Individual iModel permissions

By default, project team members and their permissions define the access level for all iModels in the same asset/project context. You can read how to set up global iModel permissions on the main page here.

If you need more granular authorization, you can use the individual iModel permission level. An administrator can make an RBAC role more or less powerful for a specific iModel than it is for the full asset/project scope. As a result, you can control access to individual iModels.

Follow these steps to set iModel permissions:

  1. In the main iModel Manager website, find the required iModel and open its context menu.
  2. Select the Set iModel access button.
    NOTE: You need to have the Manage permission per asset/project context. Manage per iModel doesn't override Manage per asset/project context in this case.
  3. Configure the RBAC roles' access to the iModel in the dialog that opens. Be aware that all dependent permissions for the configured role are set/unset automatically (e.g. when setting Write, View and Read will be set automatically).
    NOTE: You can change only the permissions which you have assigned at the project level.
  4. Click Set.
  5. After the page refreshes, you will see a yellow indicator with a shield on the iModel tile.

Note: If iModel access is configured, users who do not have View access to the iModel will not be able to see it in the iModels list (except users with the Manage permission per asset/project context).

Complete configuration is essential because asset/project level permissions are ignored when an iModel has restricted access. For example, if you want to forbid a user's access to the iModel, set access only for roles the user does not have.

Permissions resolve matrix

This matrix shows how asset/project context and iModel permissions are combined to resolve user permissions:

  • If the user has no permissions per asset/project context, the user won't be able to access the iModel, no matter what permissions are set per iModel;
  • If permissions per iModel are not configured, permissions per asset/project context are used;
  • If the user has permissions per asset/project context and per iModel, permissions per iModel overwrite permissions per asset/project context.
    • Note: The Manage permission per iModel doesn't override Manage per asset/project context completely. It doesn't allow configuring iModel access.
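
The resolution rules above can be modelled in a few lines to audit a planned configuration before applying it. This is an added example, not product code: the function `resolve`, the role names and the sample data are hypothetical, and it assumes a user's permissions are the union over all roles the user holds.

```python
# Added example: simplified model of the resolution rules, not product code.
# Assumption: a user's permissions are the union over all roles they hold.

def resolve(user_roles, context_roles, imodel_access=None):
    """Return (effective, visible, can_set_access) for one user and one iModel.

    context_roles: role -> permissions at asset/project context level.
    imodel_access: role -> permissions set per iModel, or None when
                   individual iModel access has not been configured.
    """
    context = set()
    for role in user_roles:
        context |= set(context_roles.get(role, ()))

    if not context:
        # No permissions per context: per-iModel settings cannot grant access.
        return set(), False, False

    if imodel_access is None:
        # Per-iModel access not configured: context permissions are used.
        effective = set(context)
    else:
        # Per-iModel access configured: it replaces context permissions.
        # A role missing from the configuration contributes nothing.
        effective = set()
        for role in user_roles:
            effective |= set(imodel_access.get(role, ()))

    # Only Manage per context allows configuring iModel access, and it
    # also keeps the iModel visible in the list.
    can_set_access = "Manage" in context
    visible = "View" in effective or can_set_access
    return effective, visible, can_set_access


# Constructed sample data (hypothetical role names).
CONTEXT_ROLES = {
    "Admin": {"View", "Read", "Write", "Manage"},
    "Editor": {"View", "Read", "Write"},
    "Reviewer": {"View", "Read"},
}
RESTRICTED = {
    "Reviewer": {"View", "Read", "Write", "Manage"},
    "Guest": {"View"},  # Guest has no context-level role, so this has no effect
}
```

With this data, an Editor loses all access to the restricted iModel because the role is absent from its configuration, while a Reviewer gains Manage on the iModel but still cannot change its access settings.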

Hide iModels on iModel Manager page

Individual iModel permissions can be used to restrict which iModels are shown to users, depending on their role and the rights given to that role. When individual iModel permission is applied to an iModel, only the roles with assigned permission to that iModel will be able to view the iModel on the iModel Manager page. Other roles will not be able to see that iModel on the iModel Manager page.

Roles with the following permissions will see all iModels regardless of whether the role has been added to the iModel. This is because the "Manage" right allows users to set iModel access for roles with less permission. Because of that, such a role can view all iModels in the project so that it can configure individual access per iModel.

  • View/Read/Write/Manage
  • View/Read/Write/Manage/Delete