User roles & permissions

Full-function and read-only licenses

A full-function license permits the creation and modification of item records, approval of change forms, and the administration of collections in accordance with the role assigned to the user. A read-only license prevents the user from unlocking item windows, and therefore can't be used to create or edit items, add file attachments, or approve change forms. Viewing permissions are still regulated in accordance with the user's assigned role.

User accounts

Creating a person record (that is, a new member of the Persons collection) allows someone's name to appear on a PDXpert item or to receive an email notice.

A person can interact with the PDXpert client application only after an administrator has created a user account that combines:

  • An available full-function or read-only license; and
  • A Persons collection record (say, Nik Tesla); and
  • A named set of permissions as defined by a Roles collection member (like Analyst); and
  • An account or "log-in" name (ntesla); and
  • An optional account password (mypa$$w0rd).

A user account has two elements — an account (or "log-in") name and a password:

  • Account names can be any string of characters, such as some combination of the user's first and/or last names or employee number. An account user name is not case-sensitive.
  • Passwords are case-sensitive, and are managed by the account user. A temporary password is usually assigned when a log-in account is first created, and users are expected to change their passwords immediately. After the account is created, system administrators can never view a user's password; if a password is forgotten, a system administrator can only clear it or assign a new one.

For example, to add Nik Tesla as a change workflow observer, his Persons collection record must first be created. Although Nik may then receive observer emails, he would not be able to view the change unless he's also assigned a user account to open PDXpert.

Roles

PDXpert is installed with a standard set of security roles that permit users to access information appropriate for their responsibilities. Access can be further tailored on a per-role basis, and new user roles can be defined with their own set of permissions.

Administrator

Administrators have the ability to create and delete user accounts, authorize group reviewers, manage collections, set system options and workflows, and make other changes to the system environment.

A role has administrator permissions when Collections/Rules: Manage is marked in the related member of the Roles collection.

An administrator can also modify selected item attributes if the role allows access to those items and the Administrator Override user preference is marked.

Analyst

Analysts have overall responsibility for processing changes after they've been submitted. An analyst who's assigned to a change can edit fields, add and remove file attachments, modify any of the trustees' work, and route the change to the reviewing groups. Analysts who are not assigned to a change can process the workflow for any change form.

In addition to a system analyst, who can manage all item classes, there can be class-specific analysts:

  • Document analyst: This role is limited to act as trustee only for documents.
  • Part analyst: This role is limited to act as trustee only for parts.

Normal user

Normal users have free access to create new items, as well as create and edit change forms that can then be submitted for approval. If a normal user is an item trustee or an authorized reviewer, more permissions may be available.

  • Trustee: This is a self-assigned role; a trustee has certain rights to modify, release or delete items that the trustee has created.
  • Reviewer: A group's representative (assigned by an administrator) for examining and approving change forms and their associated items.

Guest

Guests can view any item for which they have appropriate permission, but cannot make any database additions, changes, or deletions. Guests do not have permissions to view collection members.

A guest role is defined by clearing all Create new and Manage checkboxes on the Roles collection member window.

Product Families

While roles define broad categories of access, the Product Families collection allows you to tailor access much more narrowly.

Product Team

Users identified on a Product Families collection member's Product Team tab have permissions to modify specific item attributes even after an item has been released.

Denied Access

You can exclude a person, group, or organization from viewing items belonging to a particular product family, even if a role generally permits the user to view, create, or manage items. You can override this exclusion by explicitly adding the user to the Product Team. For instance, you can exclude the entire marketing team from viewing a new product design by listing that group on the Denied Access tab, but then allow the project's marketing manager to work on the project by adding that user to the Product Team tab.

Group reviewers

Group reviewers represent their team's interest in the contents of a change form. One reviewer from each required group must approve a change form before it can be released; a single reviewer who disapproves the change prevents it from being released.

Obviously, to fully represent a group, a reviewer must have full access to the items affected by the change form. Therefore, reviewers typically will have broad permissions to view pending, released and canceled items, and must not be denied access by product family.

File access permissions

Access summary

To summarize user file access rights:

  • Any user may contribute a revision file before the item is processed for release, allowing the trustee to accept files from most other users.
  • An item file or external link is managed by the trustee and members of the product team.

As noted above, system, document and part analysts have trustee permissions for the related items.

File users

In the descriptions that follow, access permissions vary by type of user:

  • The file manager is the user named as the item's trustee (the item trustee), or the user who added the file (the file trustee).
  • Analysts are users who have been assigned a role with Is an analyst permission.
  • The product team are users listed on Product Family's Product Team list, as described above.
  • Other users are all users who are not excluded by the Product Family's Denied list.

Revision file access permissions

Add

If user is not a read-only account.

  • When iteration is not attached to a change or is attached to an Originated change
    • Item trustee
    • Analysts
    • Other users
  • When iteration is attached to a Submitted change
    • Analysts

Set permissions

If user is not a read-only account.

  • When iteration is not attached to a change or is attached to an Originated change
    • File manager
    • Analysts
  • When iteration is attached to a Submitted change
    • Analysts

Check-out/delete

If user is not a read-only account.

  • When iteration is not attached to a change or is attached to an Originated change
    • File manager
    • Analysts
    • Product team (if file access settings allow – see Note below)
    • Other users (if file access settings allow)
  • When iteration is attached to a Submitted change
    • Analysts

View/copy

  • File manager
  • Analysts
  • Product team (if file access settings allow)
  • Other users (if file access settings allow)
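
The revision-file rules above, written out as a decision function. This is an added Python sketch, not PDXpert code, and every name in it is hypothetical. It assumes Product Team membership overrides the Denied list (as the Denied Access section describes) and treats any change state other than Submitted as the "not attached or Originated" case.

```python
from dataclasses import dataclass
# Added illustration of the revision-file rules; not PDXpert code.
# Every class, field and function name here is hypothetical.
@dataclass
class User:
    read_only: bool = False        # holds a read-only license
    is_analyst: bool = False       # role has "Is an analyst"
    is_item_trustee: bool = False
    is_file_trustee: bool = False  # the user who added the file
    on_product_team: bool = False
    on_denied_list: bool = False

@dataclass
class FileSettings:                # per-file access settings
    team_allowed: bool = True
    others_allowed: bool = False

def categories(u: User) -> set:
    """Map a user onto the page's file-user categories."""
    cats = set()
    if u.is_item_trustee:
        cats |= {"item_trustee", "file_manager"}
    if u.is_file_trustee:
        cats.add("file_manager")
    if u.is_analyst:
        cats.add("analyst")
    if u.on_product_team:
        cats.add("product_team")
    # Assumption: Product Team membership overrides the Denied list.
    if u.on_product_team or not u.on_denied_list:
        cats.add("other")
    return cats

def allowed(u: User, op: str, change_state, fs: FileSettings) -> bool:
    """op: add | set_permissions | checkout_delete | view_copy."""
    cats = categories(u)
    if op != "view_copy":          # view/copy has no license or state gate
        if u.read_only:
            return False
        if change_state == "Submitted":   # else None or "Originated"
            return "analyst" in cats
    if op == "add":
        return bool(cats & {"item_trustee", "analyst", "other"})
    if op == "set_permissions":
        return bool(cats & {"file_manager", "analyst"})
    # checkout_delete and view_copy share one grantee list
    return bool(cats & {"file_manager", "analyst"}
                or ("product_team" in cats and fs.team_allowed)
                or ("other" in cats and fs.others_allowed))
```

Running the same user through each operation and change state makes it easy to spot where a per-file setting, rather than the role, is what grants access.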

Item file access permissions

Add

If user is not a read-only account, and iteration is not attached to a Routed change.

  • Item trustee
  • Analysts
  • Product team

Set permissions

If user is not a read-only account, and iteration is not attached to a Routed change.

  • File manager (if file trustee is current member of Product team)
  • Analysts

Check-out/delete

If user is not a read-only account, and iteration is not attached to a Routed change.

  • File manager (if file trustee is current member of Product team)
  • Analysts
  • Product team (if file access settings allow)
  • Other users (if file access settings allow)

View/copy

  • File manager
  • Analysts
  • Product team (if file access settings allow)
  • Other users (if file access settings allow)

The system's default file access settings are applied as each file is attached. These settings can be edited in the file list Permissions dialog – see Step 4 of Attach a revision file or Attach an item file.
