Document number: DOCU122152
Revision:

 

Basetype, Subtype and Workspace security

Overview

The following documentation provides guidelines for setting up base security. A sample company containing the user groups Employees, Customers, Suppliers and Public (anonymous internet users) is used for clarification.

 

Observe that administrative users running as AdminRead overrule all read security and get full read permission independent of the security settings described below. Administrative users running as AdminWrite overrule all read/write security and get full read/write permission independent of the security settings described below.

 

Basetype security

Security on basetypes may be set from the system menu (SYSTEM > SECURITY > Basetype security). The basetype security functions as an outer security layer: the security settings on a basetype overrule any other security settings on lower levels (Workspace, Subtype and object resources).

 

Each basetype like Action, Doc, Part and Device has the security columns TrustRead, TrustModify and TrustCreate:

TrustRead
    Specifies one or more user groups or individual users. Users contained in TrustRead have read permission to objects of this type.
    In addition, users with TrustRead permission for a type are permitted to review or approve objects of that type if they are listed as Reviewers or Approvers (assigned users are able to accept/reject a pending review/approval).

TrustModify
    Specifies one or more user groups or individual users. Users contained in TrustModify have modify permission to objects of this type. However, depending on the object type the user may also be required to be assigned as a resource to get modify permission to an object. For example, to be able to edit a document the user must be author of the document in addition to being included in TrustModify on type doc.

TrustCreate
    Specifies one or more user groups or individual users. Users contained in TrustCreate may create objects of this type. However, for basetypes using workspaces, like documents (doc type), the user must also be included in the workspace TrustCreate to be able to create a document on the workspace. For types using subtypes the user must also be included in the subtype TrustCreate to be able to create an object of the specific subtype.

 

The above security columns do not inherit from parameter DefaultTrustees: by default users have no access, so TrustRead, TrustModify and TrustCreate must be set explicitly on each basetype. Observe that to maximize performance the basetype security settings are cached for the duration of parameter CacheTime (default 10 minutes); click reset to enforce changes immediately.

 

In the sample company the builtin security group Everyone is set as TrustRead, TrustModify and TrustCreate for types like Action, Doc, Part and Device. However, for specific basetypes only authorized personnel are assigned as TrustModify and TrustCreate. For example, the Project type may be read by everyone (TrustRead) but only modified and created by authorized personnel (TrustModify and TrustCreate).

 

Detailed permissions on lower levels are set on Workspaces (TrustRead and TrustCreate), on Subtypes (TrustCreate), and on specific objects as resources (for example Author, Reviewer, Approver and CopyTo on documents).

 

Parameter DefaultTrustees

Parameter DefaultTrustees defines user group(s) that by default have permissions.

DefaultTrustees may contain one or more Active Directory user groups imported through parameter LdapUserGroups. Alternatively DefaultTrustees may be set to the builtin security group Everyone.

A Workspace which is confidential must specify Trustees; otherwise DefaultTrustees will be used as the Trustees of the Workspace.

In the sample company the user group Employees is used as DefaultTrustees, thus by default granting all employees permissions to workspaces, unless Trustees have been specified at workspace:

[Screenshot: parameter DefaultTrustees set to Employees in the sample company]

 

DefaultTrustees is typically all employees in the company, which is a subset of LdapUserGroups. LdapUserGroups must include all users using the system.

In addition to employees LdapUserGroups may include external users, for example customers and suppliers.

 

Workspace Trustees

Workspace Trustees specifies all user groups and individual users that are granted permissions to a Workspace. If no trustees have been specified then the workspace trustees inherit from parameter DefaultTrustees; the inheritance is indicated by the value being surrounded by the square bracket characters '[' and ']', as in: [employees]

 

The following is a view of the workspaces in the sample company. Employees have been granted permissions to most workspaces:

[Screenshot: workspace list of the sample company showing the Trustees column]

 

Object (item) resources

Users assigned as resources on objects (items) get permissions to the object even if the object resides in a confidential workspace. For documents the resource columns are Author, Reviewer, Approver and CopyTo. For actions the resource columns are Resource1 to Resource14, associated with the resources for each step in the action process, in addition to CopyTo.

A consultant could in this way be granted editing permissions to a document by an employee adding the consultant as author of the document. The consultant would then get permissions to the specific document but no access to other documents in the workspace.

 

Workspace TrustCreate

The TrustCreate column specifies user groups and individual users that are granted create permissions to a workspace, so that the user can create objects (for example documents) on the workspace. If no TrustCreate has been specified for the workspace then the value is inherited from the workspace Trustees column, and if no value has been specified for the Trustees column then the value is inherited from parameter DefaultTrustees.

A user does not need to be added to Trustees to have TrustCreate permissions. If a user appears in TrustCreate but not in Trustees, then the user will not have general access to the workspace content, but only to the content the user created or was assigned to as a resource.

 

Subtype TrustCreate

The Subtype (ItemType) TrustCreate column specifies user groups and individual users that are granted create permissions for a specific subtype. If no trustees have been specified then the subtype TrustCreate inherits from parameter DefaultTrustees.

In the sample company everyone is able to create actions of type FEATURE and PROBLEM, but only employees are able to create all subtypes:

[Screenshot: TrustCreate settings for the action subtypes in the sample company]
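The rules of the sections above (basetype columns as the outer layer, Workspace Trustees and TrustCreate with their inheritance from DefaultTrustees, Subtype TrustCreate, object resources, and the AdminRead/AdminWrite overrides) combine into one permission decision. The following is an added example, not the product's own code: a small Python resolver that models those rules over a constructed sample company. All class, attribute and group names (User, Security, "Management", "Customers", the Support workspace) are assumptions chosen for the illustration; the Everyone group, the column names and the inheritance order follow the text.

```python
# Permission resolver for the layered model described above (basetype, workspace,
# subtype, object resources). Added example with constructed data; class and
# attribute names are assumptions, not the product's own API.
from dataclasses import dataclass, field
from typing import Optional

EVERYONE = "Everyone"                           # builtin group: matches every user, anonymous too
ADMIN_READ, ADMIN_WRITE = "AdminRead", "AdminWrite"

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    admin_mode: Optional[str] = None            # None, ADMIN_READ or ADMIN_WRITE

def is_trustee(user: User, trustees: set) -> bool:
    # trustee lists hold group names or individual user names
    return EVERYONE in trustees or user.name in trustees or bool(user.groups & trustees)

@dataclass
class Basetype:                                 # outer layer; columns do NOT inherit DefaultTrustees
    name: str
    trust_read: set = field(default_factory=set)
    trust_modify: set = field(default_factory=set)
    trust_create: set = field(default_factory=set)
    modify_role: Optional[str] = None           # resource role also needed to modify (Author for doc)
    uses_workspaces: bool = False
    uses_subtypes: bool = False

@dataclass
class Workspace:
    name: str
    trustees: set = field(default_factory=set)      # empty -> inherits DefaultTrustees
    trust_create: set = field(default_factory=set)  # empty -> inherits Trustees

@dataclass
class Subtype:
    name: str
    trust_create: set = field(default_factory=set)  # empty -> inherits DefaultTrustees

@dataclass
class Item:
    basetype: Basetype
    workspace: Optional[Workspace] = None
    subtype: Optional[Subtype] = None
    creator: str = ""
    resources: dict = field(default_factory=dict)   # role -> set of user names

@dataclass
class Security:
    default_trustees: set                           # parameter DefaultTrustees

    def workspace_trustees(self, ws):
        return ws.trustees or self.default_trustees  # displayed as [employees] when inherited
    def workspace_trust_create(self, ws):
        return ws.trust_create or self.workspace_trustees(ws)
    def subtype_trust_create(self, st):
        return st.trust_create or self.default_trustees

    def can_read(self, user, item):
        if user.admin_mode in (ADMIN_READ, ADMIN_WRITE):
            return True
        if not is_trustee(user, item.basetype.trust_read):   # basetype denies: nothing below helps
            return False
        if item.workspace is None or is_trustee(user, self.workspace_trustees(item.workspace)):
            return True
        # not a workspace trustee: only items the user created or is assigned to as a resource
        return user.name == item.creator or any(user.name in r for r in item.resources.values())

    def can_modify(self, user, item):
        if user.admin_mode == ADMIN_WRITE:                  # AdminRead grants no write
            return True
        if not is_trustee(user, item.basetype.trust_modify):
            return False
        role = item.basetype.modify_role
        return role is None or user.name in item.resources.get(role, set())

    def can_create(self, user, bt, ws=None, st=None):
        if user.admin_mode == ADMIN_WRITE:
            return True
        if not is_trustee(user, bt.trust_create):
            return False
        if bt.uses_workspaces and not (ws and is_trustee(user, self.workspace_trust_create(ws))):
            return False
        return not bt.uses_subtypes or bool(st and is_trustee(user, self.subtype_trust_create(st)))

    def can_review_or_approve(self, user, item):
        listed = item.resources.get("Reviewer", set()) | item.resources.get("Approver", set())
        return user.name in listed and is_trustee(user, item.basetype.trust_read)

def sample_company():
    # constructed sample company: every group, workspace and item here is made up
    sec = Security(default_trustees={"Employees"})
    doc = Basetype("Doc", {EVERYONE}, {EVERYONE}, {EVERYONE}, modify_role="Author", uses_workspaces=True)
    action = Basetype("Action", {EVERYONE}, {EVERYONE}, {EVERYONE}, uses_workspaces=True, uses_subtypes=True)
    general = Workspace("General")                            # inherits [employees]
    board = Workspace("Board", trustees={"Management"})       # confidential workspace
    support = Workspace("Support", trust_create={EVERYONE})   # externals may create but not browse
    feature, change = Subtype("FEATURE", {EVERYONE}), Subtype("CHANGE")   # CHANGE inherits Employees
    users = {"alice": User("alice", {"Employees"}),
             "carol": User("carol", {"Employees", "Management"}),
             "bob": User("bob", {"Customers"}),               # external user, not in DefaultTrustees
             "anon": User("anon"),                            # Public (anonymous) user
             "audit": User("audit", admin_mode=ADMIN_READ)}
    items = {"memo": Item(doc, general, creator="alice", resources={"Author": {"alice"}}),
             "board_doc": Item(doc, board, creator="carol",
                               resources={"Author": {"carol"}, "Reviewer": {"bob"}}),
             "bob_ticket": Item(action, support, feature, creator="bob"),
             "alice_ticket": Item(action, support, feature, creator="alice")}
    return sec, users, items, {"action": action, "support": support, "feature": feature, "change": change}
```

Running can_read, can_modify and can_create against the sample shows the layering: bob (a customer) cannot read alice's memo in the General workspace, yet he can read the document in the confidential Board workspace where he is listed as Reviewer, and may review it; he can create a FEATURE action on the Support workspace but not a CHANGE action, and afterwards sees only the action he created. The AdminRead user reads everything but still cannot modify a document it is not author of.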

 

