Document number	Revision
DOCU12498	1

Project Security

Project Security BackgroundIntroductionBaseType securityColumn securityRoles

Background

In this article, you will learn about how default security is handled for Projects in Highstage.

Introduction

Note: Security in Highstage is highly customizable. This article introduces you to the default Project security configuration.

For Projects in Highstage, two concepts of security is introduced. General access to see, modify and create projects in Highstage is specified through Basetype security. As an additional layer of security, Column security specifies the security associated with each individual column on an item in Highstage:

These concepts are dependent on each others and is evaluated as a layered structure. Basetype security is initially evaluated, and only if the user have access to the basetype, the security for the specific column is evaluated through column security:

A number of Roles are associated with Projects. Being assigned to a specific role grants a user a specific privileges' or responsibility on the specific project. This document explain the roles which is default bundled with Highstage and their relation to column security.

BaseType security

Basetype security must be set to enable users to view, modify or create Projects in Highstage.

The following table gives you an overview of the basetype columns that permits users or user groups to view, create or modify Projects in Highstage:

Column	Description
TrustRead	All `Users` and/or `User groups` listed has permission to see all existing Projects.
TrustCreate	All `Users` and/or `User groups` listed has permission to create new Projects.
TrustModify	All `Users` and/or `User groups` listed has permission to modify existing Projects.

ADMINISTRATOR NOTE: Basetype security can be applied by navigating to SYSTEM > Types > Basetypes in the side navigation menu.

Column security

Column security refers to the responsibilities and permissions that are granted to users for each Project. These capabilities are granted through specific Roles which are associated with each individual Project.

The following table gives you an overview of the default columns and the required roles to view and/or modify them:

Column	Manager	Teammember	Trustee	Superuser ¹
active	`Read` / `Write`	`Read`	`Read`	`Read`
address	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
city	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
class	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
company	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
contact	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
country	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
email	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
entity	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
fax	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
ip	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
isworkspace	`Read` / `Write`	`Read`	`Read`	`Read`
manager	`Read` / `Write`	`Read`	`Read`	`Read`
name	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
note	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
obj	`Read`	`Read`	`Read`	`Read`
objtype	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
phone	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
postalcode	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
priority	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
teammembers	`Read` / `Write`	`Read`	`Read`	`Read`
trustcreate	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
trustees	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
url	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`
workspace	`Read` / `Write`	`Read` / `Write`	`Read`	`Write`

Roles

A Role in Highstage refers to the assigned responsibility or privilege that determines a users' permissions to view, create or modify contents in Highstage:

For any Project in Highstage, the following roles exists:

Role	Description	Permissions	Required	Note
`Manager`	Ability to see and change any column and assign additional `teammembers` and `trustees`.	Can `read` and `modify` any existing column and are allowed to assign `manager` to another Highstage user.	❌	Only one single user can be assigned as `manager` on each Project at a time. If no `Manager` is specified, modifications to the Project requires administrator privileges'. Default `Manager` is set as the user who created the Project.
`TeamMember`	Ability to see and change any column but the `manager`. Can assign additional `trustees`.	Can `read` and `modify` any existing column but is not allowed to modify the existing `manager`.	❌	Any number of users and user groups can be assigned as `teammember`.
`Trustee`	Ability to see all Project information.	Has `read` permissions, but cannot make any changes to the `Project`.	❌	Any number of users and user groups can be assigned as `trustee`.
`SuperUser`	Ability to change any column but the `manager`. Can assign additional `trustees`.	Can `modify` any existing column but is not allowed to modify the existing `manager`.	❌	A `SuperUser` is not assigned to a Project but is granted through the selected user level. A `SuperUser` still requires `read` capabilities by being assigned as a `Manager`, `TeamMember` or `Trustee` to be able to make modifications.

highstage_footer

1 A SuperUser has the same Write permissions as a TeamMember. A SuperUser, however, still needs to be listed as a Manager, teammember or trustee to gain Read access to permit modifications to an existing Project. ↩