Roles and permissions

Canopy uses a role-based access control (RBAC) system with two layers: a set of predefined global roles that apply across the whole system, and object roles that are granted per client, opportunity or project.

Global Roles

Canopy defines a number of global roles to make permission management easier. The system-defined roles are as follows:

Each role is listed with its name, its default permissions and a description.

Administrators

  • ALL

This is the global administrator. An Administrator can perform any action on the system and access any object, with no restrictions. However, the Administrator's activities are logged.

Technical Managers

  • project-view

  • project-edit

  • project-content-edit

  • project-create

  • phase-view

  • phase-edit

  • phase-content-edit

  • finding-comment

  • report-comment

  • reporttemplate-view

  • reporttemplate-edit

  • opportunity-view

  • opportunity-edit

  • opportunity-content-edit

  • opportunity-create

  • scope-view

  • scope-edit

  • scope-content-edit

  • sow-comment

  • sowtemplate-view

  • sowtemplate-edit

  • questionnaire-view

  • questionnaire-edit

  • methodologytemplate-view

  • methodologytemplate-edit

  • methodologytemplate-comment

  • tariff-view

  • tariff-edit

  • taxonomytemplate-view

  • taxonomytemplate-edit

  • kb-view

  • kb-edit

  • kb-approve

  • kb-add

  • kb-comment

  • company-view

  • company-edit

  • company-create

A Technical Manager is one step down from an Administrator. They can perform practically all operations on the system, with the exception of administration-level actions (e.g. user management).

Senior Analysts

  • project-create

  • reporttemplate-view

  • methodologytemplate-view

  • methodologytemplate-comment

  • opportunity-create

  • kb-view

  • kb-edit

  • kb-approve

  • kb-add

  • kb-comment

  • company-view

A Senior Analyst is a trusted user within the system who can perform key operations, including KB management and project creation. By default, these users can also view (read-only) clients and methodologies.

Analysts

  • kb-view

  • kb-add

  • kb-comment

  • methodologytemplate-view

  • methodologytemplate-comment

An Analyst has a reduced set of permissions and must be explicitly granted access (through an object role) to a client, opportunity or project before they can work on it. They can view, create and comment on KB findings, but cannot edit or approve them.

Sales Managers

  • company-view

  • company-edit

  • company-create

  • opportunity-create

  • opportunity-view

  • opportunity-edit

  • opportunity-content-edit

  • sowtemplate-view

  • sowtemplate-edit

  • questionnaire-view

  • questionnaire-edit

  • tariff-view

  • tariff-edit

A special admin-like user for managing clients, opportunities and their related templates (SOW templates, questionnaires and tariffs). By default this user has no access to projects or other technical content.

Account Managers

  • company-create

  • opportunity-create

A user for managing clients and opportunities. No default access to projects is assigned, but an Account Manager has access to all companies and opportunities they create.

Peer Reviewer

Special permissions granted for a short lifetime (as needed) to modify a specific report and comment on it.

These permissions are assigned by the workflow engine.

Quality Assurer

Special permissions granted for a short lifetime (as needed) to modify a specific report and comment on it.

These permissions are assigned by the workflow engine.

A number of additional roles will be included in the next iteration of Canopy, including a low-privilege user role and a KB admin role.

Object Roles

Outside of the global roles, user access can currently be assigned on three kinds of object. These are:

  • Clients

  • Opportunities

  • Projects

The following screenshot shows an example of the User Access management interface that is part of the Edit Client dialogue. The default permissions for all client objects are listed in italic.

[Screenshot: User Access management interface in the Edit Client dialogue]

Additional users can be added with extra access. Groups cannot be added at the moment.

Permissions are grouped into a simple set of roles on each object, which are:

Read-only

View the object; no editing can be performed.

Write

Where available, this allows the content of the object to be managed, but does not allow changes to its structure, control over assigning access, or deletion.

Admin

Perform any operation on the object, including changing its access control. A user given Admin on an object can therefore grant other users access to it, so this role should be assigned sparingly.

The specific instances of these roles on their corresponding objects are explained next.

Client

Clients were historically referred to as Companies, and the Canopy API and backend still reflect this, which is why the permissions below use the company- prefix.

Role        Permissions                   Description
Read-only   company-view                  Read-only access to a client.
Admin       company-edit, company-view    Manage the content and access control of a client.

There is no Write role for clients.

Opportunity

Role        Permissions                                                    Description
Read-only   opportunity-view                                               Read-only access to an opportunity.
Write       opportunity-content-edit, opportunity-view                     Manage content associated with an opportunity. The structure of the opportunity cannot be changed (e.g. adding more phase scopes).
Admin       opportunity-edit, opportunity-content-edit, opportunity-view   Manage the structure, content and access control of an opportunity.

Project

Role        Permissions                                          Description
Read-only   project-view                                         Read-only access to a project. No editing can be performed by a user with this role.
Write       project-content-edit, project-view                   Manage content associated with a project. The structure of the project cannot be changed (e.g. adding more phases).
Admin       project-edit, project-content-edit, project-view     Manage the structure, content and access control of a project.
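The global default permissions and the per-object roles described in the two sections above can be combined into a single authorisation check. The following Python is an added example written for this page, not Canopy's own code or API. It transcribes the permission tables above and assumes two things the page does not state: that a user's effective permissions on an object are the union of their global role's defaults and the object role they hold on that specific object, and that the `<type>-edit` permission is what allows changing an object's access control. The user names and object ids are constructed.

```python
"""Constructed model of Canopy's roles as documented on this page.

Assumption (not stated on the page): effective permissions on an object are
the union of the global role's defaults and the object role held on it.
"""
from dataclasses import dataclass, field

# Global roles and default permissions, transcribed from the Global Roles table.
GLOBAL_ROLES = {
    "Administrators": {"ALL"},
    "Technical Managers": {
        "project-view", "project-edit", "project-content-edit", "project-create",
        "phase-view", "phase-edit", "phase-content-edit", "finding-comment",
        "report-comment", "reporttemplate-view", "reporttemplate-edit",
        "opportunity-view", "opportunity-edit", "opportunity-content-edit",
        "opportunity-create", "scope-view", "scope-edit", "scope-content-edit",
        "sow-comment", "sowtemplate-view", "sowtemplate-edit", "questionnaire-view",
        "questionnaire-edit", "methodologytemplate-view", "methodologytemplate-edit",
        "methodologytemplate-comment", "tariff-view", "tariff-edit",
        "taxonomytemplate-view", "taxonomytemplate-edit", "kb-view", "kb-edit",
        "kb-approve", "kb-add", "kb-comment", "company-view", "company-edit",
        "company-create",
    },
    "Senior Analysts": {
        "project-create", "reporttemplate-view", "methodologytemplate-view",
        "methodologytemplate-comment", "opportunity-create", "company-view",
        "kb-view", "kb-edit", "kb-approve", "kb-add", "kb-comment",
    },
    "Analysts": {
        "kb-view", "kb-add", "kb-comment",
        "methodologytemplate-view", "methodologytemplate-comment",
    },
    "Sales Managers": {
        "company-view", "company-edit", "company-create", "opportunity-create",
        "opportunity-view", "opportunity-edit", "opportunity-content-edit",
        "sowtemplate-view", "sowtemplate-edit", "questionnaire-view",
        "questionnaire-edit", "tariff-view", "tariff-edit",
    },
    "Account Managers": {"company-create", "opportunity-create"},
}

# Object roles per object type, from the Client/Opportunity/Project tables.
# Clients keep the legacy "company" prefix used by the API and backend.
OBJECT_ROLES = {
    "company": {"Read-only": {"company-view"},
                "Admin": {"company-view", "company-edit"}},
    "opportunity": {"Read-only": {"opportunity-view"},
                    "Write": {"opportunity-view", "opportunity-content-edit"},
                    "Admin": {"opportunity-view", "opportunity-content-edit",
                              "opportunity-edit"}},
    "project": {"Read-only": {"project-view"},
                "Write": {"project-view", "project-content-edit"},
                "Admin": {"project-view", "project-content-edit", "project-edit"}},
}


@dataclass
class User:
    name: str
    global_role: str
    # (object type, object id) -> object role, e.g. ("project", 42): "Write".
    grants: dict = field(default_factory=dict)


def effective_permissions(user, obj_type=None, obj_id=None):
    """Union of global defaults and the object role held on (obj_type, obj_id)."""
    perms = set(GLOBAL_ROLES[user.global_role])
    role = user.grants.get((obj_type, obj_id))
    if role is not None:
        perms |= OBJECT_ROLES[obj_type][role]
    return perms


def can(user, permission, obj_type=None, obj_id=None):
    """Authorisation check; "ALL" (Administrators) short-circuits everything."""
    perms = effective_permissions(user, obj_type, obj_id)
    return "ALL" in perms or permission in perms


def roles_with(permission):
    """Global roles whose defaults include a permission, e.g. who may kb-approve."""
    return sorted(r for r, p in GLOBAL_ROLES.items() if "ALL" in p or permission in p)


def access_controllers(users, obj_type, obj_id):
    """Users able to change access control on an object. Assumed here to be the
    "<type>-edit" permission: object Admin role, a global role carrying it
    (Technical Managers), or ALL. Useful for auditing who can delegate access."""
    return sorted(u.name for u in users
                  if can(u, f"{obj_type}-edit", obj_type, obj_id))


# Constructed users: the Analyst has no access to projects until granted a role.
ANALYST = User("ana", "Analysts", {("project", 42): "Write"})
SENIOR = User("sam", "Senior Analysts")
TECH_MGR = User("tim", "Technical Managers")
ACCOUNT_MGR = User("alex", "Account Managers", {("company", 7): "Admin"})
ROOT = User("root", "Administrators")
EVERYONE = [ANALYST, SENIOR, TECH_MGR, ACCOUNT_MGR, ROOT]
```

Running `access_controllers(EVERYONE, "project", 42)` returns only the Technical Manager and the Administrator, because the Analyst's Write role on project 42 carries project-content-edit but not project-edit; the same call for company 7 also returns the Account Manager, who was granted Admin on the client they created. That is the practical reason to audit object Admin grants: each one adds a user who can extend access further.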