Permissions

FogBugz allows you to set up permissions (access control) so that only certain users can see or modify certain cases. Before you can start assigning permissions, you need to create a client or department.

Typically, you will use FogBugz access control for two purposes:

FogBugz will give a particular user permission to access all the cases associated with a particular client or department. This means that before you can start assigning permissions, you need to create a client or department.

Example One: A Consulting Firm

Beverage Gurus Inc. has three clients: Coca Cola, Pepsi, and Tastes Like Tar Cola ("TLT"). Each internal consultant is only allowed to see cases for the client they are working on. Personnel from the client companies are sometimes given accounts on FogBugz. Of course, they can only see cases related to their own projects.

Beverage Gurus does not want their Coca Cola clients to be aware that Pepsi is also a client of Beverage Gurus. Sneaky gurus!

Whenever FogBugz shows a dropdown list of users, it will not include everyone. It will only list users that you might encounter because you share permission to access some client. For example, consultants Alice and Bob are working on the Coca Cola account only, while Mike is working on the Pepsi account only. Normally, Alice and Bob will see each other in the user dropdown, but they'll never see Mike's name in a dropdown list or in a case. So if you make an account for the president of Pepsi in your FogBugz database, this name won't show up in dropdown lists when a Coca Cola client logs on, which would otherwise lead to suspicion, recriminations, lawsuits, and eventually a trip to Camp Cupcake.

But... and this is an important but... if you set up any clients which are visible to all users, this protection is lost. For example, if Beverage Gurus has a fourth client, the local Petting Zoo, and thinks, "Heck, the Petting Zoo doesn't have anything confidential, we might as well let everyone in there," they run the risk that a Coke executive and a Pepsi executive will run into each other's names in the user dropdown list, since they share access to the Petting Zoo, and flip out. In summary, if you need to isolate users from one another, you can't have any clients that everyone can access.

Example Two: A Large Company

In a very large company with lots of departments or teams, where each department may work on several projects, it's helpful to divide up the projects according to department, even when there's no security reason to do so. This makes it easy to run filters so that the team management can look at all the cases across an entire department. And if you ever need to set up a secret internal project, you can do so.

Types of Access

When you create a Client or Department, you assign one of the following types of access to each user in FogBugz. This determines, in turn, the access (or lack thereof) that the given user will have to all Projects assigned to the Client or Department you are creating.

  1. None - The user does not have permission to see or modify cases, or to create new cases.
  2. Read - The user can read cases, but can't modify them in any way, and can't create new cases.
  3. Modify - The user can create, read, and modify cases.

When you are editing a client or department in FogBugz, you have three choices:

  1. You can give everyone access to the client or department. This is the default.
  2. You can give everyone Read access to the client or department, and customize who has Modify access.
  3. You can customize access on a per-user basis, deciding individually whether each user has None, Read, or Modify access.

If you choose option #1 or #2 for any client or department, you will not be able to completely, hermetically segregate groups of users from each other, because they can meet each other in that client or department.
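
The following added example (not FogBugz code) models the visibility rule described above, that two users can see each other when they share access to at least one client, and reports which pairs that must stay isolated can meet and through which client. The mode names, user names and data are constructed for illustration, administrators are not modelled, and option #1 is assumed to grant Modify.

```python
# Added example: model of the visibility rule described on this page, not FogBugz code.
from itertools import combinations

NONE, READ, MODIFY = "None", "Read", "Modify"

def effective_access(client, user):
    """Resolve one user's access under the three editing choices."""
    if client["mode"] == "everyone":        # choice 1 (assumed here to mean Modify)
        return MODIFY
    if client["mode"] == "everyone_read":   # choice 2: Read for all, custom Modify
        return MODIFY if user in client.get("modify", ()) else READ
    return client.get("users", {}).get(user, NONE)   # choice 3: per-user

def visible_pairs(clients, users):
    """Map each pair of users who can meet to the clients they share."""
    shared = {}
    for name, client in clients.items():
        members = sorted(u for u in users if effective_access(client, u) != NONE)
        for pair in combinations(members, 2):
            shared.setdefault(pair, []).append(name)
    return shared

def isolation_leaks(clients, users, must_not_meet):
    """Return {pair: [shared clients]} for pairs that must stay isolated."""
    shared = visible_pairs(clients, users)
    wanted = [tuple(sorted(p)) for p in must_not_meet]
    return {p: shared[p] for p in wanted if p in shared}

# Constructed sample data based on the Beverage Gurus scenario.
USERS = ["alice", "bob", "mike", "coke_exec", "pepsi_exec"]
CLIENTS = {
    "Coca Cola": {"mode": "custom",
                  "users": {"alice": MODIFY, "bob": MODIFY, "coke_exec": READ}},
    "Pepsi": {"mode": "custom", "users": {"mike": MODIFY, "pepsi_exec": READ}},
}
MUST_NOT_MEET = [("coke_exec", "pepsi_exec"), ("alice", "mike")]

if __name__ == "__main__":
    print("per-user only:", isolation_leaks(CLIENTS, USERS, MUST_NOT_MEET))
    for mode in ("everyone", "everyone_read"):
        leaky = {**CLIENTS, "Petting Zoo": {"mode": mode}}
        print(mode, "->", isolation_leaks(leaky, USERS, MUST_NOT_MEET))
```

With only per-user clients the result is empty; adding a Petting Zoo client under option #1 or #2 makes both protected pairs visible to each other.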

Anyone who is configured as a FogBugz administrator will always have permission to read, write, and modify any case, anywhere.

Note that if all you want is for people to be able to submit cases, and be able to view the current status of only the cases they have submitted, this can be achieved by having them send an email to a FogBugz mailbox, or submit to a Project that you have marked as allowing public submissions.

Setting Up Permissions

Setting up permissions is done in four steps:

  1. On the Site screen, set the Log On Method to "Type email address and password."
  2. Create the appropriate clients or departments.
  3. Edit the clients or departments to assign user permissions appropriately.
  4. Assign each project to the appropriate client or department.