How are my access rights defined?
The rights that each user has on the various objects of the application depend on several complementary parameters. These parameters allow application administrators to control the scope of their users' access, in order to preserve the confidentiality of certain objects or to avoid interference between teams.
Access rights concern all the objects of the application: documents, parts, products and workflows. They are configured using three complementary tools: the distribution scope, the role of user profiles and access rules.
Distribution scope
The distribution scope delimits the maximum set of users who can access an object of the application: a user can see the objects whose distribution scope includes him/her.
The distribution scope can be set up at 3 levels:
To the owner of an object only
To users of one or several Sites
To all users of the Organization
The distribution scope is a property specific to each object of the application. When a user creates a new object (e.g. a document), the object is automatically associated with the scope of the creator. It is set by default to Organization when it is created, and can be modified using the Share menu.
User role
A user's role limits the types of action that the user is entitled to perform in the application, on all objects. A user will never be able to perform actions that are not authorized by their role, namely:
Shared computer: can view objects and write comments, mostly used in workshops when several operators connect from the same PC
Viewer: can additionally be assigned to workflow tasks
Manager: can additionally create/modify application objects
Admin: can additionally access the administration area to manage users, properties, views and integrations
A user's role is defined when the user is created, and can be modified by an administrator in the user management portal.
Access rules and authorization level
The access rules system allows you to define a set of rules that give permissions to users. These authorizations are divided into four levels:
Viewing without downloading: the document can be viewed in the application, but not downloaded to the user's computer
Viewing: the document can be opened in the browser and downloaded, but not modified
Editing: the document can be opened and edited, but Draft revisions cannot be committed
Full access: all rights
The rules make it possible to grant a level of authorization to a group of users, on a group of objects. These groups are defined using criteria based on the properties of each object.
These rules are created and maintained by administrators, via the dedicated management portal in the administration area. To help you check which rules apply to which objects, they are listed in its Sharing tab.
To summarize...
The rights of a user on an object correspond to:
the highest level of access given to the user by the access rules
restricted to the maximum rights of the user's role
provided that the user is within the distribution scope of the object
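
The summary above can be written as a small resolution function. The following is an added example, not code from the application. It assumes a role-to-level cap table (the page does not define one), assumes that a user with no matching rule gets no access, and uses constructed users, rules and a constructed document.

```python
from enum import IntEnum

class Level(IntEnum):  # the page's four authorization levels, lowest to highest
    NONE = 0
    VIEW_NO_DOWNLOAD = 1
    VIEW = 2
    EDIT = 3
    FULL = 4

# ASSUMPTION: the page gives no role-to-level mapping; this cap table is illustrative.
ROLE_CAP = {"shared_computer": Level.VIEW, "viewer": Level.VIEW,
            "manager": Level.FULL, "admin": Level.FULL}

def in_scope(user, obj):
    """Distribution scope check: owner only, listed sites, or whole organization."""
    if obj["scope"] == "organization":
        return True
    if obj["scope"] == "sites":
        return user["site"] in obj["sites"]
    return obj["scope"] == "owner" and user["name"] == obj["owner"]  # unknown scope: deny

def matches(criteria, props):
    """A criteria dict matches when every listed property has the required value."""
    return all(props.get(k) == v for k, v in criteria.items())

def effective_level(user, obj, rules):
    if not in_scope(user, obj):                 # out of scope: nothing else applies
        return Level.NONE
    granted = max((level for user_crit, obj_crit, level in rules
                   if matches(user_crit, user) and matches(obj_crit, obj)),
                  default=Level.NONE)           # ASSUMPTION: no matching rule, no access
    return min(granted, ROLE_CAP.get(user["role"], Level.NONE))  # role caps the result

# Constructed sample data: rules are (user criteria, object criteria, level)
RULES = [({"team": "design"}, {"project": "X"}, Level.VIEW_NO_DOWNLOAD),
         ({"team": "design"}, {"type": "document"}, Level.EDIT)]
DOC = {"owner": "alice", "scope": "sites", "sites": {"Lyon"},
       "type": "document", "project": "X"}
ALICE = {"name": "alice", "role": "manager", "site": "Lyon", "team": "design"}
BOB = {"name": "bob", "role": "viewer", "site": "Lyon", "team": "design"}
CAROL = {"name": "carol", "role": "manager", "site": "Austin", "team": "design"}

if __name__ == "__main__":
    for u in (ALICE, BOB, CAROL):
        print(u["name"], effective_level(u, DOC, RULES).name)
```

Two rules match every sample user here, and the higher one (Editing) wins before the role cap and the scope check are applied. An unknown role or an unknown scope value resolves to no access.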