Access Control & Governance Roles
In an enterprise environment, the integrity of resource data—such as labor rates, availability, and staffing commitments—is paramount. MSP Planner utilizes a sophisticated Role-Based Access Control (RBAC) system that separates the "Demand" (Project Management) from the "Supply" (Team Management).
This separation of concerns ensures that no single user can unilaterally commit resources without the approval of the respective resource owner, preventing "shadow staffing" and unauthorized over-allocation.
The Governance Architecture: Global vs. Scoped Roles
MSP Planner distinguishes between users who govern the entire system and those who manage specific operational boundaries.
1. Global Governance (Admin Roles)
Global roles provide a "helicopter view" of the entire organization, ensuring that standards are consistent across all teams and projects.
- Instance Admin: The ultimate authority. Inherits the "Administer Jira" permission. This role is responsible for the overarching system configuration and the appointment of delegated administrators.
- Delegated App Admin: Designed for HR Directors or Resource Officers. These users manage the organizational structure, define team boundaries, and maintain global calendars without needing full Jira Site Administration rights.
2. Scoped Operational Roles (Manager Roles)
Scoped roles are designed for day-to-day delivery. Their authority is limited to the specific "boundary" they manage.
- Team Manager (The Supply Side): Authority is scoped to specific Teams. They are the guardians of their team's capacity and the only ones authorized to assign resources to requests.
- Project Manager (The Demand Side): Authority is scoped to specific Jira Projects. They define the staffing needs and validate the proposed assignments.
Role Responsibility Matrix
To ensure a seamless workflow, the system enforces a strict "Check and Balance" mechanism.
| Role | Primary Objective | Key Authority | Governance Constraint |
|---|---|---|---|
| App Admin | System Integrity | Org Structure & Global Config | Cannot arbitrarily change project commitments |
| Team Manager | Capacity Health | Resource Assignment & Rates | Cannot create project-level demand |
| Project Manager | Delivery Success | Demand Definition & Acceptance | Cannot force a resource assignment |
| Viewer | Transparency | Own Timesheet Visibility | No modification rights |
Detailed Capability Mapping
The following matrix defines the operational boundaries for each role. Note: Users who hold multiple roles (e.g., a Team Lead who is also a Project Manager) receive the union of these permissions.
| Capability | Admin | Team Manager (Scoped) | Project Manager (Scoped) | Viewer |
|---|---|---|---|---|
| Define Org Structure (Teams/RBS) | ✅ | ❌ | ❌ | ❌ |
| Manage Resource Rates & Calendars | ✅ | ✅ (Managed Teams) | ❌ | ❌ |
| Create Resource Requests | ✅ | ✅ (For Managed Teams) | ✅ (For Managed Projects) | ❌ |
| Assign Resources to Requests | ✅ | ✅ (Managed Teams) | ❌ | ❌ |
| Accept/Reject Staffing Proposals | ✅ | ❌ | ✅ (Managed Projects) | ❌ |
| View Timesheets (Team Perspective) | ✅ All | ✅ Managed Teams | ❌ | ❌ |
| View Timesheets (Project Perspective) | ✅ All | ❌ | ✅ Managed Projects | ❌ |
| Access Configuration Tab | ✅ | ❌ | ❌ | ❌ |
Practitioner's Perspective: Implementing the "Separation of Concerns"
From a governance standpoint, the most critical aspect of the RBAC system is the preventative nature of the workflow.
In many organizations, Project Managers "claim" resources through informal agreements, leading to conflicting priorities and burnout. By enforcing the Team Manager -> Project Manager hand-off:
- Capacity is Protected: No resource can be assigned to a project without the Team Manager's explicit consent.
- Commitments are Validated: No Project Manager can assume a resource is available until the Team Manager proposes the assignment.
- Auditability is Guaranteed: Every assignment is linked to a specific actor and a specific timestamp, removing ambiguity during project retrospectives.
Integrating with Jira Permissions
To ensure a seamless experience, MSP Planner synchronizes with your existing Jira permission scheme:
- Project Manager Role: Automatically derived from the Project Lead or Administer Projects permission in Jira. This ensures that as you change project leadership in Jira, the staffing authority in MSP Planner updates instantly.
- Admin Roles: Leverage Jira's global permissions to ensure that only trusted site administrators can appoint delegated app admins.
Summary Table: Role Assignment
| Role | Assignment Method | Typical User |
|---|---|---|
| Instance Admin | Jira Global Permission | Jira Site Admin |
| App Admin | Configuration -> Users & Roles | HR / Resource Director |
| Team Manager | Team Management -> Team Lead | Functional Manager / Lead |
| Project Manager | Jira Project Lead / Admin | Delivery Lead / PM |
| Viewer | Default | Team Member / Stakeholder |