Secured Access to Native App Commands

Access can be granted to:

• The [All] user to make the command public
• A list of persons
• A list of roles (a role can represent a set of credentials, collaboration space, organization, or role)

Secured native app commands are deployed at build-time and runtime.

At build time:

• Check access everywhere needed in the native app
• Define the native app commands in the start-up data

At runtime:

• At installation: run start-up data MQL scripts
• Administration: modify native app command access

Secured commands do not grant access to [All]. The table below lists the roles granted access to each secured command. You can customize the access for your business requirements. If an upgrade adds new secured commands, you should customize them for your business requirements.

To determine if a user has access to a command, the app checks these access rights, in this order:

1. Is access granted to public ([all])?
2. Is the user a system administrator?
3. Is access granted to the specific person?
4. Is access granted to one of the person's credentials or a role, project, or organization of one of the person's sets of credentials?

If the user meets any of these criteria, the user can access that command. If the user does not have access to a command, this message displays:

You are not allowed to do this operation. Contact your administrator.

Access propagation along role/collaborative space/organization hierarchies is not supported. For example, if a user is assigned the credentials DESIGNER.MYCOMPANY.STANDARD and the DESIGNER role is a child of the BASIC DESIGNER role, that user has access to a native app command if access is granted to any of these:

• The specific user
• DESIGNER.MYCOMPANY.STANDARD credentials
• DESIGNER role
• MYCOMPANY organization
• STANDARD collaborative space

However, if access is granted to the BASIC DESIGNER role, then the access is not inherited to the DESIGNER role. This concept also applies to the collaborative space and organization hierarchies.

You can use the MQL modify command to customize command accesses. You must restart the application server after modifying commands.

For example, to remove access from all and add access to the DESIGNER.MYCOMPANY.ENGINEERING credentials, you can execute these MQL commands:

set context user creator;
modify command vplm::EXPORT
remove user all
add user DESIGNER.MYCOMPANY.ENGINEERING;

The keyword user in the modify command refers to the end-user. For more information, see MQL Command Reference: command Command.

Secured commands remove Public (all users) access from the commands and add the specific roles listed in the table. To define additional security for these commands, you can follow the procedures above to remove roles, or add roles, such as roles that include a specific organization or complete credentials.

For reference, you can use this MQL command to list all secured commands (the vplm:: commands are not supported for baseline behavior):

list command vplm::*

Secured Command	Internal Roles Granted
AddSubstitute	VPLMAdmin
Administration	VPLMAdmin
CATIA_MechanicalDesign_MechanicalInterfaceAttributesDisplay	VPLMAdmin
CATIA_MechanicalDesign_MechanicalInterfaceTemplateCreation	VPLMAdmin
CATIA_MechanicalDesign_MechanicalInterfacesCompatibilityCheck	VPLMAdmin
CATIA_Standard_Management	VPLMAdmin
CoexistenceAdmin	VPLMAdmin
ComponentFamilyWorkbench	VPLMAdmin
DATABASEDETACH	VPLMAdmin
DELMSDInputOutputViewCmd	public
DisableChangeControl	VPLMAdmin
Duplicate	VPLMAdmin
DuplicateUsingDistantData	VPLMAdmin
EnableChangeControl	VPLMAdmin
ENOVIA_CollaborativeSpace_Create	VPLMAdmin
ENOVIA_CreateAsNew	VPLMAdmin,VPLMCreator
ENOVIA_Editability_SwitchToEdition	VPLMAdmin
ENOVIA_Editability_SwitchToReadOnly	VPLMAdmin
ENOVIA_ImportExport_Delegate	VPLMAdmin
ENOVIA_ImportExport_Revoke	VPLMAdmin
ENOVIA_Lifecycle_RestoreIteration	VPLMAdmin
ENOVIA_Ownership_ChangeCollabSpace	VPLMAdmin
ENOVIA_Ownership_ManageAccess	VPLMAdmin
ENOVIA_Reservation_Lock	VPLMAdmin
ENOVIA_Reservation_MassiveUnReserve	VPLMAdmin
ENOVIA_Reservation_Unlock	VPLMAdmin
ENOVIA_Save_LocalSave	VPLMAdmin
ENOVIA_Save_New	VPLMAdmin
ENOVIA_Save_NewMinorRevision	VPLMAdmin
ENOVIA_Save_NewRevision	VPLMAdmin
ENOVIA_ThumbnailBuilder	All
ENOVIA_Workoffline	VPLMAdmin,
ENOVIA_Workspace_Delete	VPLMAdmin
ENOVIA_Workspace_ExploreReferenceData	VPLMAdmin
ENOVIA_Workspace_PartialSynchronize	VPLMAdmin
ENOVIA_Workspace_Reserve	VPLMAdmin, VPLMCreator
ENOVIA_Workspace_ReserveExclusively	VPLMAdmin, VPLMCreator
ENOVIA_Workspace_ReserveLocally	VPLMAdmin, VPLMCreator
ENOVIA_Workspace_RetrieveImages	VPLMAdmin, VPLMCreator
ENOVIA_Workspace_Unreserve	VPLMAdmin, VPLMCreator
EXPORT Note: vplm::EXPORT is deployed in these user commands: 3DLive Export (for review) Export Briefcase, Export for Authoring Export Batch (export briefcase) Editor Export (igs, stp) Downward Compatibility Batch.	VPLMAdmin
Freeze3DPosition	VPLMAdmin
IMPORT Note: vplm::IMPORT is deployed in these user commands: Import file (igs, stp and multicad dxf, prt, asm, and so on) Import CATIA File (FBDI) Import 3DXML (briefcase import).	VPLMAdmin
KnowledgeAdvisorWorkbench	VPLMAdmin
KnowledgeApplicationAuthoringWorkbench	VPLMAdmin
KnowledgeExpertWorkbench	VPLMAdmin
KnowledgeFeatureDictionaryWorkbench	VPLMProjectLeader
NewEvolution	VPLMAdmin
NewVersionUsingDistantData	VPLMAdmin
PLMRuleAuthoringWorkbench	VPLMAdmin
PLMTemplateAuthoringWorkbench	VPLMAdmin
ProjectApplicability	VPLMAdmin
ProjectResourceManagementWorkbench	VPLMAdmin
RepairSiteOwnership	VPLMAdmin
SAVE	VPLMAdmin
Snapshot	VPLMAdmin
SynchronizeAndTransferToMatrix	VPLMAdmin
SynchronizeWithMatrix	VPLMAdmin
TransferOwnership	VPLMAdmin
TransferUser	VPLMAdmin
WorkspaceAttach	VPLMAdmin
WorkspaceDelivery	VPLMAdmin
WorkspaceDetach	VPLMAdmin
WorkspaceEditContentDefinition	VPLMAdmin
WorkspaceSynchronization	VPLMAdmin