User roles & permissions

Each PDXpert license has one or more user accounts.

Each user account is given to one person for their exclusive use. User accounts are personal, and cannot be shared.

Full-function and read-only user accounts

A full-function user account lets a user make and edit item records, review and approve change forms, and manage collections based on the role given to the user.

A read-only user account does not let the user make or edit items, add file attachments, or approve change forms. A read-only user can search for and view items, run reports, view and copy file attachments, and export data. Viewing permissions are regulated in accordance with the user's role.

User account management

Adding a person record (that is, a new member of the Persons collection) records their activity on an item, lets them receive email notices, and lets them have a user account.

For example, a person only needs an email address in the Persons collection record to receive change workflow emails. They must have a user account to open PDXpert for viewing the change form.

A person can interact with the PDXpert client application only after an administrator adds a user account that combines:

  • An available full-function or read-only user account; and
  • A Persons collection record (say, Pat Lee); and
  • A named set of permissions as specified by a Roles collection member (like Analyst); and
  • An account or "log-in" name (patlee); and
  • An optional account password (mypa$$w0rd).

The user account has two elements: an account (or "log-in") name and a password:

  • Account names can be any string of characters, such as a mix of the user's first and/or last names or employee number. An account user name is not case-sensitive.
  • Passwords are case-sensitive, and are managed by the account user. A temporary password is usually given when a log-in account is first added, and users are expected to change their passwords immediately. After the account is added, system administrators can never view a user's password; if a password is forgotten, a system administrator can only clear it or give a new one.

A user account is given to one person for their exclusive use. When you delete a person's user account, the user's personal settings and search history are deleted. After the user account is deleted, you can give the available user account to a different person.

Roles

PDXpert is installed with a standard set of security roles that allow users to view information related to their job. Access can be changed on existing roles, and new roles can be specified with their own set of permissions.

Administrator

Administrators can add and delete user accounts, authorize group reviewers, manage collections, set system options and workflows, and make other changes to the system environment.

A role has administrator permissions when Collections/Rules: Manage is marked in the related member of the Roles collection.

An administrator can also modify selected item attributes if the role allows access to those items and when the Tools menu: Administrator Override command is marked.

Analyst

Analysts have overall responsibility for working on changes after they've been submitted. An analyst shown on a change can edit fields, add and remove file attachments, modify any of the trustees' work, and route the change to the reviewing groups. Analysts who are not shown on the change form can move it to another lifecycle.

In addition to a system analyst, who can manage all item classes, there can be class-specific analysts.

  • Document analyst: This role is limited to documents.
  • Part analyst: This role is limited to parts.

Normal user

Normal users have free access to make new items, as well as make and edit change forms that can then be submitted for approval.

If a normal user is an item trustee or an authorized reviewer, more permissions may be available.

  • Trustee: The user who makes the item is given this role automatically. A trustee has certain rights to modify, release or delete items that she has made.
  • Reviewer: A group's member examines and approves change forms and their related items.

Guest

Guests can view any item for which they have appropriate permission, but cannot make any database additions, changes, or deletions. Guests do not have permissions to view collection members.

A guest role is specified by clearing all Create new and Manage checkboxes on the Roles collection member window.

Group reviewers

A group identifies a specific responsibility in your change review procedure, and the users who are assigned that responsibility. One reviewer from each required group must approve a change form before it can be released; any reviewer who disapproves the change prevents it from being released.

Each reviewer in a group must have a full-function user account. To fully represent a group, a reviewer must have full access to the items affected by the change form. Therefore, reviewers typically will have broad permissions to view pending, released and canceled items, and must not be denied access by product family. Even so, a person in a change form's reviewing group has permission to view the change and its affected items, even if the person's role doesn't have viewing permissions (see the Groups collection: Group reviewer permission help topic).

Product Families

While roles define broad categories of access, the Product Families collection lets you tailor access much more narrowly.

Product Team

Users identified on a Product Families collection member's Product Team list have permissions to modify specified item attributes even after an item has been released.

Denied Access

You can exclude a person, group, or organization from viewing items belonging to a particular product family, even if a role generally allows the user to view or manage items. You can override this exclusion by explicitly adding the user to the Product Team. For instance, you can exclude the entire marketing team from viewing a new product design by listing that group on the Denied Access list, but then let the project's marketing manager work on the project by adding that user to the Product Team list.

File access permissions

Access summary

To summarize user file access rights:

  • Any user may contribute a revision file before the item is released, letting the trustee accept files from most other users.
  • An item attachment or external link is managed by the trustee and members of the product team.

As noted above, system, document and part analysts have trustee permissions for the related items.

File users

In the descriptions following, different users have various access permissions:

  • The file manager is the user named as the item's trustee (the item trustee), or the user who added the file (the file trustee).
  • An analyst has been given a role with Is an analyst permission.
  • The product team consists of the users shown on the Product Family's Product Team list, as given above.
  • All other users are those who are not excluded by the Product Family's Denied list.

Revision file access permissions

Add

If the user does not have a read-only account.

  • When iteration is not attached to a change or is attached to an Originated change
    • Item trustee
    • Analysts
    • Other users
  • When iteration is attached to a Submitted change
    • Analysts

Set permissions

If the user does not have a read-only account.

  • When iteration is not attached to a change or is attached to an Originated change
    • File manager
    • Analysts
  • When iteration is attached to a Submitted change
    • Analysts

Check-out/delete

If the user does not have a read-only account.

  • When iteration is not attached to a change or is attached to an Originated change
    • File manager
    • Analysts
    • Product team (if file access settings allow—see Note below)
    • Other users (if file access settings allow)
  • When iteration is attached to a Submitted change
    • Analysts

View/copy

  • File manager
  • Analysts
  • Product team (if file access settings allow)
  • Other users (if file access settings allow)
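
The revision file lists above can be encoded as a default-deny lookup, which gives an administrator an expected result to compare against during an access review. This is an added example, not PDXpert code: the function names, role strings and the settings_allow parameter are hypothetical, and a change state that the page does not list is assumed to be denied.

```python
# Added example: the revision-file lists above as a default-deny lookup.
# All names here are hypothetical; none is a PDXpert API.

# operation -> change phase -> roles allowed. A trailing "*" marks a role
# that is allowed only "if file access settings allow".
REVISION_FILE_RULES = {
    "add": {"early": {"item_trustee", "analyst", "other"},
            "submitted": {"analyst"}},
    "set_permissions": {"early": {"file_manager", "analyst"},
                        "submitted": {"analyst"}},
    "checkout_delete": {"early": {"file_manager", "analyst",
                                  "product_team*", "other*"},
                        "submitted": {"analyst"}},
    # View/copy lists no account-type or change-state condition.
    "view_copy": {"any": {"file_manager", "analyst",
                          "product_team*", "other*"}},
}

def can_access(op, roles, change_state=None, read_only=False,
               settings_allow=()):
    """Return True if a user holding `roles` may perform `op` on a revision file.

    change_state: None (not attached to a change), "Originated" or "Submitted".
    settings_allow: roles that this file's access settings admit.
    """
    roles = set(roles)
    if roles & {"item_trustee", "file_trustee"}:
        roles.add("file_manager")      # file manager = item or file trustee
    rules = REVISION_FILE_RULES[op]
    if "any" in rules:
        allowed = rules["any"]
    elif read_only:
        return False                   # read-only accounts cannot modify
    elif change_state in (None, "Originated"):
        allowed = rules["early"]
    elif change_state == "Submitted":
        allowed = rules["submitted"]
    else:
        return False                   # state not listed on the page: deny (assumption)
    return any(r in allowed or (r + "*" in allowed and r in settings_allow)
               for r in roles)

def access_matrix(roles, **context):
    """Expected result for every operation, for comparison in an access review."""
    return {op: can_access(op, roles, **context) for op in REVISION_FILE_RULES}
```
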

Item file access permissions

Add

If the user does not have a read-only account, and the iteration is not attached to a Routed change.

  • Item trustee
  • Analysts
  • Product team

Set permissions

If the user does not have a read-only account, and the iteration is not attached to a Routed change.

  • File manager (if file trustee is member of Product team)
  • Analysts

Check-out/delete

If the user does not have a read-only account, and the iteration is not attached to a Routed change.

  • File manager (if file trustee is member of Product team)
  • Analysts
  • Product team (if file access settings allow)
  • Other users (if file access settings allow)

View/copy

  • File manager
  • Analysts
  • Product team (if file access settings allow)
  • Other users (if file access settings allow)

The Default File Access system rules are applied as each file is attached. These settings can be edited in the file list Permissions dialog—see Step 4 of Attach a revision file or Attach an item file.
