You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 10 Next »

Introduction

Partners collaborate with Red Hatters across many products and Jira projects, which requires secure access controls in place in order to grant access to the appropriate projects and tickets.

This page outlines the configurations that must be in place in order to support partner access, plus what to check in the case that a partner cannot access a particular issue.

Project permissions and user/group role mappings

In order for a partner to have access to a Jira project, the project must:

  1. Support access by non-Red Hatters.
    1. Using Red Hat Standards (internal Red Hat page), this means that the project's permission scheme should be OJA-PRMS-002 or OJA-PRMS-003. 
    2. Projects with OJA-PRMS-001 applied do not support partner access.
  2. Have the right user/group role mappings configured to allow the right level of access. In most cases, this means adding individual partner users or partner groups* to the Users role, which (assuming OJA-PRMS-002 or OJA-PRMS-003 is applied) provides permissions to:
    • Browse issues they have access to view
    • Create new issues
    • Set the issue security level on issues they can access
    • Be assigned to issues they have access to view
    • Add comments and attachments to issues they have access to view
    • Link to other issues they have access to view
    • Manage watchers on issues they have access to view


*A note on partner groups

When onboarded, many partners are added to a partner confidential group that is synced to Jira. If that did not happen, Red Hatters can request that a new partner group be created in Jira, and there is the option to have it automatically populated by domain so that when a new partner user logs into Jira with the specified domain (@xyz.com), they are automatically added to their respective partner group. See Managing partner interactions in Jira (internal Red Hat page) for more details.

Note also that Jira can sync groups from Rover. Ideally, partner users use their partner account that has the domain of their partner company. However, partner engineers (a type of partner user) have redhat.com email addresses and sometimes use those for their Jira accounts. These partner engineers can be added to Rover groups that can also sync to Jira.


Issue security

Partners may not have access to all issues in a project due to the security level applied to each issue. Red Hat partners will not have access to issues with the following Red Hat Standard security levels (internal Red Hat page) applied (uncommon exceptions are noted in parentheses below):

  • Red Hat Employee
  • Embargoed Security Issue (unless they are explicitly added to a user picker field on the issue)
  • Red Hat Engineering Authorized (unless they are the reporter or added to the Contributors field)
  • Restricted (unless they are explicitly added to a user picker field on the issue)
  • Team (unless they are explicitly added to a user picker field on the issue or have the Scrum Master, Developer, or Administrator project role)

In most cases, partners are given access to issues in one of two ways:

  1. the ticket is unrestricted (no security level applied) or
  2. the security level is set to Red Hat Partner*, and the partner user has been added to the Contributors field or the partner group has been added to the Contributing Groups field


*A note on the Red Hat Partner security level

Because Jira users can only set the security level of an issue to levels that they have access to, it's possible that not everyone will see Red Hat Partner as an option in the Security Level field. If a Red Hatter cannot set the issue to Red Hat Partner or see an issue where the security level is set to Red Hat Partner, it's likely because they are not in the proper group. More details follow:

The ability to see and work on partner bugs requires that users be a member of the Red Hat Bugzilla See Partner Bugs Jira group (which underlies Red Hat Partner security level). This group is fed by the LDAP group bugzilla-see-partner-bugs

To be added to the see_partner_bugs group in Bugzilla, you must apply for the packager role (note that members of the Red Hat Support may choose the support_staff role). Access to that role in Bugzilla will grant you access to the see_partner_bugs Bugzilla group, which in turn feeds the LDAP group bugzilla-see-partner-bugs. Access to this LDAP group provides access to the Jira group Red Hat Bugzilla See Partner Bugs. To access roles, go to bugzilla.redhat.com > My Links > Workflows > Request Group Membership.

See Partner bugs for more details about the restrictions in place for broad access to partner issues in Jira.


Additional optional configurations

Automation can help streamline access to issues in Jira. There are a few ways to go about this:

  1. If the partners working in your project use their partner company email addresses for their Jira accounts, PME can enable automation that automatically sets the security level to Red Hat Partner and automatically sets the Contributing Groups field to the appropriate partner group when a person from the same domain opens a new Jira ticket. See Managing partner interactions in Jira (internal Red Hat page) for more details.
  2. Project admins can create custom automation rules to set the security level to Red Hat Partner and the Contributors and/or Contributing Groups field as appropriate based on a specific trigger.

FAQ

I'm a partner that collaborates on issues in a particular Jira project, and I can't see any issues. Why?

This is likely because the project's permission scheme does not support non-RH access. Have a project admin check the permission scheme applied to the project, and ensure it is OJA-PRMS-002 or OJA-PRMS-003.

I'm a partner that collaborates on issues in a particular Jira project, and I can see some issues but not all of the issues I'm linked to. Why?

This is likely because the particular issues you cannot see have a security level set that prevents you from accessing it. In most cases, issues that should be accessible to a particular partner user or partner group should be restricted using the Red Hat Partner security level and have the partner user or group added to the Contributors or Contributing Groups field. Check with someone who can access the ticket whether these are set properly on the ticket.

I'm a Red Hat employee, and I can't see some of the issues partners are working on. Why?

Not all Red Hat employees are in the group that grants access to view all partner issues in Jira. This group membership is limited to Engineering and Support associates and requires approval. The ability to see and work on partner bugs requires that users be a member of the Red Hat Bugzilla See Partner Bugs Jira group (which underlies Red Hat Partner security level). This group is fed by the LDAP group bugzilla-see-partner-bugs To be added to the see_partner_bugs group in Bugzilla, you must apply for the packager role (note that members of the Red Hat Support may choose the support_staff role). Access to that role in Bugzilla will grant you access to the see_partner_bugs Bugzilla group, which in turn feeds the LDAP group bugzilla-see-partner-bugs. Access to this LDAP group provides access to the Jira group Red Hat Bugzilla See Partner Bugs. To access roles, go to bugzilla.redhat.com > My Links > Workflows > Request Group Membership.

I'm a Red Hat employee, and I want to manage partner access in my project through a group rather than individual access. What do I do?

I'm a Red Hat employee, and I want new partner-opened issues to default to visibility to that partner's group. What do I do?

I'm a Red Hat employee that works in a project that has interactions from multiple partners. How do I segregate access appropriately?

  • No labels