Roles and permissions in Hipchat Data Center
Hipchat Data Center lets you manage your Hipchat team and users. Hipchat offers the following roles:
- delegated administrator
...and two special, non-role roles:
- room administrator
In addition to the Hipchat application roles, people who can access the operating system (the administrative user on VMWare deployments, or an AWS user with Console/SSH access) can use the command line interface to perform server maintenance tasks, like upgrading the deployment, changing the SSL certs, and resetting the owner.
Principle of max privilege
The roles in Hipchat are structured on the principle of maximum privilege.
- The Owner can modify anyone.
- Administrators and delegated administrators can modify anyone who is at the same level or below themselves.
- Users are unable to modify anyone.
- Nobody can modify someone in a higher permissions level, and nobody can grant privileges beyond what they themselves have.
Hipchat offers these roles to support your IT access security needs, letting you assign certain permissions to certain users. The roles below are listed from the highest level of permissions (owner) to the lowest level of permissions (user).
A Hipchat team has a single Owner, which is usually the person who set up the team. Think of the Owner as the account holder responsible for billing. While the Owner account has chat and admin capability, we strongly encourage you to create a personal account for chatting, and use the Owner account for team management only. The Owner is the only account that can transfer the owner role to another user.
There can be only one owner for a Hipchat team, so be sure to transfer ownership if your team's current owner is leaving your Hipchat team.
People with the administrator role can use the Hipchat apps to chat, and also have access to the team and server administration features in Hipchat. They can administer Hipchat in the following ways:
- Add and delete users
- Change peoples' roles (for example, from user to admin or delegated admin)
- Force a user to reset their password on next login
- Set up external authentication integration
- Require new users to have an email address from a specific domain
- Perform team admin tasks
- Enable and disable features (only allow Admins to create rooms, disable file uploads, etc.)
- Add, remove, or override emoticons
- Create APIv1 tokens
Note: They can't change the Hipchat Data Center team's name or owner.
- Perform server admin tasks, such as configuring the network connection
- View the history of messages and files shared for all rooms (both open and private)
- Manage all rooms, such as delete a message with a file, change the room administrator, or allow or disallow delegated administration of rooms)
You might have IT policies that restrict who can have administrator privileges, but what if you still need help managing rooms and users? A delegated administrator provides a role with a limited set of administrator privileges.
The delegated administrator can manage some users and rooms. Delegated administrators can manage in the following ways:
- Manage other delegated administrators and users
- Add and delete other delegated administrators and users
- Change peoples’ roles, for example, from user to delegated administrator
- Edit users’ details, such as @mention names or email addresses
- If enabled by an administrator, as a default for all rooms or on a per-room override basis:
- Manage rooms, such as delete a message with a file, or change the room administrator
- View the history of messages and files shared for all rooms (both open and private rooms)
By default, people with the user role can do the following:
- Download, install, and use the Hipchat apps
- Chat in any of the team's public rooms
- Be invited to, and chat in private rooms
- Read and send messages
- Download files
- Search the history of all open rooms and any private rooms they are members of
- Create an API v2 personal token
- Manage how they receive notifications
Normal users can also do the following, unless an administrator has disabled these features:
- Participate in private 1-1 chats
- Invite other users to join the team
- Create new chat rooms
- Update their own user profile
- Delete their own messages
- Chat over video
The owner, administrators, and delegated administrators can assign roles to people. They can only assign roles that are at the same level or lower than their roles. For example, a delegated administrator can assign the delegated administrator and user roles to people.
- Log in to Hipchat in your browser, go to User management.
- Find the person you want to assign a role to.
- In the Role menu, choose the role for the person you selected.
Delegating room administration
By default, delegated administrators can manage all rooms. Owners and administrators can change this default for all rooms or specific rooms.
To change whether delegated administrators can manage all rooms, go to the Hipchat admin web UI and click Settings.
To change whether delegated administrators can manage specific rooms, do the following:
- Go to the Hipchat admin web UI and click Rooms.
- Locate the room you want to change and click its name.
- Click the Permissions tab and change the setting.
Editing profile information
By default, users can edit their own profile information, such as name and email.
However, users can't edit their own profile if:
- a Hipchat administrator has disabled the ability for users to edit their own profile information in the team's Settings, or
- Hipchat is connected to and synchronizing with an external LDAP directory.
Other roles in Hipchat
Hipchat also has room administrator and guest roles.These roles are different from the others, in that administrators can't assign them to people, and they don't appear in the Roles menu. The following sections explain how people become room administrators and guests.
People become room administrators in two ways:
- They create a room in Hipchat
- A room administrator assigns them as room administrators
Rooms can have multiple room administrators. They can manage a room in the following ways:
- Rename the room
- Delete the room
- Archive or unarchive the room
- Set the room to private or public
- Enable a guest access URL (unless this has been disabled by an administrator)
- Invite or remove users (if the room is private)
- Assign other users as room administrators of that room
- Install, configure, or remove room-specific integrations (unless this has been disabled by an administrator)
Room administrators are unable to modify anyone in Hipchat, but they can assign other people as room administrators of their rooms (including private rooms).
- Log in to Hipchat in your browser.
- Go to Rooms > My Rooms.
- Choose the room > Permissions.
- Click Edit next to Room admins.
You can turn on guest access on a per-room basis.
In the Hipchat web app, a guest can read and send messages in rooms to which they have been invited.
Guests are unable to modify anyone in Hipchat.