I have two projects. I need to assign some users to project A and some to project B. Issues of Project A should not be visible to user of Project B and vice versa. Only project manager should be able to access and grant permission to project A,project B,project C etc. users.
JIRA is quite flexible about how you grant permissions. You can put people in a group (such as jira-users or jira-developers) and you can also put people in to roles within projects.
For your requirements you should modify the permission scheme used by your two projects. Do something like this:
For the permission browse project allow project role (Users) and the group Project Managers.
For the permission Administer Projects allow the group Project Managers.
Then, add all your Project Managers to the group Project Managers. Next, for Project A, add the users you want to be on this project to the role of Users for Project A. Similarly for Project B, add the users you want to be on this project to the role of Users for Project B.
This now means that anyone who is a Project Manager can administer projects and can also view them. But only users who have been given a Users role on a project will be able to see them and users that are not Project Managers will not be able to administer anything.
This is just an example of the kind of approach you can take. Experiment with putting users in groups (which you do in the User Management menu) and with adding users to roles (which you do in the projects administration menu). You will also want to add a new custom permission scheme and make sure that scheme is used by each of the projects.
This Atlassian page covers configuring permissions in more detail
Related
It seems the only way to share a dataset so that another person can run queries on the tables from the dataset is to make that person a Project user. See permissions
This means that the user would have access to all the datasets on the project. This seems to me that is is highly inconvenient. Am I missing something?
For user to run query - user need to have bigquery.jobs.create permission
If your user already has this permission in any other project - you can just simply share your dataset with this user with Can View Access Level
If user is new and does not have yet bigquery.jobs.create in any other project - you can just add this user to your project with this permission only.
And still you need add this user to ACL for that
specific dataset
Important: Please also note - if you give user permission to create jobs in your project - you will be billed for respective queries.
If user has its "own" project and only has view access to you data - in this case bill goes to user's project
I have this case where Designers and Managers works on a project with a certain Role.
Is this ER Diagram design correct?
I have doubt in Manager, Designer, Role, and Project relation.
ER Diagram:
Or do I just make it as attribute?
Here is the Database table Representation
The case also states to show that Administrator manages almost everything. Do I have to make a "Manages" relations?
Here is the complete case:
• Administrators can login to manage everything
• Managers can login and can work on Projects
• Designers can also login and can work on Projects
• Customers own Projects
• Managers, Designers and Customers have profile pages listing the projects they are related to. Administrator don't have.
• Managers can have Designers working for them
• Designers only have one Manager at a time and Administrator can change the Manager of the Designer at any time
• Managers and Designers who working on a Project is assigned a Role that the Administrator can manage (e.g. Project Champion, Lead Architect, Safety Engineer, etc)
• Project needs to have rich text as the description
• Project needs to be able to have many photos and PDF files
• Only Managers and Designers who is working on the Project can edit the project (Administrator also can)
Making Role an attribute means a Designer/Manager can only work on a Project in a single Role. Making it an entity with a cardinality of N in the relationship means a Designer/Manager can work on a Project in multiple Roles.
Between those options is the possibility of making it an entity with a cardinality of 1 in the relationship (meaning the PK consists of Manager/Designer and Project). Whether to make it an entity or an attribute depends on whether you have information about Roles or just want to record a value.
Your question about whether to make a Manages relation is unclear - I can't decide for you what "Almost everything" means.
I have service accounts per BigQuery project. I need to put joins on tables in different projects using service accounts configured on each project.
Here is what i have:
Service_EmailAccount1 -> project1
Service_EmailAccount2 -> project2
I can connect to tables using these service accounts in respective projects but when I try to join data on different tables which are in different projects, I get access errors.
Reason is when i build the BigQuery service , I am using a JSON file which is specific to project as it contains the project id.
How can I join tables in different projects using service accounts?
Assuming you run your query by Service_EmailAccount1
In this case you should just share your respective dataset in project2 with Service_EmailAccount1
And you must make sure both datasets are in the same location
That's all you need
See more about Access Control concept in BigQuery
I believe that the following idea might be helpful, for example, you are using service_emailaccount1 to get access of project1,
go to bigquery, click the project name, then choose -> switch project -> manage projects, you will go to IAm & Admin page
choose project1 and then you will see the permission page for the project.
add service_emalaccount2 to be a viewer/editor to this project1(if account1 is the owner)
Then, I believe that both accounts will access project1.
This is what I will do to get access to several projects, and I am not sure we can use different service account to querying from different project in one query. Thx
How to create yii rights menu for two different user logins where they have separate roles and permissions for them .In brief yii rights module to be created separately for two different user logins.
I have created an application where every individual group of users must have a role created for them. Say for example there is a group such as joy they should have separate rights extension and another group fun those users must have separate rights extension to them
I'm trying to setup customer access to some of my BigQuery data. I'll start off with my requirements, then what I think the solution needs to be, though I'm not sure how to execute.
Requirements
Separate billing per customer for queries
I don't want to make my dataset public
Read only access to specific datasets
Accessible via Excel connector
No access rights to my main project
They manage their own access privileges, I don't want to have to add and remove individual users from direct dataset access on behalf of all our clients.
Nice to have - Web UI access
What I've Done
Created a new Google Developer Project
Added a view-only user on that project
Added a service account
Granted access to my BigQuery dataset to the service account
Here are the options for granting dataset access from the documentation:
I imagine that I need to setup some sort of special group, but I can't figure out how to do it.
Thanks in advance!
In BigQuery there are two different concepts:
The first one is billing (for queries and any other billable
activity) that is linked with a Google Cloud Project.
The second one is access to a dataset.
Having said that, to fulfil your requirements you'd create a separate project for each of the customers, and grant access to the datasets in the granularity that you would want.
That way you would have the costs for each of the projects separated but billed to you. Be careful to give them only read access to the project, unless you want them to be able to create other services like VM or deploy GAE apps, as they'd be billed to you as well.
For example dataset [MyDatasetA] to users X and Y in projects Project1 and Project2, but access to [MyDatasetB] to users Y and Z in projects Project2 and Project3.
Thus, each project is accountable for the queries their users run, and you have your access control on each dataset without it being public.
Separate billing per customer for queries. Done with the independent projects.
I don't want to make my dataset public. Done with fine grained control access.
Read only access to specific datasets. Same as above.
Accessible via Excel connector. It should work without problems as they'd be first class BQ users.
No access rights to my main project. Again possible if they are restricted to their own projects.
They manage their own access privileges. This is trickier. I think they'd need more than read access to the datasets or more than read access to the projects to be able to add new users, if you use the project groups as access control.
Nice to have - Web UI access. Check out https://bigquery.cloud.google.com/
The project groups are groups that allow to select members with Viewer, Developer or Owner roles in one click, without the hassle of adding each member manually.
You get already three groups set-up for you to use: Viewers, Editors and Owners of the original project.
But you may create your own Google Groups and give those groups the permission you want.
The hint when doing so, is that new users will usually need to Display your project so that it appears in the BQ online browser. This is done by clicking on the arrow to the side of the project name in the BQ online browser followed by Switch to project then Display project with the project name that the Dataset belongs to.
Edit: Improved the explanation about Group access