Hi Nic,

Thanks for your quick reply. I've found that both projects are using 'Default software scheme'. Does that mean that they need to have different schemes first before I can make their permissions different?

Yes, you're absolutely right.  If you want different permissions for different projects, you'll need a new scheme to associate with the protected project(s)

You can do them from scratch, but I prefer copying an existing one and then tweaking it.  

Great, I've now copied the scheme and allocated the new scheme to my project. 

In the Browse Projects section, does the 'Application Access -Any logged in user' part make the Project role section useless in this case? Or are the both needed?

My thought is to remove the 'Any logged in user' part and create a Group with the people in that will need access? Is that the best way?

Again, spot on, almost. 

If you'd said "remove 'any logged in user' and let the desired users in some other way", it would be 100%. 

The "almost" is not because "add a group" is wrong, it's absolutely correct, but there is another option you might consider.

I default to using project roles instead of groups.  With a group, your administrators (either application or your directory admins) have to add and remove people from the groups.  If you use project roles, there's a bit more power than groups because you can get the project administrators to maintain the users - they can edit the users (and groups) in the various roles in the project.  You can also reuse the scheme for other projects that want to use different people.

Imagine you've got three sets of people, A, B and C, and several projects that they might be using.

If you do "Browse = group" in a permission scheme, then for each set of projects, you're going to need a different scheme, such that "Browse = group A", "Browse.= group B" and "Browse = group C", and on top of that, your system admins are going to have to maintain the groups.

If however, you have one scheme with "Browse = role: developer", then you can use the same one for all the projects, and your project admins can put groups A, B and C into the role for themselves, and/or name individuals.

Roles might well not be the right model for you, groups might be fine, but I wanted to show you that you have a bit more flexibility!

Thanks Nic for the detailed explanation, this really useful to know.

I think this is my final question now and then I'm sorted. Do the Roles spread across the projects or by creating 'user' does it create multiple roles with the same name, one for each individual project?  E.g. If I set 'Browse = role: user' in the permissions scheme that is used for Project A, B and C, can Group A get added to the role: user for Project A separately to the user role in Projects B and C, or is it the case that if I add Group A to the user role, then they would have access to all three projects?

Project roles exist universally across every project, but then contain only project-local users and groups

If you created a role of "Penguin wranglers" then you would see it in all your projects, but you could set up the projects like:

• Project ABC - Penguin wranglers: Alice, Bob, Chuck and group zookeepers
• Project DEF - Penguin wranglers: none
• Project GHI - Penguin wranglers: Bob and the group zookeepers

All the project memberships are independent, belonging to each individual project.

How do you add or remove people from a project role?
I cannot find anywhere to edit the role.

Thanks,

Gene

Go to Project -> People and remove them from there

Thank you!