German CA PPM User Group - DACH

  • 1.  Resource Management

    Posted May 15, 2019 09:22 AM

    Dear community,

     

    We are currently facing the following problem described below. Does anyone else have the same issue? How are you handling this topic?

     

    TOPIC in a Nutshell: 

    Roles:

    Team Lead (TL) A

    Project Lead (PL) B

    Team (T) A

    Project Team (PT) B

     

    Situation: 

    PL B selects resources from TA via allocation

    TL A needs to make hard allocations in order to confirm allocations

    TL A can only do so when he is also given the same access rights as the PL B, which is definitely undesired.

    TL A should only have the authorization to make the hard allocation of his resources in TA in a project he isn’t running / leading. Nothing else, no changes to the allocations, no further insights into the team, etc.

     

    Problem 1: TL A can then not only make hard allocations, but by default also change allocations and even delete resources.

    Problem 2: By default, TL A can then also see other resources, as he was given PL rights, which is a GDPR problem (no need to know, hence breach of GDPR).

     

    Solution: 

    Authorization concept should not contain the right to change anything in someone else’s project. TL always has only the right to make a hard booking and no one else (except admin or resource managers). 

    The system is so fragile in its handling that by coincidence it may be possible to change allocations, let alone the right to view other department’s resources and their booking should be deleted.

     

    Thanks and all the best,

    Guido