Questions about this article, topic, or product? Click here. 

Permissions in ProjectWise [TN]

   
  Applies To 
   
  Product(s): ProjectWise
  Version(s): All
  Environment:  N/A
  Area:  N/A
  Subarea:  N/A
  Original Author: Bentley Technical Support Group
   

 

 

 

 

 

 

 

 

Overview

This technote will discuss applying ProjectWise permissions to folders and documents, permission descriptions, the basics of how ProjectWise applies permissions, ProjectWise folder inheritance, along with Workflow and Object based permissions.

Permissions for a Datasource are set in the ProjectWise Administrator. When a datasource is first created, no access control settings are configured, therefore all users created will have access to all folders and documents in the datasource. Permissions for the folders and documents are set in ProjectWise Explorer. It is only when some users are explicitly given access permissions to certain items that other users become excluded from accessing those same items.

When creating security try to keep it simple. If your security model gets too complicated, performance can degrade and it may become difficult to know what is secure and what is not.

 

Pre-requisites \ Assumptions

You must be a ProjectWise Administrator or have the appropriate administrative rights to change ownership of documents or assign permissions to users, groups, and datasources.

*Please note - While ProjectWise can handle complex security settings, it should be noted that the fewer security settings there are the better performance will be. In particular when creating new folders or changing security settings.

Applying Permissions

To set the security for an object; Open the Properties dialog on either the Folder or Document, click on the Security tab and add the user whose access permissions you want to configure.
For example, to set the security permissions for a folder:  

  1. Start ProjectWise Explorer
  2. Log in as either the owner of the folder or as a user with administrative privileges
  3. Select a folder
  4. Right click on the Folder and choose Properties
  5. On the Folder Properties dialog, select the Project\Folder Security tab
  6. Set Security Type to Folder, see Figure 1.
    1. Note that you can also add Workflow permissions at the folder level by changing the Security Type to Workflow and following the same process.
  7. Click Add to add a user or group to the Name list
  8. Highlight either the user or the group that you selected and check the appropriate boxes of permissions you want this user or group to have
  9. Ensure that you provide rights to yourself (the user you are logged in as) otherwise you may lock yourself out. **As mentioned earlier, when some users are explicitly given access permissions to certain items then other users become excluded from accessing those same items
  10. Click OK

Figure 1

 

To set security permissions for individual documents in a folder:

  1. Start ProjectWise Explorer
  2. Log in as either a ProjectWise Administrator or as a user that has the appropriate administrative rights to change ownership of documents or assign permissions to users, groups and/or user lists.
  3. Select a document
  4. Right click on the Document and choose Properties
  5. On the Document Properties dialog, select the Security tab
  6. When the Security tab page opens, it displays the default inherited security settings. Documents can inherit security items from the Global Datasource, an Environment, a Parent folder and its own folder. You can modify the security settings to specific settings for this document; otherwise the document inherits the default settings. Note that a File or folder can inherit file and or folder permissions set at the Environment level once assigned.
    1. To set object security on a document, set Security Type to Document.
    2. To set workflow security on a document, set Security Type to Workflow
  7. Click Add to add a user to the Name list
  8. Select the user or group in the Name list, then set or clear permissions for that user in the Permissions list
  9. Click Apply, then OK or click Add to configure more users' permissions for the folder


To review a user's combined permissions for a folder

  1. Start ProjectWise Explorer
  2. Log in as either the owner of the folder or as a user with administrative privileges
  3. Select a folder
  4. Right click on the Folder and choose Properties
  5. On the Folder Properties dialog, select the Security tab
  6. Set Security Type to Real (Workflow & Folder)
  7. Select a user in the Name list. The aggregate of both the user's workflow security and folder security permissions are displayed in the Permissions list.

Permission Descriptions


Figure 2 below provides the description of the individual permissions that can be given to a user for a folder. Figure 3 below provides the description of the Document permissions. Both of these tables can be found by doing a search for "access control security permissions" in the help section of ProjectWise Explorer.

Figure 2 - FOLDER PERMISSIONS

Figure 3 below provides a description of each permission that can be given to a user for documents in a folder.

Figure 3 - DOCUMENT PERMISSIONS

How ProjectWise Assigns Permissions

  ProjectWise assigns cumulative permissions until rights collide then least permissions will be in effect.

ProjectWise does not have specific "Deny" access entries, except "NoAccess", that is treated as Deny All. All other specific access entries are only of "Allow" type.  It is a common practice to apply cumulatively both Allow and Deny rights, and only when Allow & Deny collides on a specific right, the least permissions wins.  However, whenever you have "NoAccess" in a set - "NoAccess" will be in effect.

For example designers may create documents and reviewers can edit those documents, and a user who belongs to both groups would be able to do both.  In the Example-1 below the user is provided the cumulative permissions, not the least restrictive permissions.

Example-1:

UserA belongs to two groups - the "designer" group and the "reviewer" group and both groups are assigned to the folder named Folder_A.

  • designer -has full rights to FOLDER_A
  • reviewer -has limited rights to FOLDER_A

However , if the Reviewer group had NO rights assigned to FOLDER_A, then UserA would have no access to the folder.

Note that future ProjectWise releases may implement specific Deny rights, combining inherited and directly applied rights.

Other noteworthy permission rules:

  • Except for No Access - each Owner has an implicit right you cannot take away.
  • The same procedure for folders applies to documents. Therefore, document owners, and the folder's owner can change permissions.
  • If user has NoAccess, he cannot see the object, thus cannot exercise any rights
  • The No Access permission takes priority over all others

ProjectWise Folder Inheritance

Security permissions will need to be modified periodically to account for changes in the ProjectWise folder structure. When making changes to a folder you will be prompted with the window in Figure 4 below:

Figure 4 - Confirm Folder Security Changes

If a folder has sub folders, choosing "Apply changes to this folder only" affects the permissions of selected folder and its sub folders as follows:

  1. No subfolders that have their own permissions will be affected by the change
  2. All subfolders that inherit their permissions from the changed folder will now reflect the changes made.

Folders that inherit permissions will inherit from the closest folder in the hierarchy that has its own permissions defined. If a new folder gets created under an existing folder that has its own security defined then the new folder will inherit its security from the existing parent folder rather than the datasource because it is closer in the hierarchy.

The hierarchy works as shown in Figure 5 below:

Figure 5

When planning a security model it is generally best to set some default access rights at the top folder and apply those settings to all subfolders. Then start at the bottom of the folder structure to define specific access rights on just those folders that require it - keeping in mind that any subfolders will now inherit their access rights from the parent folder just changed.

Workflow-based and Object-based Security

Workflow Security is created in ProjectWise Administrator and applied to folders and projects in ProjectWise Explorer. Rights can be applied to the users assigned to each State within a Workflow, for both Folders and Documents. If an object has both Workflow and object security applied Workflow security will prevail. This is usually the case unless No Access is applied. No Access always takes precedence whether applied via Workflow or directly to the object.

As stated earlier, the concept is that the various objects in ProjectWise (Documents, Folders & Environments) will inherit their access rights from the nearest parent. Figure 6 below depicts this security hierarchy structure:

Figure 6

 

See Also

Product TechNotes and FAQs

Bentley homepage

Bentley Technical Support KnowledgeBase

Bentley LEARN Server

Comments or Corrections?

Bentley's Technical Support Group requests that you please confine any comments you have on this Wiki entry to this "Comments or Corrections?" section. THANK YOU!

 

Recommended
Related
Communities
Support and Services
Training and Learning
Social Media