are assigned based on the workflow engine.
Quality Assurer
Special permissions assigned for a short lifetime (as needed) for modifying a specific report and commenting on it. These permissions are assigned based on the workflow engine.

A number of additional roles will be included in the next iteration of Canopy, including a low-privilege user role and a KB admin role.

Object Roles

There are currently three main objects for assigning user access, outside of the global roles. These are:

  • Companies/Clients
  • Opportunities
  • Projects

The following screenshot shows an example of the User Access management interface that is part of the Edit Company dialogue. The default permissions for all company objects are listed in italics.

[Screenshot: User Access management interface in the Edit Company dialogue]

It is possible to add users with additional access. Groups cannot be added at the moment.

Permissions are grouped into a simple set of roles on each object, which are:

Read-only
A read-only role
Write
If available, this allows for the content of the object to be managed, but does not allow control over assigning access or deleting.
Admin
Perform any operation

The specific instances of these roles on their corresponding objects are explained next.

Company

Role Permissions Description
Read-only
  • company-view
Read-only access to a company.
Admin
  • company-edit
  • company-view
Manage the content and access control of a company.

Opportunity

Role Permissions Description
Read-only
  • opportunity-view
Read-only access to an opportunity.
Write
  • opportunity-content-edit
  • opportunity-view
Manage content associated with an opportunity. However, the structure of the opportunity cannot be changed (e.g. by adding more phase scopes).
Admin
  • opportunity-edit
  • opportunity-content-edit
  • opportunity-view
Manage the structure, content and access control of an opportunity.

Project

Role Permissions Description
Read-only
  • project-view
This is a read-only role. No editing can be performed by a user with this role.
Write
  • project-content-edit
  • project-view
Manage content associated with a project. However, the structure of the project cannot be changed (e.g. by adding more phases).
Admin
  • project-edit
  • project-content-edit
  • project-view
Manage the structure, content and access control of a project.
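
The following is an added example, not Canopy's own code, showing how the global roles and per-object roles described on this page could combine in a single access check. It assumes that global-role permissions apply to every object and are unioned with the user's role on the specific object; `User`, `effective_permissions` and `is_allowed` are hypothetical names.

```python
from dataclasses import dataclass, field

# Global role -> default permissions, copied from the Global Roles table
# (only three of the roles are included to keep the example short).
GLOBAL_ROLES = {
    "Administrators": {"ALL"},
    "Senior Analysts": set(
        "project-create reporttemplate-view methodologytemplate-view "
        "methodologytemplate-comment opportunity-create kb-view kb-edit "
        "kb-approve kb-add kb-comment company-view".split()),
    "Analysts": set("kb-view kb-add kb-comment methodologytemplate-view "
                    "methodologytemplate-comment".split()),
}

# Object type -> object role -> permissions, copied from the Object Roles tables.
OBJECT_ROLES = {
    "company": {"Read-only": {"company-view"},
                "Admin": {"company-edit", "company-view"}},
    "opportunity": {
        "Read-only": {"opportunity-view"},
        "Write": {"opportunity-content-edit", "opportunity-view"},
        "Admin": {"opportunity-edit", "opportunity-content-edit", "opportunity-view"}},
    "project": {
        "Read-only": {"project-view"},
        "Write": {"project-content-edit", "project-view"},
        "Admin": {"project-edit", "project-content-edit", "project-view"}},
}

@dataclass
class User:
    global_role: str
    # (object type, object id) -> object role name; hypothetical storage layout
    grants: dict = field(default_factory=dict)

def effective_permissions(user, obj_type, obj_id):
    """ASSUMPTION: global-role permissions apply to every object and are
    unioned with the permissions of the user's role on this one object."""
    perms = set(GLOBAL_ROLES.get(user.global_role, ()))
    role = user.grants.get((obj_type, obj_id))
    # Fail closed: an undefined role (e.g. "Write" on a company) adds nothing.
    perms |= OBJECT_ROLES.get(obj_type, {}).get(role, set())
    return perms

def is_allowed(user, permission, obj_type, obj_id=None):
    # Guard against checking a permission on the wrong kind of object.
    if not permission.startswith(obj_type + "-"):
        return False
    perms = effective_permissions(user, obj_type, obj_id)
    return "ALL" in perms or permission in perms
```

Under this model an Analyst has no project access until a grant such as `grants[("project", 7)] = "Write"` is recorded, and that grant allows `project-content-edit` on project 7 only, never `project-edit`.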