This technote will discuss applying ProjectWise permissions to folders and documents, permission descriptions, the basics of how ProjectWise applies permissions, ProjectWise folder inheritance, along with Workflow and Object based permissions.
Permissions for a Datasource are set in the ProjectWise Administrator. When a datasource is first created, no access control settings are configured, therefore all users created will have access to all folders and documents in the datasource. Permissions for the folders and documents are set in ProjectWise Explorer. It is only when some users are explicitly given access permissions to certain items that other users become excluded from accessing those same items.
When creating security try to keep it simple. If your security model gets too complicated, performance can degrade and it may become difficult to know what is secure and what is not.
You must be a ProjectWise Administrator or have the appropriate administrative rights to change ownership of documents or assign permissions to users, groups, and datasources.
*Please note - While ProjectWise can handle complex security settings, it should be noted that the fewer security settings there are the better performance will be. In particular when creating new folders or changing security settings.
To set the security for an object; Open the Properties dialog on either the Folder or Document, click on the Security tab and add the user whose access permissions you want to configure.For example, to set the security permissions for a folder:
Figure 2 below provides the description of the individual permissions that can be given to a user for a folder. Figure 3 below provides the description of the Document permissions. Both of these tables can be found by doing a search for "access control security permissions" in the help section of ProjectWise Explorer.
Figure 2 - FOLDER PERMISSIONS
Figure 3 below provides a description of each permission that can be given to a user for documents in a folder.
Figure 3 - DOCUMENT PERMISSIONS
ProjectWise assigns cumulative permissions until rights collide then least permissions will be in effect.
ProjectWise does not have specific "Deny" access entries, except "NoAccess", that is treated as Deny All. All other specific access entries are only of "Allow" type. It is a common practice to apply cumulatively both Allow and Deny rights, and only when Allow & Deny collides on a specific right, the least permissions wins. However, whenever you have "NoAccess" in a set - "NoAccess" will be in effect.
For example designers may create documents and reviewers can edit those documents, and a user who belongs to both groups would be able to do both. In the Example-1 below the user is provided the cumulative permissions, not the least restrictive permissions.
UserA belongs to two groups - the "designer" group and the "reviewer" group and both groups are assigned to the folder named Folder_A.
However , if the Reviewer group had NO rights assigned to FOLDER_A, then UserA would have no access to the folder.
Note that future ProjectWise releases may implement specific Deny rights, combining inherited and directly applied rights.
Other noteworthy permission rules:
ProjectWise Folder Inheritance
Security permissions will need to be modified periodically to account for changes in the ProjectWise folder structure. When making changes to a folder you will be prompted with the window in Figure 4 below:
Figure 4 - Confirm Folder Security Changes
If a folder has sub folders, choosing "Apply changes to this folder only" affects the permissions of selected folder and its sub folders as follows:
Folders that inherit permissions will inherit from the closest folder in the hierarchy that has its own permissions defined. If a new folder gets created under an existing folder that has its own security defined then the new folder will inherit its security from the existing parent folder rather than the datasource because it is closer in the hierarchy.
The hierarchy works as shown in Figure 5 below:
When planning a security model it is generally best to set some default access rights at the top folder and apply those settings to all subfolders. Then start at the bottom of the folder structure to define specific access rights on just those folders that require it - keeping in mind that any subfolders will now inherit their access rights from the parent folder just changed.
Workflow Security is created in ProjectWise Administrator and applied to folders and projects in ProjectWise Explorer. Rights can be applied to the users assigned to each State within a Workflow, for both Folders and Documents. If an object has both Workflow and object security applied Workflow security will prevail. This is usually the case unless No Access is applied. No Access always takes precedence whether applied via Workflow or directly to the object.
As stated earlier, the concept is that the various objects in ProjectWise (Documents, Folders & Environments) will inherit their access rights from the nearest parent. Figure 6 below depicts this security hierarchy structure:
Product TechNotes and FAQs
Bentley Technical Support KnowledgeBase
Bentley LEARN Server
Bentley's Technical Support Group requests that you please confine any comments you have on this Wiki entry to this "Comments or Corrections?" section. THANK YOU!