Assigning user roles in projects and frameworks
Assign roles to grant individual users and user groups access to projects and frameworks.
Before you start
| To... | You must... | Detailed information |
|---|---|---|
| grant individual users access to projects and frameworks | add users to Launchpad and assign each user the appropriate subscription | |
| grant user groups access to projects and frameworks | create groups in Launchpad | Adding and managing groups |
How it works
You can grant individual users and user groups access to projects and frameworks. Multiple users and user groups can be added as collaborators on a project or framework.
By default, new users and user groups are not assigned access to any projects or frameworks. Professional Managers must assign users and user groups the specific user types they require before they can work with projects and frameworks.
Note
To prevent accidentally locking yourself out of your own project or framework, you cannot change your own user type or remove yourself as a collaborator.
Default roles
- Individual user type When a user is added individually to a project or framework, they are assigned by default the user type with the least available access based on a combination of their subscription and Diligent One system-wide user type (Launchpad user type).
- Group user type When a user group is added to a project or framework, the group is assigned by default the user type with the least available access based on the lowest subscription assigned to a user in the group.
Default individual role based on subscription and Diligent One system-wide user type (Launchpad user type)
| Subscription | Launchpad user type | Default individual role |
|---|---|---|
| Professional | System Admin | Professional Manager
Note These users are automatically added to all existing projects and frameworks as part of the Professional System Admins group. You cannot update or delete this group because users in this group are implicitly granted the Project Admin privilege. |
| User | Professional User
Note If the user is granted the Project Admin privilege, their default role is Professional Manager. |
|
| Oversight | System Admin | Oversight Reviewer |
| User | ||
| Contributor | System Admin | Contributor User |
| User | ||
| None | System Admin | No access |
| User |
Default group role based on subscription with the least access
Example scenarios
| Total members in group | Group member subscription | Default group role |
|---|---|---|
| 10 |
10 Professional |
Professional User |
| 15 |
|
Oversight Reviewer |
| 20 |
|
Contributor User |
Effective roles are determined by individual and group roles
Access permissions are additive depending on a user's individual and group roles. If a user is added to a project or framework as an individual and as a member of one or more user groups, or as a member of multiple groups, the user can access everything that each separate role provides them access to. In practice, this level of access often matches the user's role with the highest level of access; this is called the user's effective role. Additionally, if a user is assigned as the owner of part of the project (e.g., an objective), they may have an even higher level of access to that item than their role(s) would otherwise allow.
Note
Users that do not have a valid subscription for their selected role cannot access projects or frameworks. Individual access must be equal to or higher than assigned group access.
Example scenarios
Scenario 1
You add Simon to a project as both an individual user and as a member of a user group:
| Assigned roles | Effective role |
|---|---|
|
Simon is granted Professional Manager role access to the project because his individual access is highest. |
Scenario 2
You add Simon to a project as a member of two user groups:
| Assigned roles | Effective role |
|---|---|
|
Simon is granted Professional Manager role access to the project because his access in Group A is highest. |
Scenario 3
You add Simon to a project as both an individual user and as a member of two user groups:
| Assigned roles | Effective role |
|---|---|
|
Simon is granted Oversight Executive role access to the project because his individual and Group A access is highest. |
Scenario 4
You don't add Simon to a project individually, but you do add him to a user group that has access to the project:
| Assigned roles | Effective role |
|---|---|
|
Simon is granted Contributor User access to the project because his Group A access is highest. |
Scenario 5
You add Simon to a project as an individual, to a user group that also has access to the project, and also assign him as the owner of an objective within the project:
| Assigned roles | Effective role |
|---|---|
|
Simon has Oversight Executive access to the project because his Group A access is higher than his individual access. He also has read and write access to Objective A because he owns it, whereas other Oversight Executives just have read-only access to it. |
Best practices
Add user groups and assign group roles
Adding groups and assigning group roles is the best way to control access to projects and frameworks, and enforce the principle of least privilege. Groups provide an efficient way to provision multiple users access to projects and frameworks simultaneously.
Add users as individuals and assign them roles
If a certain group member requires higher access to a project or framework, add them as an individual and assign them a higher role. Similarly, if a user does not belong to any groups, but requires access to a project or framework, add them as an individual and assign them a role.
Permissions
Only Professional Managers can add and remove collaborators and update individual and group roles. All other users can view which users and groups have access to projects and frameworks, and the level of access granted to each user and / or group.
Check a user's effective role in a project
Professional Managers can check each user's individual and effective role in each project, and change users' individual roles.
-
From the Launchpad home page (www.highbond.com), select the Projects app to open it.
If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Projects app.
The Projects home page opens.
- Under System administration, click Manage users.
The InstanceName Users page opens.
- Click the name of the user whose permissions you want to see.
The User Details & Access Rights page opens for that user.
- At the bottom of the page, in the table, view the user's permissions for each project.
- In the Individual Access column, view or change the user's individual role for the project.
In the Effective role (read only) column, view the role with the highest level of access between the user's individual and group roles.
Note
This column only shows permissions on a project level. It does not show permissions a user may have due to being assigned as the owner to an item within the project.
Assign roles in a project
Assign individual users and groups a role in a project.
-
From the Launchpad home page (www.highbond.com), select the Projects app to open it.
If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Projects app.
The Projects home page opens.
- Open a project.
The project dashboard opens.
- Under Project Overview > Collaborators, click Add.
The first four users are listed alphabetically under Collaborators. A unique count of users added individually and as part of a group to the project also displays.
Note
If multiple collaborators exist, the button says Manage.
The Share projectName side panel opens. The groups and individuals lists are paginated, with 50 groups and individuals displayed per page. Groups and individuals assigned the role None do not display in the side panel.
- Optional. Search for a group or an individual to see if they already have access to the project.
You can search for groups by name and individuals by name or email.
- Click Add Collaborators.
- Search for a group or an individual that requires access to the project.
You can search for groups by name and individuals by name or email.
- Select the appropriate groups and individual users, and click Close when you are finished.
Tip
If you are a Launchpad System Admin or group owner, you can click the # members link beside the appropriate group to open and manage the group in Launchpad.
- Assign a role to each group and individual user, and click Save.
For more information, see Projects app permissions.
Result The specified groups and individual users are granted access to the project. Groups and individual users are sorted by role from highest to lowest and then by alphabetical name.
Manage access to a project
Add more collaborators, change the access level of a user or group, or remove a user or group from the project.
-
From the Launchpad home page (www.highbond.com), select the Projects app to open it.
If you are already in Diligent One, you can use the left-hand navigation menu to switch to the Projects app.
The Projects home page opens.
- Open a project.
The project dashboard opens.
- Under Project Overview > Collaborators, click Manage.
The first four users are listed alphabetically under Collaborators. A unique count of users added individually and as part of a group to the project also displays.
Note
If only one collaborator exists, the button says Add.
The Share projectName side panel opens. The groups and individuals lists are paginated, with 50 groups and individuals displayed per page. Groups and individuals assigned the role None do not display in the side panel.
- Complete any of the following actions and click Save:
Action Steps View collaborators that already have access to the project Search for a group or an individual to see if they already have access to the project.
You can search for groups by name and individuals by name or email.
Add more collaborators - Click Add Collaborators.
- Search for a group or an individual that requires access to the project.
You can search for groups by name and individuals by name or email.
- Select the appropriate groups and individual users, and click Close when you are finished.
- Assign a role to each group and individual user.
Change the access level of the user or group Select the appropriate role next to the user or group. Remove a user or group from the project - In the list, find the user or group.
- Click the
.
Assign roles in framework
Assign individual users and groups a role in a framework.
- Open the Frameworks app.
The Frameworks home page opens.
- Click Go To beside the appropriate framework.
The framework dashboard opens.
- Under Framework Overview > Collaborators, click Add.
The first four users are listed alphabetically under Collaborators. A unique count of users added individually and as part of a group to the framework also displays.
Note
If multiple collaborators exist, the button says Manage.
The Share frameworkName side panel opens. The groups and individuals lists are paginated, with 50 groups and individuals displayed per page. Groups and individuals assigned the role None do not display in the side panel.
- Optional. Search for a group or an individual to see if they already have access to the framework.
You can search for groups by name and individuals by name or email.
- Click Add Collaborators.
- Search for a group or an individual that requires access to the framework.
You can search for groups by name and individuals by name or email.
- Select the appropriate groups and individual users, and click Close when you are finished.
Tip
If you are a Launchpad System Admin or group owner, you can click the # members link beside the appropriate group to open and manage the group in Launchpad.
- Assign a role to each group and individual user, and click Save.
For more information, see Projects app permissions.
Result The specified groups and individual users are granted access to the framework. Groups and individual users are sorted by role from highest to lowest and then by alphabetical name.
Manage access to a framework
Add more collaborators, change the access level of a user or group, or remove a user or group from the framework.
- Open the Frameworks app.
The Frameworks home page opens.
- Click Go To beside the appropriate framework.
The framework dashboard opens.
- Under Framework Overview > Collaborators, click Manage.
The first four users are listed alphabetically under Collaborators. A unique count of users added individually and as part of a group to the framework also displays.
Note
If only one collaborator exists, the button says Add.
The Share frameworkName side panel opens. The groups and individuals lists are paginated, with 50 groups and individuals displayed per page. Groups and individuals assigned the role None do not display in the side panel.
- Complete any of the following actions and click Save:
Action Steps View collaborators that already have access to the framework Search for a group or an individual to see if they already have access to the framework.
You can search for groups by name and individuals by name or email.
Add more collaborators - Click Add Collaborators.
- Search for a group or an individual that requires access to the framework.
You can search for groups by name and individuals by name or email.
- Select the appropriate groups and individual users, and click Close when you are finished.
- Assign a role to each group and individual user.
Change the access level of the user or group Select the appropriate role next to the user or group. Remove a user or group from the framework - In the list, find the user or group.
- Click the .
