User roles & permissions

Each PDXpert license has one or more user accounts.

Each user account is given to one person for their exclusive use. User accounts are personal, and cannot be shared.

Full-function and read-only user accounts §

A full-function user account lets a user make and edit item records, review and approve change forms, and manage collections based on the role given to the user.

A read-only user account does not let the user make or edit items, add file attachments, or approve change forms. A read-only user can search for and view items, run reports, view and copy file attachments, and export data. Viewing permissions are regulated in accordance with the user's role.

User account management §

A person record (that is, a member of the Persons collection with a Name and Email address) lets that person receive task and workflow emails. When the person is given a user account, they can view and manage items, and perhaps manage the software settings as an administrator.

A person can interact with the PDXpert client application only after an administrator adds a named user account that combines:

• An available full-function or read-only user account; and

• A Persons collection record (say, Pat Lee); and

• A named set of permissions as specified by a Roles collection member (like Analyst); and

• An account or "log-in" name (patlee); and

• An optional account password (mypa$$w0rd).

The named user account has two elements: an account (or "log-in") name and a password:

• Account names can be any string of characters, such as a mix of the user's first and/or last names or employee number. An account user name is not case-sensitive.
• Passwords are case-sensitive, and are managed by the account user. A temporary password is usually given when a log-in account is first added, and users are expected to change their passwords immediately. After the account is added, system administrators can never view a user's password; if a password is forgotten, a system administrator can only clear it or give a new one.

A named user account is given to one person for their exclusive use. When you delete a person's user account, the user's personal settings and search history are deleted. The Persons collection member for that user is normally made inactive (not deleted), so that the person's history as trustee, task worker, analyst, or change reviewer is always available. After the user account is deleted, you can give the available user account to a different person.

Roles §

PDXpert is installed with a standard set of security roles that allow users to view information related to their job. Access can be changed on existing roles, and new roles can be specified with their own set of permissions.

Administrator §

Administrators can add and delete user accounts, authorize group reviewers, manage collections, set system options and workflows, and make other changes to the system environment.

A role has administrator permissions when Collections/Rules: Manage is marked in the related member of the Roles collection.

An administrator can also modify selected item attributes if the role allows access to those items and when the Tools menu: Administrator Override command is marked.

Analyst §

Analysts have overall responsibility for managing changes while they're being processed. An analyst shown on a change can – depending on the current workflow state and system rules – edit fields, add and remove file attachments, modify any of the trustees' work, and process the change to another workflow lifecycle. Analysts who are not shown on the change form can move it to another lifecycle.

Analysts also can edit documents and parts with the item trustee's permissions, and are automatically members of all product teams.

• Document analyst: This role allows managing any document as its trustee.

• Part analyst: This role allows managing any part as its trustee.

A system analyst has been assigned a role where the Is an analyst permission is marked for both documents and parts.

Normal user §

Normal users have free access to make new items, as well as make and edit change forms that can then be submitted for approval.

If a normal user is an item trustee or an authorized reviewer, more permissions may be available.

• Trustee: The user who makes the item is given this role automatically. Trustees have certain rights to modify, release or delete items that they have made. A user who can create new items can also create a new iteration, and replaces the previous item trustee.
• Reviewer: A group's member examines and approves change forms and their related items.

Guest §

Guests can view any item for which they have appropriate permission, but cannot make any database additions, changes, or deletions. Guests do not have permissions to view collection members.

A guest role is specified by clearing all Create new and Manage checkboxes on the Roles collection member window.

Group reviewers §

A group identifies a specific responsibility in your change review procedure, and the users who are assigned that responsibility. One reviewer from each required group must approve a change form before it can be released; any reviewer who disapproves the change prevents it from being released.

Each reviewer in a group must have a full-function user account. To fully represent a group, a reviewer must have full access to the items affected by the change form. Therefore, reviewers typically will have broad permissions to view pending, released and canceled items, and must not be denied access by product family. Even so, a person in a change form's reviewing group has permission to view the change and its affected items, even if the person's role doesn't have viewing permissions (see the Groups collection: Group reviewer permission help topic).

Product Families §

While roles define broad categories of access, the Product Families collection denies, or allows more, access to selected users.

Product Team §

Users identified on a Product Families collection member's Product Team list can have:

• trustee permissions to modify selected groups of item attributes; and

• originator permissions to modify selected groups of change form attributes.

When several product families are assigned to an item, a user assigned to multiple product teams has the teams' combined permissions. A change form acquires the combined product families of its Affected items.

Denied Access §

You can exclude a person, group, or organization from viewing items belonging to a particular product family, even if a role generally allows the user to view or manage items. You can override this exclusion by explicitly adding the user to the Product Team. For instance, you can exclude the entire marketing team from viewing a new product design by listing that group on the Denied Access list, but then let the project's marketing manager work on the project by adding that user to the Product Team list.

File access permissions §

Access summary §

To summarize user file access rights:

• An item trustee, and product team members with Revision Files permission, may attach a revision file before the item is released.

• An item attachment or external link is managed by the trustee and, with the Item Files permission, by members of the product team.

As noted above, system, document and part analysts have trustee permissions for specified items.

File users §

In the descriptions following, different users have various access permissions:

• An analyst has been given a role with Is an analyst permission.
• The product team are shown on Product Family's Product Team list, as given above.
• All other users are those who are not excluded by the Product Family's Denied list.

Related topics

• User management
• Roles collection
• Groups collection
• Product families collection
• Unlock change form Files system rule
• Unlock change form Tasks system rule

1126