diff options
Diffstat (limited to 'docs/en/rst/administering/groups.rst')
-rw-r--r-- | docs/en/rst/administering/groups.rst | 191 |
1 files changed, 191 insertions, 0 deletions
diff --git a/docs/en/rst/administering/groups.rst b/docs/en/rst/administering/groups.rst new file mode 100644 index 000000000..a14bb689e --- /dev/null +++ b/docs/en/rst/administering/groups.rst @@ -0,0 +1,191 @@ +.. _groups: + +Groups and Security +################### + +Groups allow for separating bugs into logical divisions. +Groups are typically used +to isolate bugs that should only be seen by certain people. For +example, a company might create a different group for each one of its customers +or partners. Group permissions could be set so that each partner or customer would +only have access to their own bugs. Or, groups might be used to create +variable access controls for different departments within an organization. +Another common use of groups is to associate groups with products, +creating isolation and access control on a per-product basis. + +Groups and group behaviors are controlled in several places: + +#. The group configuration page. To view or edit existing groups, or to + create new groups, access the "Groups" link from the "Administration" + page. This section of the manual deals primarily with the aspect of + group controls accessed on this page. + +#. Global configuration parameters. Bugzilla has several parameters + that control the overall default group behavior and restriction + levels. For more information on the parameters that control + group behavior globally, see :ref:`param-group-security`. + +#. Product association with groups. Most of the functionality of groups + and group security is controlled at the product level. Some aspects + of group access controls for products are discussed in this section, + but for more detail see :ref:`product-group-controls`. + +#. Group access for users. See :ref:`users-and-groups` for + details on how users are assigned group access. + +Group permissions are such that if a bug belongs to a group, only members +of that group can see the bug. If a bug is in more than one group, only +members of *all* the groups that the bug is in can see +the bug. For information on granting read-only access to certain people and +full edit access to others, see :ref:`product-group-controls`. + +.. note:: By default, bugs can also be seen by the Assignee, the Reporter, and + everyone on the CC List, regardless of whether or not the bug would + typically be viewable by them. Visibility to the Reporter and CC List can + be overridden (on a per-bug basis) by bringing up the bug, finding the + section that starts with ``Users in the roles selected below...`` + and un-checking the box next to either 'Reporter' or 'CC List' (or both). + +.. _create-groups: + +Creating Groups +=============== + +To create a new group, follow the steps below: + +#. Select the ``Administration`` link in the page footer, + and then select the ``Groups`` link from the + Administration page. + +#. A table of all the existing groups is displayed. Below the table is a + description of all the fields. To create a new group, select the + ``Add Group`` link under the table of existing groups. + +#. There are five fields to fill out. These fields are documented below + the form. Choose a name and description for the group. Decide whether + this group should be used for bugs (in all likelihood this should be + selected). Optionally, choose a regular expression that will + automatically add any matching users to the group, and choose an + icon that will help identify user comments for the group. The regular + expression can be useful, for example, to automatically put all users + from the same company into one group (if the group is for a specific + customer or partner). + + .. note:: If ``User RegExp`` is filled out, users whose email + addresses match the regular expression will automatically be + members of the group as long as their email addresses continue + to match the regular expression. If their email address changes + and no longer matches the regular expression, they will be removed + from the group. Versions 2.16 and older of Bugzilla did not automatically + remove users whose email addresses no longer matched the RegExp. + + .. warning:: If specifying a domain in the regular expression, end + the regexp with a "$". Otherwise, when granting access to + "@mycompany\\.com", access will also be granted to + 'badperson@mycompany.com.cracker.net'. Use the syntax, + '@mycompany\\.com$' for the regular expression. + +#. After the new group is created, it can be edited for additional options. + The "Edit Group" page allows for specifying other groups that should be included + in this group and which groups should be permitted to add and delete + users from this group. For more details, see :ref:`edit-groups`. + +.. _edit-groups: + +Editing Groups and Assigning Group Permissions +============================================== + +To access the "Edit Groups" page, select the +``Administration`` link in the page footer, +and then select the ``Groups`` link from the Administration page. +A table of all the existing groups is displayed. Click on a group name +you wish to edit or control permissions for. + +The "Edit Groups" page contains the same five fields present when +creating a new group. Below that are two additional sections, "Group +Permissions" and "Mass Remove". The "Mass Remove" option simply removes +all users from the group who match the regular expression entered. The +"Group Permissions" section requires further explanation. + +The "Group Permissions" section on the "Edit Groups" page contains four sets +of permissions that control the relationship of this group to other +groups. If the :param:`usevisibilitygroups` parameter is in use (see +:ref:`parameters`) two additional sets of permissions are displayed. +Each set consists of two select boxes. On the left, a select box +with a list of all existing groups. On the right, a select box listing +all groups currently selected for this permission setting (this box will +be empty for new groups). The way these controls allow groups to relate +to one another is called *inheritance*. +Each of the six permissions is described below. + +*Groups That Are a Member of This Group* + Members of any groups selected here will automatically have + membership in this group. In other words, members of any selected + group will inherit membership in this group. + +*Groups That This Group Is a Member Of* + Members of this group will inherit membership to any group + selected here. For example, suppose the group being edited is + an Admin group. If there are two products (Product1 and Product2) + and each product has its + own group (Group1 and Group2), and the Admin group + should have access to both products, + simply select both Group1 and Group2 here. + +*Groups That Can Grant Membership in This Group* + The members of any group selected here will be able add users + to this group, even if they themselves are not in this group. + +*Groups That This Group Can Grant Membership In* + Members of this group can add users to any group selected here, + even if they themselves are not in the selected groups. + +*Groups That Can See This Group* + Members of any selected group can see the users in this group. + This setting is only visible if the :param:`usevisibilitygroups` parameter + is enabled on the Bugzilla Configuration page. See + :ref:`parameters` for information on configuring Bugzilla. + +*Groups That This Group Can See* + Members of this group can see members in any of the selected groups. + This setting is only visible if the :param:`usevisibilitygroups` parameter + is enabled on the the Bugzilla Configuration page. See + :ref:`parameters` for information on configuring Bugzilla. + +.. _users-and-groups: + +Assigning Users to Groups +========================= + +A User can become a member of a group in several ways: + +#. The user can be explicitly placed in the group by editing + the user's profile. This can be done by accessing the "Users" page + from the "Administration" page. Use the search form to find the user + you want to edit group membership for, and click on their email + address in the search results to edit their profile. The profile + page lists all the groups and indicates if the user is a member of + the group either directly or indirectly. More information on indirect + group membership is below. For more details on User Administration, + see :ref:`users`. + +#. The group can include another group of which the user is + a member. This is indicated by square brackets around the checkbox + next to the group name in the user's profile. + See :ref:`edit-groups` for details on group inheritance. + +#. The user's email address can match the regular expression + that has been specified to automatically grant membership to + the group. This is indicated by "\*" around the check box by the + group name in the user's profile. + See :ref:`create-groups` for details on + the regular expression option when creating groups. + +Assigning Group Controls to Products +==================================== + +The primary functionality of groups is derived from the relationship of +groups to products. The concepts around segregating access to bugs with +product group controls can be confusing. For details and examples on this +topic, see :ref:`product-group-controls`. + |