
User access - Global Roles vs. Per Program Roles

To understand how our Roles structure works, it is important to remember that BigGantt and BigPicture operate in the Jira environment and therefore have two spheres of permissions to follow: Jira Permissions, which give users and groups access to Projects and the tasks within them, and Plugin Roles, which are assigned to users by our plugin. To learn more about Jira permissions please follow this link. Our plugin roles are structured as follows: Global Roles settings manage a User's overall access to our plugin, whereas per program Roles define, or rather 'fine-tune', a User's additional Roles per program. Please bear in mind that BigPicture roles do not affect or overwrite Jira roles in any way.

Global Roles - Permissions for everyone

Global settings can be found under the Jira ADMINISTRATION → Add-ons → Security menu.

The first step in explaining Roles is the default Global setting "Permissions for everyone". By default, "Permissions for everyone" is enabled. While it is ON, every logged-in user has the same (Administrative) level of permissions to all programs while working with the application, and the per program Roles are disabled. See the screenshots below.


Global Roles with "Permissions for everyone" switched ON



Program Configuration → Security Tab While "Permissions for everyone" is switched ON

This setting is useful with small projects or while evaluating our plugin. It is easier to test and learn how things work but a live environment may require more advanced access control.

Global Roles - Default Roles Switched ON

Once "Permissions for everyone" is not enough, it is time to start using Default Roles. While Global roles are switched ON there are more possibilities to control who has access to which programs. To best explain how Default Roles work on both levels, the general rule of thumb is: assign the lowest possible Global Role to users and then give Users higher Roles per program.


Global Role Assignment View


After clicking the "Assign roles" button, the program shows the "Global roles assignment" screen. Global Roles grant access to all plugin programs (except for private programs, as described below). Roles can be assigned to individual Users or to Groups. Depending on the Role chosen, the User or Group will have one of the following access permissions.


Admin (Understood as Global admin) - Main administrator, has all access.

Program admin - Has access to program configuration. Can configure, edit programs, edit program tasks and view programs.

Program creator - Can create programs, edit programs, edit tasks and view programs.

Program editor - Can edit program tasks.

Program user - Read only access to programs. Cannot edit anything. In this mode the user will see the "read only" icon next to the program name.


To have access to any program at all, a User must have at least the "Program User" Global Role assigned, or be a member of a group which has such a Role assigned. Please remember that it is not enough to assign only a per program role to a User/Group. In such a case the User/Group WILL NOT be able to access the program. A higher Global Role takes precedence.

Private programs "Visible only to me"

It is important to remember that if a program is created as private, i.e. "visible only to me", then only the creator, the (Global) Admin (not the Program Admin) and the Jira Administrator have access to such a program, unless a particular User or Group has been given a Role for that particular program.


Program Creation dialog Box with "visible only to me" or "Visible to


Per program Roles

Per program Roles settings are under the Program Configuration → Security menu.


Per program Roles



Similarly to Global roles, it is possible to assign one of the following Roles to users or groups (apart from the Global Admin, obviously). The difference is that they only apply to the currently edited program. The Roles are:


Program admin - Has access to program configuration. Can configure, create, edit programs, edit program tasks and view programs.

Program editor - Can edit program tasks.

Program user - Read only access to programs. Cannot edit anything. In this mode the user will see the "read only" icon next to the program name.
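
The access rules described above, written out as an added example (this is not SoftwarePlant's code). The role identifiers, user names and sample programs are constructed for illustration; the sketch assumes that a per program Role and a Global Role combine so that the higher grant wins, covers individual users only, and leaves out Jira Administrators, groups and the right to create programs.

```python
from dataclasses import dataclass, field

VIEW, EDIT_TASKS, EDIT_PROGRAM, CONFIGURE = "view", "edit_tasks", "edit_program", "configure"
ALL = frozenset({VIEW, EDIT_TASKS, EDIT_PROGRAM, CONFIGURE})

# Per-program capabilities of each role, transcribed from the role lists above.
# Assumption: every role that can edit can also view.
ROLE_CAPS = {
    "admin": ALL,
    "program_admin": ALL,
    "program_creator": frozenset({VIEW, EDIT_TASKS, EDIT_PROGRAM}),
    "program_editor": frozenset({VIEW, EDIT_TASKS}),
    "program_user": frozenset({VIEW}),
}

@dataclass
class Program:
    name: str
    creator: str
    private: bool = False                       # created as "visible only to me"
    roles: dict = field(default_factory=dict)   # user -> per program role

def effective_caps(user, program, global_roles, permissions_for_everyone=False):
    """Return the set of actions `user` may perform on `program`."""
    if permissions_for_everyone:
        return ALL                   # per program roles are disabled in this mode
    global_role = global_roles.get(user)
    if global_role is None:
        return frozenset()           # a per program role alone grants nothing
    program_role = program.roles.get(user)
    if (program.private and user != program.creator
            and global_role != "admin" and program_role is None):
        return frozenset()           # private program and no explicit grant
    caps = ROLE_CAPS[global_role]
    if program_role is not None:
        caps = caps | ROLE_CAPS[program_role]   # assumption: the higher grant wins
    return caps

def orphaned_grants(programs, global_roles):
    """Per program grants that have no effect because the user has no Global Role."""
    return sorted((p.name, u) for p in programs for u in p.roles if u not in global_roles)

# Constructed sample data
GLOBAL = {"alice": "admin", "bob": "program_user", "carol": "program_admin"}
PUBLIC = Program("Roadmap", creator="alice",
                 roles={"bob": "program_editor", "dave": "program_admin"})
PRIVATE = Program("Budget", creator="alice", private=True)
```

Running `orphaned_grants` over an exported role assignment is a quick way to find users who were given a per program Role but still cannot open the program.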


Frequently Asked Questions

Q: "If you choose “Permission for everyone” then everyone has access to all programs - nothing else you can do to grant/limit access because program security is totally disabled"

A: Yes, choosing this option grants the same (Administrative) level of permissions to all users who will be working with the application.


Q: "If you choose “Default roles”, and you grant access to some user/group then they will have access to all the programs, no matter how you configure specific program security. In other words, the global security decides permission for all the programs no matter how different the programs' security is."

A: No. If the Global Role for the User is set to 'Program user' then the user can only browse programs created as "Visible for everyone" and will see the read only icon under the program logo, but if the User also has the 'Program editor' Role assigned per program then the user will be able to edit the tasks and the 'read only' logo will not be displayed in that particular program.


Q: "If in global security I assign role “Program user” to user X, and in program A, I don’t assign any role to X, then X still has access to program A."

A: Yes, but only if the program is visible to everyone; otherwise, no.


Q: If in global security I don’t assign any access role to user X (or any group with X inside) then user X cannot access program A even if in program A security I give access to user X.

A: Yes, a user must be assigned at least the 'Program user' Role Globally to be able to use the plugin (see any programs).


Q: The program security is useless, because global security overrides everything program security does, and you can never manage program-specific security.

A: No. Global security Roles manage access to all programs and Program security Roles manage access per program - we can say they "fine tune" access for users. So if a user has the Global "Program user" Role and per program has the Admin Role, then the user will have the Admin Role in this particular program and the Program user Role in other programs.


Q: The Global security, it’s “global” and you cannot manage program-specific security. It means that there are only two security choices for a user: can access ALL 100% PROGRAMS or can access NO PROGRAM AT ALL.

A: No. The Global security settings manage overall access for Users and per program Roles manage additional roles for Users per program. It must be remembered that in order to manage per program Roles a User needs to have at least the lowest Global Role assigned.


Q: Is it correct to say that any User Role with more rights, such as Admin, will automatically include lower level access, or should a Program Editor typically also have to be added to the Program User role as well?

A: No. For example granting a user Program admin role does not give the user the right to add programs. Program creator can add programs.


Q: Global Admin has this view of programs in the Program Manager. The Program Admin on Add-On level should have the same view. Is this statement correct?

A: No. Programs created as “Visible only to me” will be visible for the Global Admin and will not be visible for the Add-On level Program Admin. Also, if any user who can create programs created a program with a Program lead who happens to be the Add-On level Program Admin, this Add-on level Program Admin will also see such a program. Obviously, being a program lead gives the user the Admin role for this particular program. To see other “visible only to me” programs, the Add-on level Program Admin needs to have at least the Program user role granted specifically for each of the programs.


Q: When I only add a user to the Global Program User role, and she is not added to any Program level roles in any of the programs, she still sees [Program Name], and still not the other programs.

A: This [Program Name] program was created as “visible to everyone”. Other programs were created as “visible only to me”. If the Global Program user does not have per program roles to programs that were created as “visible only to me” s/he will not be able to see them.


If you require any additional assistance with Security setup, please contact our Support Team as per instructions provided in this article: SoftwarePlant Support.
