Security Roles Migration

Contents: 1 Introduction 2 Inheritance of Roles 3 Box Types - Security Role Template 4 Box Types - Inheritance Mode 5 Role Migration

Contents: 1 Introduction 2 Inheritance of Roles 3 Box Types - Security Role Template 4 Box Types - Inheritance Mode 5 Role Migration

Introduction

Former security roles were migrated. As a result, some users could be granted permissions to Boxes formerly marked as "private."

In BigPicture 8, the distinction between private and public Boxes doesn't exist. Those settings have been retired and replaced with new security role management options that give you more flexibility.
There is no possibility of a person accidentally accessing or editing items they shouldn't (based on their Jira permissions). A user can't use the App to see anything they can't see in the connected tool (such as Jira) - those items will be greyed out. If Jira permissions don't allow a user to see or edit an issue, they won't be able to do it using the App. If a user has access only to half the issues in a Box, the other half will be marked as "No access."

Inheritance of Roles

In BigPicture 8, roles are always inherited from upper-level Boxes. Therefore, security roles granted in the Home (root) Box apply to all sub-Boxes in the hierarchy (all sub-Boxes and their children nested under the Home Box). For example, if someone is a Box Admin of the Home (root) Box, they automatically have the same permissions in all sub-Boxes through the hierarchy.

When you create sub-Boxes, the following roles are inherited:

Box Admin
Box Editor
Box Viewer

The sub-Box Creator role is not inherited.

Roles inherited from upper-level Boxes are not listed in Box Configuration > Security and must be modified in upper-level Boxes. Only roles assigned directly to a particular Box are listed.

Box Types - Security Role Template

In BigPicture 8, we introduced Box types. A Box type is akin to a template; it allows you to define various default Box settings, including security roles.

In Box Type settings, you can create a security role template (grant users various roles). Then, each time you create a new Box of that type, the roles are copied from the template into your new Box. A Box Admin can later manage those users in Box Configuration.

Box Types - Inheritance Mode

Each Box can have one of two available Inheritance modes when it comes to security roles:

Own with inherited (roles inherited from upper-level Boxes + user roles added directly to the Box).
Inherited only (user roles can't be added directly to the Box - the security tab is hidden. The Box type of the parent Box doesn't matter, the roles are still inherited).
Example: Program Increments below inherit roles from their direct parent (OMEGA), the Portfolio Box, and the Home (root) Box. Home and Portfolio are greyed out because the logged-in user does not have access to them (they were not assigned any roles in those Boxes). ALFA is a same-level box as OMEGA. It is not a parent of OMEGA, so roles from ALFA are not inherited by Program Increments nested under OMEGA.
Changing the Inheritance mode of a Box type impacts all Boxes of a given type (both existing and newly created). Changing the mode from "Own with inherited" to "Inherited only" overrides the setup of an individual Box - if a Box had a unique role assignment, it would be replaced with the setup of the upper-level Box. Reverting to "Own with inherited" restores the previously assigned roles. In the "Inherited only" mode, the Security tab of an individual Box is hidden (you can't access it in Box configuration).

Creating a new Box makes you its Admin (if the Inheritance mode allows it).

You can't create a Box you won't be able to configure and delete later.

Role Migration

In the table below, you can find an explanation of role migration from BigPicture 7 to BigPicture 8.

In general, you can find information on security in BigPicture 8 on the following pages:

Box Types - this page contains information on configuring the default Security settings that work as a template when you create new Boxes and the Inheritance mode.
Global Roles - this page explains App Administration settings and how access to the App is granted to, for example, Jira users.
Box configuration - this page explains what roles are available within the App and how to change them for an individual Box.
Technical Configuration of the App - this page provides information on how to activate/deactivate the use of roles within the App.
Security (Overview module) - this page explains the impact of setting up security Roles for the Home (root) Box and lists available roles.

BigPicture 7	BigPicture 8	Comment

BigPicture 7	BigPicture 8	Comment
App Admin (Global Role)	App Admin	With this security role, you have administrative access to every Box, Gadget, and to the Business Administration. As an App Admin, you can see all the created Boxes and access configuration areas.
Global User	App User Box Viewer (in all public Programs) Box Viewer in Security template of a "Program" Box type	A role still exists in BigPicture 8, but the access has changed: a Global Viewer gets access to the App itself (sees it in the header - the user can access the App and their user profile in the App drop-down at the top) but can't automatically access any Boxes. Migration: Users are added as Viewers to all public Boxes. Users are added as Viewers to the security role template for a "Program" Box type - this means that every time a new Box is created using the "Program" type, a user is granted Viewer access to the new Box. Global Role - users are added as Users of the App (Administration > Security). Changing/deleting access options: You can remove the user from the Security section in Box Configuration in each Box. Remove the user from the "Program" Box type by modifying the template in the Security Section. Then, a user will not be added to every newly created Box.
Global Editor	App User Box Editor in Home (root) Box	The Global Editor role doesn't exist in BigPicture 8. Migration: Users are added as Box Editors to the Home (root) Box - this makes them Editors of all Boxes (including previously private Programs). Global Role: Users are added as Users of the App (Administration > Security), which grants them access to the App itself. Changing/deleting access options: Inherited roles are not listed in sub-Boxes - this means that if you don't want a user to have Editor access to all Boxes, you have to remove them from the Home (root) Box. You can't selectively remove their Editor access from each Box - they must be removed from the Box Configuration of the Home (root) Box and granted new access to Boxes.
Global Program Creator	App User Box Viewer in all public Programs Box Viewer in Security template of a "Program" Box type sub-Box Creator in Home (root) Box	The Global Program Creator role doesn't exist in BigPicture 8. Migration: Users are added as Box Viewers in previously public Programs. Users are added as sub-Box creators to the Home (root) Box, so they can add new Boxes under Home (root). The sub-Boxes do not inherit this role. Users are added to the Security Role template of the "Program" Box type. Global Role: Users are added as App Users (Administration > Security), which grants them access to the App itself. Changing/deleting access options: The Sub-Box Creator role is not inherited. This role doesn't grant users Box access of any kind—it just lets them create sub-Boxes. If you don’t want a user to create new Boxes under the Home (root) Box, remove them from Box Configuration > Security of the Home Box. Remove users (Viewers) from individual Boxes (Box Configuration > Security)—users have been added as Viewers to all previously public Programs. If you don't want the users to automatically be added as Viewers in newly created Boxes of a "Program" type, go to App Administration > Program and remove them from the security role template of that Box type.
Global Program Admin	App User Box Admin in Home (root) Box	Global Program Admin role doesn't exist in BigPicture 8. Migration: Users became Home (root) Box Admins, which gives them Admin permissions in all Boxes (including previously private Programs). Since roles are always inherited from upper-level Boxes, they are effectively Admins in all Boxes under the Home (root) Box. They can edit/delete all Boxes (including previously private ones. They can create new Boxes. Global Role: Users are added as Users of the App (Administration > Security), which grants them access to the App itself. Changing/deleting access options: Inherited roles are not listed in sub-Boxes - this means that if you don't want a user to have Admin access to all Boxes, you have to remove them from the Home (root) Box. You can't selectively remove their Admin access from each Box.
Program Admin	App User Box Admin	Becomes a Box admin: Users are added as Box Admins to Programs where they were a Program Admin Global Role - users are added as Users of the App (Administration > Security) - this grants them access to the App itself.
Program Editor	App User Box Editor	Becomes a Box editor: Users are added as Box Editors to Programs where they were Program Editors Global Role - users are added as Users of the App (Administration > Security) - this grants them access to the App itself.
Program User	App User Box Viewer	Becomes a Box Viewer: Users are added as Box Viewers to Programs where they were Program Users Global Role - users are added as Users of the App (Administration > Security) - this grants them access to the App itself.
Program Lead	A Box Lead role doesn't grant users any permissions	Becomes a Box Admin: Users are added as Box Admins to Programs where they were a Program Lead. They still are listed as a Box Lead, but this doesn't grant them any permissions. In the future, if you want the Box leads to have special access, you need to add them to a Box with an appropriate role (Box Configuration > Security).