User roles & permissions

Full-function and read-only licenses

A full-function license permits the creation and modification of item records, approval of change forms, and the administration of collections in accordance with the role assigned to the user. A read-only license prevents the user from unlocking item windows, and therefore can't be used to create or edit items, add file attachments, or approve change forms. Viewing permissions are still regulated in accordance with the user's assigned role.

User accounts

Creating a person record (that is, a new member of the Persons collection) allows someone's name to appear on a PDXpert item or to receive an email notice.

A person can interact with the PDXpert client application only after an administrator has created a user account that combines:

  • An available full-function or read-only license; and
  • A Persons collection record (say, Nik Tesla); and
  • A named set of permissions as defined by a Roles collection member (like Analyst); and
  • An account or "log-in" name (ntesla); and
  • An optional account password (mypa$$w0rd).

A user account has two elements — an account (or "log-in") name and a password:

  • Account names can be any string of characters, such as some combination of the user's first and/or last names or employee number. An account user name is not case-sensitive.
  • Passwords are case-sensitive, and are managed by the account user. A temporary password is usually assigned when a log-in account is first created, and users are expected to change their passwords immediately. After the account is created, system administrators can never view a user's password; if a password is forgotten, a system administrator can only clear it or assign a new one.

For example, to add Nik Tesla as a change workflow observer, his Persons collection record must first be created. Although Nik may then receive observer emails, he would not be able to view the change unless he's also assigned a user account to open PDXpert.


PDXpert is installed with a standard set of security roles that permit users to access information appropriate for their responsibilities. Access can be further tailored on a per-role, and new user roles can be defined with their own set of permissions.


Administrators have the ability to create and delete user accounts, authorize group reviewers, manage collections, set system options and workflows, and make other changes to the system environment.

A role has administrator permissions when Collections/Rules: Manage is marked in the related member of the Roles collection.

An administrator can also modify selected item attributes if the role allows access to those items and the Administrator Override user preference is marked.


Analysts have overall responsibility for processing changes after they've been submitted. An analyst who's assigned to a change can edit fields, add and remove file attachments, modify any of the trustees' work, and route the change to the reviewing groups. Analysts who are not assigned to a change can process the workflow for any change form.

In addition to a system analyst, who can manage all item classes, there can be class-specific analysts:

  • Document analyst: This role is limited to act as trustee only for documents.
  • Part analyst: This role is limited to act as trustee only for parts.

Normal user

Normal users have free access to create new items, as well as create and edit change forms that can then be submitted for approval. If a normal user is an item trustee or an authorized reviewer, more permissions may be available.

  • Trustee: This is a self-assigned role; a trustee has certain rights to modify, release or delete items that the trustee has created.
  • Reviewer: A group's representative (assigned by an administrator) for examining and approving change forms and their associated items.


Guests can view any item for which they have appropriate permission, but cannot make any database additions, changes, or deletions. Guests do not have permissions to view collection members.

A guest role is defined by clearing all Create new and Manage checkboxes on the Roles collection member window.

Product Families

While roles define broad categories of access, the Product Families collection allows you to tailor access much more narrowly.

Product Team

Users identified on a Product Families collection member's Product Team tab have permissions to modify specific item attributes even after an item has been released.

Denied Access

You can exclude a person, group, or organization from viewing items belonging to a particular product family, even if a role generally permits the user to view, create, or manage items. You can override this exclusion by explicitly adding the user to the Product Team. For instance, you can exclude the entire marketing team from viewing a new product design by listing that group on the Denied Access tab, but then allow the project's marketing manager to work on the project by adding that user to the Product Team tab.

Group reviewers

Group reviewers represent their team's interest in the contents of a change form. One reviewer from each required group must approve a change form before it can be released; a single reviewer who disapproves the change prevents it from being released.

Obviously, to fully represent a group, a reviewer must have full access to the items affected by the change form. Therefore, reviewers typically will have broad permissions to view pending, released and canceled items, and must not be denied access by product family.


Learn More
Help Guide Contents [PDF]