User CategoriesThe shared accesses defined by user categories can be to certain types of business objects as defined in policies or other administrative objects, such as specific attributes, forms, relationships, or programs as defined in rules. When you create a group or role, you assign specific users to the category. When you create an association, you assign groups and roles to the association. A user can belong to any number of groups, roles, and associations. If many users need access to a type of business object, consider creating a user category to represent the set of users. You can include the user category in policy or rule definitions to define access. For example, suppose you create a user category, such as a group, and assign 25 users to the group. Then you assign the group to a state in the policy and grant the group full access. All 25 users within that group will have full access to objects governed by the policy. This table lists the user categories that can be defined.
Groups, roles, and associations can be used in these ways to identify a set of users:
There are just a few differences between the three categories:
Answer these questions to determine who should be in which group:
For example, suppose that a company is manufacturing a new product called product ABC. Depending on where the project is in its lifecycle, different people will work on the project, require access for different tasks, or use information related to it:
Group HierarchyYou can define a hierarchy of groups so that access privileges available to a higher group (parent group) are available to all of the groups below it (subgroups or child groups). In this example, the Field Service group is the parent of the Field
Support, Technical Documentation Services, and In-House Customer Support
groups. The Technical Documentation Services group is also a parent of the
Documentation and Training groups.
Role HierarchyRoles can also be hierarchical. In this example, the Assembly Manager
role is the parent of the Apprentices and Master Assembler roles. The Master
Assembler parent of the Component Assembler and Subassembly Assembler roles.
A child group or role can have more than one parent. Child groups and roles with more than on parent inherit privileges from each of the parents. Baseline Roles and Product Structure Design PoliciesPrior to the V6R2013 release, the baseline roles VPLMViewer, VPLMCreator, and VPLMProjectLeader roles were not hierarchically structured, even though the associated access rights were cumulative. In other words, the VPLMCreator role had the same access rights as the VPLMViewer role, plus some more, and the VPLMProjectLeader role had the same access rights as the VPLMCreator role (and thus VPLMView), plus some more. This resulted in a significant redundancy in policy and rule access definitions, as can be seen in the following example: policy "VPLM_SMB" state "IN_WORK" user "VPLMViewer" read,show,checkout filter "(organization.ancestor match context.user.assignment[$CHECKEDUSTER].org) && (project == context.user.assignment[$CHECKEDUSER.project" user "VPLMCreator" read,show,create,delete,modify,promote,demote,grant,revoke, changename,changeowner,changetype,checkin,checkout,lock, unlock,fromconnect,fromdisconnect,toconnect,todisconnect filter "(organization.ancestor match context.user.assignment[$CHECKEDUSER].org) && (project == context.user.assignment[$CHECKEDUSER].project)" user "VPLMProjectLeader" read,show,create,delete,modify,promote,demote,grant,revoke, changename,changeowner,changetype,checkin,checkout,lock, unlock,fromconnect,fromdisconnect,toconnect,todisconnect filter "(organization.ancestor match context.user.assignment[$CHECKEDUSER].org) && (project == context.user.assignment[$CHECKEDUSER].project)" In V6R2013 release, these roles were reorganized hierarchically to leverage the native inheritance role mechanism of the 3DEXPERIENCE Platform so only those accesses that are specific to each role need to be specified: policy "VPLM_SMB" state "IN_WORK" user "VPLMViewer" read,show,checkout filter "(organization.ancestor match context.user.assignment[$CHECKEDUSTER].org) && (project == context.user.assignment[$CHECKEDUSER.project" user "VPLMCreator" delete,modify,promote,demote,grant,revoke,changename, changeowner,changetype,checkin,checkout,lock,unlock, fromconnect,fromdisconnect,toconnect,todisconnect filter "(organization.ancestor match context.user.assignment[$CHECKEDUSER].org) && (project == context.user.assignment[$CHECKEDUSER].project)" The
|