If you have many users who work on different projects, the following general plan provides you with the ability to manage them so that individual users get the permissions they need but only see the projects and other resources that they need to interact with:
Create role-based access groups for the various activities people perform. For example, create Build Manager and Developer groups. Assign permissions to these groups as appropriate for their jobs. Build Managers might have most of the available permissions, while Developers might have only permissions related to executing jobs.
Create additional groups for each cross-functional team in your organization. You might have an IDE team, a PrinterDriver team, and others.
Set the Access properties of projects, servers, and other resources to team groups. All the projects that are relevant to the PrinterDriver team should have the PrinterDriver access group as their access properties.
When you add a user to the system, assign a user to all the appropriate access groups. All users must be assigned to at least one role group and at least one team group.
If you follow these guidelines, users see only the projects that are relevant to them, and have permissions appropriate to their roles in those projects. Also, you can easily change user permissions as their jobs within your organization change.