You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 16 Next »

This page is a work in progress and is still being updated. Please watch the page for new updates. 


Introduction

Partners collaborate with Red Hatters across many products and Jira projects, which requires secure access controls in place in order to grant access to the appropriate projects and tickets.

This page outlines the configurations that must be in place in order to support partner access, plus what to check in the case that a partner cannot access a particular issue.

Project permissions and user/group role mappings

In order for a partner to have access to a Jira project, the project must:

  1. Support access by non-Red Hatters.
    1. Using Red Hat Standards (internal Red Hat page), this means that the project's permission scheme should be OJA-PRMS-002 or OJA-PRMS-003. 
    2. Projects with OJA-PRMS-001 applied do not support partner access.
  2. Have the right user/group role mappings configured to allow the right level of access. In most cases, this means adding individual partner users or partner groups* to the Users role, which (assuming OJA-PRMS-002 or OJA-PRMS-003 is applied) provides permissions to:
    • Browse issues they have access to view
    • Create new issues
    • Set the issue security level on issues they can access
    • Be assigned to issues they have access to view
    • Add comments and attachments to issues they have access to view
    • Link to other issues they have access to view
    • Manage watchers on issues they have access to view


*A note on partner groups

When onboarded, many partners are added to a partner confidential group that is synced to Jira. If that did not happen, Red Hatters can request that a new partner group be created in Jira, and there is the option to have it automatically populated by domain so that when a new partner user logs into Jira with the specified domain (@xyz.com), they are automatically added to their respective partner group. See Managing partner interactions in Jira (internal Red Hat page) for more details.

Note also that Jira can sync groups from Rover. Ideally, partner users use their partner account that has the domain of their partner company. However, partner engineers (a type of partner user) have redhat.com email addresses and sometimes use those for their Jira accounts. These partner engineers can be added to Rover groups that can also sync to Jira.


Fields

Partners who should have access to a subset of the issues in a Jira project can be added to individual users in either the Contributors or Contributing Groups field. The Contributors field is globally available in projects by default, but the Contributing Groups field is not. A project admin may need to request that it be added to their project.

Issue security

Partners may not have access to all issues in a project due to the security level applied to each issue. Red Hat partners will not have access to issues with the following Red Hat Standard security levels (internal Red Hat page) applied (uncommon exceptions are noted in parentheses below):

  • Red Hat Employee
  • Embargoed Security Issue (unless they are explicitly added to a user picker field on the issue)
  • Red Hat Engineering Authorized (unless they are the reporter or added to the Contributors field)
  • Restricted (unless they are explicitly added to a user picker field on the issue)
  • Team (unless they are explicitly added to a user picker field on the issue or have the Scrum Master, Developer, or Administrator project role)

In most cases, partners are given access to issues in one of two ways:

  1. the ticket is unrestricted (no security level applied) or
  2. the security level is set to Red Hat Partner*, and the partner user has been added to the Contributors field or the partner group has been added to the Contributing Groups field


*A note on the Red Hat Partner security level

Because Jira users can only set the security level of an issue to levels that they have access to, it's possible that not everyone will see Red Hat Partner as an option in the Security Level field. If a Red Hatter cannot set the issue to Red Hat Partner or see an issue where the security level is set to Red Hat Partner, it's likely because they are not in the proper group. More details follow:

The ability to see and work on partner bugs requires that users be a member of the Red Hat Bugzilla See Partner Bugs Jira group (which underlies Red Hat Partner security level). This group is fed by the LDAP group bugzilla-see-partner-bugs

To be added to the see_partner_bugs group in Bugzilla, you must apply for the packager role (note that members of the Red Hat Support may choose the support_staff role). Access to that role in Bugzilla will grant you access to the see_partner_bugs Bugzilla group, which in turn feeds the LDAP group bugzilla-see-partner-bugs. Access to this LDAP group provides access to the Jira group Red Hat Bugzilla See Partner Bugs. To access roles, go to bugzilla.redhat.com > My Links > Workflows > Request Group Membership.

See Partner bugs for more details about the restrictions in place for broad access to partner issues in Jira.


Additional optional configurations

Automation can help streamline access to issues in Jira. There are a few ways to go about this:

  1. If the partners working in your project use their partner company email addresses for their Jira accounts, PME can enable automation that automatically sets the security level to Red Hat Partner and automatically sets the Contributing Groups field to the appropriate partner group when a person from the same domain opens a new Jira ticket. See Managing partner interactions in Jira (internal Red Hat page) for more details.
  2. Project admins can create custom automation rules to set the security level to Red Hat Partner and the Contributors and/or Contributing Groups field as appropriate based on a specific trigger.

FAQ

I'm a partner that collaborates on issues in a particular Jira project, and I can't see any issues. Why?

This is likely because the project's permission scheme does not support non-RH access. Have a project admin check the permission scheme applied to the project, and ensure it is OJA-PRMS-002 or OJA-PRMS-003.

I'm a partner that collaborates on issues in a particular Jira project, and I can see some issues but not all of the issues I'm linked to. Why?

This is likely because the particular issues you cannot see have a security level set that prevents you from accessing it. In most cases, issues that should be accessible to a particular partner user or partner group should be restricted using the Red Hat Partner security level and have the partner user or group added to the Contributors or Contributing Groups field. Check with someone who can access the ticket whether these are set properly on the ticket.

I'm a Red Hat employee, and I can't see some of the issues partners are working on. Why?

Not all Red Hat employees are in the group that grants access to view all partner issues in Jira. This group membership is limited to Engineering and Support associates and requires approval. The ability to see and work on partner bugs requires that users be a member of the Red Hat Bugzilla See Partner Bugs Jira group (which underlies Red Hat Partner security level). This group is fed by the LDAP group bugzilla-see-partner-bugs To be added to the see_partner_bugs group in Bugzilla, you must apply for the packager role (note that members of the Red Hat Support may choose the support_staff role). Access to that role in Bugzilla will grant you access to the see_partner_bugs Bugzilla group, which in turn feeds the LDAP group bugzilla-see-partner-bugs. Access to this LDAP group provides access to the Jira group Red Hat Bugzilla See Partner Bugs. To access roles, go to bugzilla.redhat.com > My Links > Workflows > Request Group Membership.

I'm a Red Hat employee, and I want to manage partner access in my project through a group rather than individual access. What do I do?

If the partner you're working with did not have a group set up by the Engineering Partner Management group, then open a ticket to rh-issues@redhat.com providing the partner name and domain. You can request that anytime someone from that domain logs in, they get automatically added to the partner group. Then, you can map that group to a role in your project and/or add it to the Contributing Groups field on an issue to give everyone in that group access to the ticket.

I'm a Red Hat employee, and I want to share all tickets in my project with the partners I work with. Do I have to add them to every ticket?

No! If all issues should be accessible by the partner(s), you can grant the partner(s) or partner group an elevated role (like Developers) and keep the issues in the project unrestricted (no security level set). Just be sure you're using OJA-PRMS-002 or OJA-PRMS-003 (OJA-PRMS-001 does not support non-Red Hatter access).

I'm a Red Hat employee, and I want new partner-opened issues to default to visibility to that partner's group. What do I do?

Assuming all partners who might open ticket are using accounts associated with their company email addresses, open a ticket to rh-issues@redhat.com requesting that whenever someone from that domain opens a ticket, the security level defaults to Red Hat Partner and the partner group gets added to the Contributing Groups field.

I'm a Red Hat employee that works in a project that has interactions from multiple partners. How do I segregate access appropriately?

Using the Red Hat Partner security level along with adding values to the Contributors or Contributing Groups field is the best way to manage multiple partners working out of the same project. By specifying which partner users or partner groups should have access to each ticket, you are explicitly granting access to those tickets but not to others. Be sure you also use the Red Hat Employee security level on tickets that should not be accessible by anyone other than Red Hat employees.

  • No labels