docs/system-admin-guide/users-permissions/roles-permissions/README.md
A user is any individual who can log into your OpenProject instance.
Permissions control what users can see and do within OpenProject. Permissions are granted to users by assigning one or more roles to them.
A role bundles a collection of permissions. It is a convenient way of granting permissions to multiple users in your organization who need the same permissions or restrictions.
A user can have one or more roles which grant permissions on different levels.
Administrators have full access to all settings and all projects in an OpenProject environment. The permissions of the Administrator role cannot be changed.
| Scope of the role | Permission examples | Customization options |
|---|---|---|
| Application-level: Full control of all aspects of the application | - Assign administration privileges to other users |
Global roles allow administrators to delegate administrative tasks to individual users.
| Scope of the role | Permission examples | Customization options |
|---|---|---|
| Application-level: Permissions scoped to specific administrative tasks (not restricted to specific projects) | - Manage users |
A project role is a set of permissions that can be assigned to any project member. Multiple roles can be assigned to the same project member.
[!NOTE] If a module is not enabled in a project, it is not shown to a user, even if the user has a permission for it.
| Scope of the role | Permission examples | Customization options |
|---|---|---|
| Project-level: Permissions scoped to individual projects (a user can have different roles for individual projects) | - Create work packages (in a project) |
Non-member is the default role of users of your OpenProject instance who have not been added to a project. This only applies if the project has been set as public in the project settings.
[!NOTE] The Non-member role cannot be deleted.
| Scope of the role | Permission examples | Customization options |
|---|---|---|
| Project-level: Permissions scoped to individual projects for users who are logged in | - View work packages for users that are logged in | Assign different permissions to the role Non-member |
OpenProject allows sharing project information with anonymous users who are not logged in. This is helpful for communicating project goals and activities to a public community.
[!NOTE] This only applies if you disabled the need for authentication for your instance and if the project is set as public. The Anonymous role cannot be deleted.
| Scope of the role | Permission examples | Customization options |
|---|---|---|
| Project-level: Permissions scoped to individual projects for users who are <u>not</u> logged in | - View work packages for users that are not logged in | Assign different permissions to the role Anonymous |
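
To review what the Non-member and Anonymous roles expose, the rules above can be written down as a small model. This is an added example, not OpenProject code: the permission and module identifiers, the sample projects and the `login_required` flag are constructed assumptions, administrators are left out, and permissions from several roles are assumed to add up.

```python
from dataclasses import dataclass

# Constructed configuration: role names follow the page; the permission and
# module identifiers are illustrative assumptions.
ROLE_PERMISSIONS = {
    "Member": {"view_work_packages", "add_work_packages", "view_wiki_pages"},
    "Reader": {"view_work_packages"},
    "Non-member": {"view_work_packages"},
    "Anonymous": {"view_work_packages", "view_wiki_pages"},
}
PERMISSION_MODULE = {"view_work_packages": "work_packages",
                     "add_work_packages": "work_packages",
                     "view_wiki_pages": "wiki"}

@dataclass
class Project:
    name: str
    public: bool
    modules: set   # modules enabled in the project
    members: dict  # login -> list of project role names

def applicable_roles(login, project, login_required):
    """Project-level roles of a non-administrator; login=None means not logged in."""
    if login is None:
        # Anonymous needs authentication to be optional and the project public.
        return ["Anonymous"] if project.public and not login_required else []
    if login in project.members:
        return project.members[login]
    # Logged in but not a member: Non-member applies to public projects only.
    return ["Non-member"] if project.public else []

def effective_permissions(login, project, login_required=True):
    granted = set()
    for role in applicable_roles(login, project, login_required):
        granted |= ROLE_PERMISSIONS[role]  # several roles add up
    # A permission whose module is not enabled in the project has no effect.
    return {p for p in granted if PERMISSION_MODULE[p] in project.modules}

def exposure_report(projects, login_required):
    """Per public project: what anonymous visitors and non-members can do."""
    return {p.name: {
        "anonymous": sorted(effective_permissions(None, p, login_required)),
        "non_member": sorted(effective_permissions("outsider", p, login_required)),
    } for p in projects if p.public}  # "outsider": a login in no project

PROJECTS = [  # constructed sample projects
    Project("community", True, {"work_packages", "wiki"}, {"alice": ["Member"]}),
    Project("roadmap", True, {"work_packages"}, {"bob": ["Reader", "Member"]}),
    Project("internal", False, {"work_packages", "wiki"}, {"alice": ["Reader"]}),
]
```

Calling `exposure_report(PROJECTS, login_required=False)` lists, for every public project, what a visitor without an account and a logged-in non-member would be able to do.
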
Standard is the default role of users of your OpenProject instance. It is configured by administrators on the instance level.
[!NOTE] The Standard role cannot be deleted and it is applied to every user on the instance. Users cannot be assigned to or unassigned from this role. By default, no permissions are selected. Please adjust the permissions yourself.
| Scope of the role | Permission examples | Customization options |
|---|---|---|
| Application-level: Permissions scoped to specific administrative tasks (not restricted to specific projects) | - View user's mail addresses | Assign different permissions to the role Standard |
Administrators can add new roles with custom permissions or configure existing ones in Administration > Users and permissions > Roles and permissions.
The permissions report is a good starting point to get an overview of the current configuration of roles and permissions. To open the permissions report, navigate to Administration > Users and permissions > Permissions report.
Administrators can create new project roles in Administration > Users and permissions > Roles and permissions. Click on the green +Role button to create a new role.
Complete the following steps:
To create the new role, click on the grey Create button at the bottom of the page.
Administrators can create new global roles in Administration > Users and permissions > Roles and permissions. In the creation form, check the box Global role.
The form shows the available global permissions which can be assigned to the new global role. They include:
[!TIP] To create a subproject for an existing project the project permission "Create subprojects" is also required.
Create portfolios
Create programs
[!NOTE] This allows administrators to delegate the administration of users to other people who should not have full control of the entire OpenProject installation (Administrator). These users can edit attributes of any user except administrators. This means they are able to impersonate another user by changing that user's email address to match their own. This is a security risk and should be considered with caution.
[!NOTE] This allows administrators to grant visibility of all users in the system. When this global permission is not assigned, project administrators only see:
- users who share a project with them,
- users in the same groups as them, or
- users they explicitly invite by email (if permitted).
[!NOTE] Users with this global permission cannot automatically see and edit all placeholder users in all projects. It is restricted to the placeholder users in projects in which the user has the respective permission to see or edit project members.
To edit an existing role, click on the role name in the roles overview table. Make your changes and save the update by clicking on the Save button at the bottom of the overview page.
To delete an existing role, click on the delete icon next to a role in the list.
[!IMPORTANT] Roles that are assigned to a user cannot be deleted.