Dividing the PDM Permission Pie

Simplifying Permissions By Applying Group Permission To Different Slices Of Your PDM Vault

The basics of Enterprise PDM Folder Permissions are easy to learn.

“I’ll create a group so I don’t have to modify every user… gotta have Read file contents… Show working versions of files-check! Add permission, Check out permission, great! OK, onto State and Transition permissions…”

But in our haste to get that vault up and running some of the more subtle permission setting features can be overlooked. Features that can keep a vault configuration uncluttered.

An Engineer By Any Other Name…

… smells, er, I mean works the same.

In general, Engineers have a certain consistent set of folder permission needs.

  • They need to be able to add files to the vault
  • The need to be able to edit (check out) files
  • They need to be able to see files that are not released (Show working versions)
  • Sometimes they need to be able to move files
  • In some companies they need to be able to delete files (that are not yet protected via a state permission!)
  • In some companies they might even be allowed to destroy files

Adding New Engineers Is Easy These needs would justify the creation of a single Engineering group.

Now adding new Engineers is easy. Simply add new engineers to the engineering group.

Great for a demo, but in the real world, it’s rarely that simple.

Divvying Up The PDM Pie

While engineers typically all perform the same tasks, often it is not desirable to give all engineers access to all engineering documents. Just like a family dinner, allowing everyone to stick their fingers into every slice of the pie creates an uncontrolled mess.

Many companies choose to divide their vault into slices (subfolders) based on a trait like a particular sub-company, product line, or general document security requirement.

Divvying Up The PDM Pie

Common configuration approach to address this need is to create several different Engineering groups.The intent is different engineers (and other groups like approvers) only care about [Read: “should have access to”] only a certain slice of the vault pie. A common configuration approach to address this need is to create several different Engineering groups.

While this is one possible solution, if the vault pie has a lot of slices, and more slices on the way, this solution can quickly get out of hand. Also, if you have the same need to split up your Approval and other basic groups, you’ve now just doubled your number of groups or worse. And if you need to reconfigure permissions for engineers in general, now you need to make that change in several groups.

But if your Engineers have the same foundational permission needs, there is another option that EPDM offers.

Exact Same Fork / Function – But Only In Your Assigned Slice

An often overlooked functionality of EPDM is the activation of group permissions in a specific folder on a user account level. We still define all the privileges at the group level, but we use the user account to define where to apply the group settings.

In our example, we have a company with four divisions inside the vault and both Engineers & Approvers to configure. All the Engineers do basically the same functions, as do all the Approvers. However, they need to be restricted to their slice (or slices) of the vault pie. To complicate matters even more, some folks are engineers in one division while also being approvers (but not engineers) in different division.

Here’s the current staffing and their responsibilities:

Engineers and Approvers Example

Since Devin is both an Engineer in some divisions, and an Approver in another we’ll demonstrate user configuration with his account. We’ll start by setting up the overall Engineering and Approvers groups without concerning ourselves with specific folder access.

Here is our Engineering group:

Engineering Group

We also configured the appropriate state & transition permissions. (Not shown.)

And here is our Approvers group:

Approvers Group

Approvers Group

We also configured the appropriate state permissions. (Not shown.) Now that the Engineers and an Approvers groups are configured, let’s set up Devin’s account.

Assigning Slices

Devin is an Engineer in both Division 3 and Division 4. He’s not allowed to work on files in Divisions 1 & 2, so when we assign him to the Engineering group we need to be specific.

In the User configuration for Devin, select Groups in the left pane (1), and then click on Add… at the bottom of the dialogue (2), and then select the Engineers group (3) but don’t click on OK yet.

PDM User Configuration

Note the additional details in the lower part of the Group Memberships dialog box. We are being told that we are currently adding Engineering membership to the folder CorporateVault. Since we don’t want to give Devin Engineering privileges to the entire vault, we’ll narrow down this assignment by clicking on the “…” button and selecting a different folder.

Selecting a Division Within The Vault

Click on OK and the listed folder membership will change to the subfolder.

Subfolder Selected

Click on OK, and the system will show that Devin is now in the group Engineers, but only for the Division_03 folder.


We repeat the process to give him is Division 4 Engineering privileges and his Division 2 Approval privileges.


I’ve gone ahead and configured the rest of the staff in a similar manner.

Accessing Slices

The vault is divided into four divisions, and each division folder has three memo documents.

Each vault is divided into four divisions, and each division folder has three memo documents

[NOTE: Since I’m using a shared view, users without access to certain slices of the pie might see those folders because the folders will be in the local cache. But they still will not have access to anything in those folders (as long as the cache is cleared.)]

If Abel, a Division 1 Engineer, enters the vault, he only has access to the Division 1 folder. Even if he can click on the folder for another division (because in my environment the folder is in local cache) he sees nothing.

Users can only see what they have permission to see.

As each user logs in, their differences in access are clearly evident, as shown below:

User Assigned Permissions Vault View


 Assigned Permissions Assigned Permissions


 Assigned Permissions  Assigned Permissions


Assigned Permissions  Assigned Permissions


 Assigned Permissions  Assigned Permissions


Assigned Permissions  Assigned Permissions

And just to be certain everything is working properly we’ll do a quick test. Daniel can modify documents in both Division 2 and Division 4.

Assigned Permissions

Daniel can also transition the documents into the Pending Approval state. Devin has access to divisions 2, 3, and 4. However, he is only an Approver in Division 2, and is restricted to Engineering rights in divisions 3 and 4. Which means he can approve Daniel’s document in Division 2 (And it is the only Division 2 document he can see!)

Assigned Permissions

But Devin cannot approve Daniels document in Division 4, because Devin is an Engineer in Division 4, not an approver.

Assigned Permissions

So if you have consistent user access needs, but difference slices of the vault in which to allow such access, this permission allocation method is one way you can keep your group configurations easier to handle.

Note: All DMFA characters are copyright Amber Williams per DMFA.
CAPINC was founded on one core principle: Provide the best solutions and services to assist our customers in designing and developing better products. CAPINC provides premier solutions and services in New England to assist our customers in accelerating their design and development process for better mechanical products. Our award winning technical support team is comprised of industry experts with hundreds of years of combined practical experience in mechanical design, design validation and analysis, product data management, and technical communication. We are the award winning 3D solutions partner offering SolidWorks software and training, and the entire Stratasys line of 3D printers and production systems. For more tech tips and blog tutorials check out CAPINC's blog and videos.