AX2199

Controlling access to plan files

User access to plan files in a file group is controlled by Axiom Security. Plan file processes in process management can also impact the level of access that a user has to a plan file at a particular point in time. This topic summarizes how plan file access works using these factors.

Plan file access

In order for a user to be able to see and open plan files in a file group, they must have plan file permissions defined in Security, on the File Groups tab.

For each file group, a user can be assigned an access level (No Access, Read Only or Read/Write) and a filter that determines which files the access level applies to (including an option for All Plan Files). Both the access level and the filter can be configured at the user level and/or inherited from a role. Users can also have multiple permission sets for a file group, with different access levels applying to different sets of plan files. Additional permissions can be set that determine what a user can do within the plan files that the user has access to (such as whether the user can save data or insert a calc method).

When a user opens the Open Plan Files dialog for the file group, the list of plan files is limited to only show the files that the user can open with either read-only or read/write permission. When the user selects a plan file to open, it is opened according to the user's access level to that particular plan file. The No Access permission is effectively ignored in this context; plan files set to this level of permission do not display in Open Plan Files. No Access is only used in conjunction with process management (see below) or when using "combine" role inheritance (with the intent of the combined permission resulting in a higher level of access).

Generally speaking, if a user does not have access to any plan files in a file group, then the user will not see that file group in ribbon tabs, task panes, and other areas of Axiom Software. Even if the file group displays to the user (such as by using Show Restricted Item in a task pane), the user will not be able to open any plan files in that file group.

Ownership in process management

The second level of control is ownership of the plan file via process management (or via the legacy workflow feature). Process management is an optional feature that allows you to define sequential planning steps for a plan file process. For each step in the process, an owner is assigned to each plan file, to carry out the task of either editing or reviewing the file.

If a user is the assigned owner of a plan file for a current task, then Axiom Software will "elevate" the user's permissions as necessary to allow the user to complete the task. This elevation only occurs if the user has a plan file permission set with both of the following:

  • The plan file is included in the filter for the permission set (or the permission set covers all plan files)
  • The Interacts with Process Management permission is enabled for the permission set

Using this approach, it is possible to configure a setup where a user has no access to a plan file unless they are the current owner of the file in a plan file process. If the user has a permission set with No Access and Interacts with Process Management, then under normal circumstances that user cannot see or open the plan file. However, when the user is the current owner, the user's permissions are temporarily elevated as appropriate so that the user can complete the task (for example, the permission would be elevated to Read/Write and Allow Save Data for an edit task). While the task is active, the user can open and edit the plan file, and save data from it. When the user completes the task, the user is no longer the owner and the user's permissions revert to no access.

IMPORTANT: If an individual user is directly assigned as a step owner, but the user's plan file permission does not have Interacts with Process Management enabled, it is a known issue that Axiom Software will elevate the user's permission to include Allow Save Data but not Read/Write. For this reason, it is recommended to enable "interacts" on plan file permission sets for any user that you plan to directly assign as a step owner, if that user does not already have full permissions to the plan file. This does not apply when the assignment is through a role, because plan file permission sets without "interacts" enabled are not considered for step ownership in that case.

Process management only elevates existing user permissions; it does not reduce or remove user permissions. If a user has been granted read/write permission to a plan file in security, then that user will always have that permission, regardless of whether they are an assigned owner in process management. For more information, see How plan file processes and security interact.
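
The elevation rules in this section, including the known issue in the IMPORTANT note, modeled as an added example (this is not Axiom Software code or its API). The PermissionSet class, the function names, and the sample users are hypothetical; the model assumes the permission set passed in is the one whose filter covers the plan file, and it handles edit tasks only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PermissionSet:
    """Hypothetical model of one plan file permission set (not an Axiom object).
    Assumes its filter already covers the plan file in question."""
    access: str               # "No Access", "Read Only" or "Read/Write"
    interacts: bool           # Interacts with Process Management
    allow_save: bool = False  # Allow Save Data

FULL = ("Read/Write", True)

def effective_access(ps, owns_edit_task=False, assigned_via="direct"):
    """Return (access level, allow save data) as this page describes it."""
    if not owns_edit_task:
        return ps.access, ps.allow_save   # Security settings apply unchanged
    if ps.interacts:
        return FULL                       # elevated for the edit task
    if assigned_via == "direct":
        # Known issue: Allow Save Data is elevated but Read/Write is not.
        return ps.access, True
    # Assigned through a role: sets without "interacts" are not considered.
    return ps.access, ps.allow_save

def audit_direct_owners(assignments):
    """Flag directly assigned edit-step owners who would not get full access."""
    findings = []
    for user, ps, via in assignments:
        got = effective_access(ps, owns_edit_task=True, assigned_via=via)
        if via == "direct" and got != FULL:
            findings.append((user, got))
    return findings

# Constructed sample data: (user, permission set, how the step owner was assigned)
SAMPLE = [
    ("alice", PermissionSet("No Access", interacts=True), "direct"),
    ("bob", PermissionSet("No Access", interacts=False), "direct"),
    ("carol", PermissionSet("Read/Write", interacts=False, allow_save=True), "direct"),
    ("dave", PermissionSet("Read Only", interacts=False), "role"),
]

if __name__ == "__main__":
    for user, got in audit_direct_owners(SAMPLE):
        print(f"{user}: enable 'interacts' (would get {got} as edit-step owner)")
```

Only the directly assigned owner whose permission set lacks "interacts" and who does not already have full permissions is flagged, which matches the recommendation in the IMPORTANT note.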