Simplifying Permissions By Applying Group Permission To Different Slices Of Your PDM Vault
The basics of Enterprise PDM Folder Permissions are easy to learn.
“I’ll create a group so I don’t have to modify every user… gotta have Read file contents… Show working versions of files: check! Add permission, Check out permission, great! OK, onto State and Transition permissions…”
But in our haste to get that vault up and running, some of the more subtle permission-setting features can be overlooked, and these are the features that can keep a vault configuration uncluttered.
An Engineer By Any Other Name…
… smells, er, I mean works the same.
In general, Engineers have a certain consistent set of folder permission needs.
- They need to be able to add files to the vault
- They need to be able to edit (check out) files
- They need to be able to see files that are not released (Show working versions)
- Sometimes they need to be able to move files
- In some companies they need to be able to delete files (that are not yet protected via a state permission!)
- In some companies they might even be allowed to destroy files
These needs would justify the creation of a single Engineering group.
Now adding new Engineers is easy. Simply add new engineers to the engineering group.
Great for a demo, but in the real world, it’s rarely that simple.
Divvying Up The PDM Pie
While engineers typically all perform the same tasks, often it is not desirable to give all engineers access to all engineering documents. Just like a family dinner, allowing everyone to stick their fingers into every slice of the pie creates an uncontrolled mess.
Many companies choose to divide their vault into slices (subfolders) based on a trait like a particular sub-company, product line, or general document security requirement.
The intent is that different engineers (and other groups like approvers) care about [Read: “should have access to”] only a certain slice of the vault pie. A common configuration approach to address this need is to create several different Engineering groups.
While this is one possible solution, if the vault pie has a lot of slices, and more slices on the way, this solution can quickly get out of hand. Also, if you have the same need to split up your Approval and other basic groups, you’ve now just doubled your number of groups or worse. And if you need to reconfigure permissions for engineers in general, now you need to make that change in several groups.
But if your Engineers have the same foundational permission needs, there is another option that EPDM offers.
Exact Same Fork / Function – But Only In Your Assigned Slice
An often overlooked functionality of EPDM is the activation of group permissions in a specific folder on a user account level. We still define all the privileges at the group level, but we use the user account to define where to apply the group settings.
In our example, we have a company with four divisions inside the vault and both Engineers & Approvers to configure. All the Engineers do basically the same functions, as do all the Approvers. However, they need to be restricted to their slice (or slices) of the vault pie. To complicate matters even more, some folks are engineers in one division while also being approvers (but not engineers) in a different division.
Here’s the current staffing and their responsibilities:
Since Devin is both an Engineer in some divisions, and an Approver in another we’ll demonstrate user configuration with his account. We’ll start by setting up the overall Engineering and Approvers groups without concerning ourselves with specific folder access.
Here is our Engineering group:
We also configured the appropriate state & transition permissions. (Not shown.)
And here is our Approvers group:
We also configured the appropriate state permissions. (Not shown.) Now that the Engineers and Approvers groups are configured, let’s set up Devin’s account.
Devin is an Engineer in both Division 3 and Division 4. He’s not allowed to work on files in Divisions 1 & 2, so when we assign him to the Engineering group we need to be specific.
In the User configuration for Devin, select Groups in the left pane (1), and then click on Add… at the bottom of the dialogue (2), and then select the Engineers group (3) but don’t click on OK yet.
Note the additional details in the lower part of the Group Memberships dialog box. We are being told that we are currently adding Engineering membership to the folder CorporateVault. Since we don’t want to give Devin Engineering privileges to the entire vault, we’ll narrow down this assignment by clicking on the “…” button and selecting a different folder.
Click on OK and the listed folder membership will change to the subfolder.
Click on OK, and the system will show that Devin is now in the group Engineers, but only for the Division_03 folder.
We repeat the process to give him his Division 4 Engineering privileges and his Division 2 Approval privileges.
I’ve gone ahead and configured the rest of the staff in a similar manner.
The vault is divided into four divisions, and each division folder has three memo documents.
[NOTE: Since I’m using a shared view, users without access to certain slices of the pie might see those folders because the folders will be in the local cache. But they still will not have access to anything in those folders (as long as the cache is cleared.)]
If Abel, a Division 1 Engineer, enters the vault, he only has access to the Division 1 folder. Even if he can click on the folder for another division (because in my environment the folder is in local cache) he sees nothing.
As each user logs in, their differences in access are clearly evident, as shown below:
|User||Assigned Permissions||Vault View|
And just to be certain everything is working properly we’ll do a quick test. Daniel can modify documents in both Division 2 and Division 4.
Daniel can also transition the documents into the Pending Approval state. Devin has access to divisions 2, 3, and 4. However, he is only an Approver in Division 2, and is restricted to Engineering rights in divisions 3 and 4. Which means he can approve Daniel’s document in Division 2 (And it is the only Division 2 document he can see!)
But Devin cannot approve Daniel’s document in Division 4, because Devin is an Engineer in Division 4, not an Approver.
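The outcome of that test can be reproduced with a small model of folder-scoped group membership. This is an added Python sketch, not EPDM code or its API: the permission names are simplified stand-ins, `TempUser` and the folder names other than Division_03 are constructed, and inheritance to subfolders is an assumption.

```python
from pathlib import PurePosixPath

VAULT_ROOT = "CorporateVault"

# Privileges are defined once per group (names are simplified stand-ins).
GROUP_PERMISSIONS = {
    "Engineers": {"read", "show_working_versions", "add", "check_out"},
    "Approvers": {"read", "approve"},
}

# Each membership is (group, folder): the user account decides WHERE the
# group's privileges apply. Devin and Abel follow the post; paths are constructed.
MEMBERSHIPS = {
    "Devin": [
        ("Engineers", "CorporateVault/Division_03"),
        ("Engineers", "CorporateVault/Division_04"),
        ("Approvers", "CorporateVault/Division_02"),
    ],
    "Abel": [("Engineers", "CorporateVault/Division_01")],
    # Constructed misconfiguration: default folder left at the vault root.
    "TempUser": [("Engineers", "CorporateVault")],
}


def covers(scope, target):
    """True if target is the scope folder or lies beneath it (assumed inheritance)."""
    scope_p, target_p = PurePosixPath(scope), PurePosixPath(target)
    # Compare path components, not string prefixes, so Division_0 != Division_03.
    return target_p == scope_p or scope_p in target_p.parents


def effective_permissions(user, folder):
    perms = set()
    for group, scope in MEMBERSHIPS.get(user, []):
        if covers(scope, folder):
            perms |= GROUP_PERMISSIONS[group]
    return perms


def can(user, permission, folder):
    return permission in effective_permissions(user, folder)


def root_scoped_memberships():
    """Audit: memberships that were never narrowed from the vault root."""
    return sorted((u, g) for u, ms in MEMBERSHIPS.items() for g, s in ms if s == VAULT_ROOT)
```

The audit function is the check worth running after onboarding: any membership still scoped to the vault root grants the group's privileges in every slice.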
So if you have consistent user access needs, but different slices of the vault in which to allow such access, this permission allocation method is one way you can keep your group configurations easier to handle.