alan-turing-institute / data-classification-app

Classification webapp for the Turing Data Safe Haven
MIT License

Make Programme Manager project permissions consistent #253

Closed steven-cd closed 4 years ago

steven-cd commented 4 years ago

The permissions that programme (and system) managers get on individual projects have always been a bit inconsistent. Now that the project_admin role has been removed, we're in a position to try to address this, but there are a few options.

I think there are some principles that most people would agree with:

Beyond that, I think there are three options that are vaguely sensible:

(Currently, none of these are what's in place - all of them cause some of our tests to fail, although giving them all permissions probably requires fewest test changes)

cc'ing @tomdoel @bw-faststream @jemrobinson for discussion

steven-cd commented 4 years ago

My opinion is that programme managers should not have the same permissions as project managers, because then what's the point of actually having a project manager role? I think it could encourage programme managers to set up the projects themselves without actually assigning a project manager, but it has the important distinction that none of the other participants on the project will be able to see who is co-ordinating the project (since the programme manager will not be listed as a participant).

If the programme manager actually needs to take action on the project, they would still be able to assign themselves as a project manager (which is how I interpret what's written in the paper ("They assign Project Managers and can, if they wish, take on this role themselves")). I think it therefore makes sense to give programme managers all the read-only permissions, but not the ability to create datasets etc.

bw-faststream commented 4 years ago

That makes sense in principle - in practice, it's important that programme managers are able to take on the role of project manager with relative ease, as (at least early on) it's likely to be programme managers that set up the first few projects on the system.

If programme managers can set themselves up as project managers, however, this should solve the problem and keep the distinction clear between the two roles. My vote is for read-only permissions. [Can there be more than one project manager per project?]

steven-cd commented 4 years ago

> [Can there be more than one project manager per project?]

Yes, there's no limit on the number of project managers (or on any of the roles actually).

jemrobinson commented 4 years ago

I vote for Programme Managers not having permissions on a project as long as we can have multiple Project Managers on a project (and Programme Managers can therefore add themselves when needed).

tomdoel commented 4 years ago

Noting @jamespjh's comments from #117.

All. Programme manager powers are a superset of those of the Project manager.

Project manager has powers with respect to their own projects, but they have all people-assignment powers for those projects.

Programme manager has all people assignment powers with respect to all projects.

tomdoel commented 4 years ago

Personally, I would side more on the opinion of Programme Managers having Project Manager rights. My understanding is that Programme Managers are trusted facilitators at the Turing who help coordinate and manage projects. As such I think we have to trust them to act appropriately without going over the head of Project Managers. While I understand the point of having clear roles regarding managing projects (which is not so clear when a Programme Manager is performing actions), I think that in practice Programme Managers will be asked to help frequently and I think it would be confusing to make them have to add themselves to a project in order to perform administration tasks. I think of this like the GitHub model where projects can have individual owners but group administrators get inherited permissions.

tomdoel commented 4 years ago

However, given this is easy to change later if necessary, I'm happy to go with the consensus. I would still recommend Programme Managers having at least read-only permissions. And I would say Programme Managers should be able to add any user to a project, because we don't want to assume a Project Manager will always have access to the system userlist (see also issue #148). Probably @bw-faststream should make the final decision as the user representative.

bw-faststream commented 4 years ago

I'll defer to the consensus of Programme Managers having Project Manager rights - for the most part, programme managers will want to be helping project managers get set up and running on their projects - so it will make things easier to give them full access rights. As you say, @tomdoel, programme managers should be a select number of trusted parties, so there's rarely a situation where that would be an issue. For now let's give them full project manager access.