This article covers the full range of trunk and branch permissions possible. It is intended to complement the article here which explains high level concepts and processes around branching: in practice it is typical that there needs to be greater control around the branching workflow than that implied by that article and the article below explains how to set the permissions to match your particular requirements.
Quick set up
Here are two quick basic set ups, both of which allow the user to change the content of the branch; one to allow the user to push changes back to the trunk, and one where they cannot.
Push back possible
Tag the trunk with : -
edit:role
and tag the branch with
edit:role
Push back not possible
Tag the trunk with : -
branch:role
view:role
and tag the branch with
edit:role
Detail
The branch tag applied to the trunk gives permission to perform branch actions on a node. By tagging the trunk with:
branch:role
you are saying that that role has the ability to work in a branch on that dataset, however, in addition, access to these branches has to be given explicitly.
The full set of possible combinations is shown here : -
To use this chart, determine what access you want the user to have to both the trunk and the branch (top row for the trunk and left column for the branch), then read off from the intersection what tags to apply to the trunk and the branch.
For example, if you want the user to be able to update the branch, but not see the trunk, select 'Hidden' in the top row and 'Update' in the left column. The tags to apply are therefore : -
Trunk tag : -
branch:role
Branch tag, any one of
view:role
or
update:role
or
edit:role
NOTE: If a user has created a branch they automatically have edit rights to that branch, there is no need for a tag to enable a user to access their own branch. (Though this doesn't give them edit rights to the trunk.)
Branch: syntax and meaning
In terms of a general approach to branching, if a dataset is tagged
branch:role
then the nodes inside any branches derived from the trunk can be edited (including delete) by any individual who is assigned 'role' in the Users dataset.
As a simplified case study, consider the hrbp role in the tags below:
The branch: tag is important on the Trunk in addition to the view: tag.
In the image above, the "update" tag is needed to extend permissions on the Trunk to the Branch.
Commentary
Note that the user must also be given explicit permission to view the branch over and above the trunk, otherwise they will not be able to see it on their screen.
Although it is implied that the branch: tag could also be thought of as meaning "able to edit in branch" only loosely can we say this as:
- branch: on a trunk does not give access to branches without view
- the ability to change the name of the branch comes from edit: on the branch
- properties belong to the trunk, no matter the permissions on the branch
- the ability to push back is defined by the permissions on the trunk i.e. view: on trunk will not give push
Note that it is not possible to provide differing permissions to branches associated with the same trunk. To put that another way, it is not possible to set tagging up so that User A can update Branch A but only view Branch B.
Comments