State security rules

States have two types of security: privilege and attribute. Both are used to establish the requirements for modifying specific attributes. Decide which types of security to set on each state.
Privilege security
Privilege security defines a list of attributes that are modifiable when the user has the required privilege. For example, for the in_review state, if the verifier privilege has synopsis and description listed as modifiable attributes and the user sam has the verifier privilege, Sam can modify those attributes when the CR is in the in_review state.
Attribute security
Attribute security defines a list of attributes that are modifiable when the value of the specified attribute matches the user ID (that is, resolver="tom"). The attribute should be one whose value is a user ID (that is, the attribute can have the Web Type CCM_USER).
If either attribute security or privilege security rules are satisfied, the corresponding set of attributes is modifiable. (That is, privilege security and attribute security rules are ORed to obtain the set of modifiable attributes.) You can even use attribute and privilege security together. For example, ensure that only the person who submitted the CR (submitter) can edit the problem_description and severity attributes while the CR is still in the entered state.

Feedback