Acunote has had role-based access control since the beginning, but so far it provided only two predefined roles - Admin and User. Many customers asked us to add a third role for Guest users with read-only access to the organization's data. Today I'm pleased to announce that the Guest role is ready and available to all our customers on any pricing plan, including the Free plan!
When implementing the Guest role, we put a lot of work into redesigning access control to guarantee security today and assure extensibility tomorrow.
A role in Acunote now defines a set of privileges for certain operations in the system. We implemented the white-list, "everything that is not allowed is forbidden" approach to security. This way we guarantee that a user can perform only those operations that are explicitly allowed by granting them a privilege.
The privilege that allows read-only access to projects and all data within projects is called "view projects, sprints and tasks". This is the only privilege granted to users with the new "Guest" role.
The "User" role grants privileges to create, update or delete sprints, tasks, tags, comments and attachments. The "Admin" role additionally grants the "update org" privilege to change organization settings. Privileges to create, update or delete users and repositories are also granted only by the "Admin" role.
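To illustrate the deny-by-default model described above, here is an added example (not Acunote's own code) of a white-list privilege check built from the role-to-privilege mapping in this post. The privilege identifiers and the `allowed?`/`authorize!` helper names are assumptions chosen for the illustration.

```ruby
# Added illustration of a white-list ("not allowed => forbidden") role check.
# Not Acunote's code; privilege identifiers are assumed names derived from the
# announcement: Guest = read-only, User = edit project data, Admin = User plus
# organization, user and repository management.

VIEW_PRIVS = %w[view_projects_sprints_tasks].freeze

USER_PRIVS = (VIEW_PRIVS +
  %w[sprint task tag comment attachment].flat_map { |obj|
    %W[create_#{obj} update_#{obj} delete_#{obj}]
  }).freeze

ADMIN_PRIVS = (USER_PRIVS + %w[update_org] +
  %w[user repository].flat_map { |obj|
    %W[create_#{obj} update_#{obj} delete_#{obj}]
  }).freeze

ROLE_PRIVILEGES = {
  'Guest' => VIEW_PRIVS,
  'User'  => USER_PRIVS,
  'Admin' => ADMIN_PRIVS,
}.freeze

class AccessDenied < StandardError; end

# True only when the role's white-list explicitly contains the privilege.
# An unknown role or an unknown privilege name (say, a typo in a controller)
# is simply absent from the list, so it is refused rather than allowed.
def allowed?(role, privilege)
  privs = ROLE_PRIVILEGES[role.to_s]
  return false if privs.nil?
  privs.include?(privilege.to_s)
end

# Guard for an action: fail loudly instead of silently continuing.
def authorize!(role, privilege)
  unless allowed?(role, privilege)
    raise AccessDenied, "role #{role.inspect} is not granted #{privilege}"
  end
  true
end
```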
You can review the privilege-to-role mapping in the administrative interface under "Edit Organization" => "Roles". As before, roles (now including "Guest") are assigned in the user management interface under "Edit Organization" => "Users".
We'd love to get your feedback on how well the Guest role works and how we can further improve role-based access control. We anticipate that you may wish to customize the predefined roles or create your own. This is surely coming in the future and will be announced separately.