AX1304

Configuring plan file security for use with plan file processes

This section provides basic guidelines for setting user permissions when you intend to use a plan file process (process management) with the file group. There are many nuances to file group security settings and how they can interact with plan file processes, especially if you are using advanced security configurations such as multiple permission sets for plan files or the combine option for role inheritance. If you need assistance in determining the best configuration for your system, please contact Axiom Software Support.

NOTE: The same guidelines apply if you are using the legacy workflow feature instead of process management.

The Interacts with Process Management setting for plan files is the key security permission for use with plan file processes. Enabling this option for a plan file permission set has the following effects:

  • When the user is a step owner in an active plan file process, their plan file permissions will be "elevated" as needed to complete the current task. For example, the user will be elevated to Read/Write and Allow Save Data for an Edit Plan File step in a process.

  • If the ownership assignment is through a role, enabling this option tells the process to consider this permission set when evaluating which role members should be step owners. If this option is not enabled, then this permission set will be ignored by the process.

IMPORTANT: If an individual user is directly assigned as a step owner, but the user's plan file permission does not have Interacts with Process Management enabled, it is a known issue that Axiom Software will elevate the user's permission to include Allow Save Data but not Read/Write. For this reason, it is recommended to enable "interacts" on plan file permission sets for any user that you plan to directly assign as a step owner, if that user does not already have full permissions to the plan file. This does not apply when the assignment is through a role, because plan file permission sets without "interacts" enabled are not considered for step ownership in that case.

Example user permissions for use with a plan file process

The first step in configuring plan file permissions for use with a process is deciding what level of permissions you want the user to have when the user is not a process step owner. This is the base level of security permissions that the user will always have. As long as Interacts with Process Management is also enabled, the process will elevate the user's permissions to the appropriate level when the user is a step owner.

NOTE: All of the example permission sets below assume that the user's plan file filter includes the plan file where the user is assigned as a step owner. The user must have a configured or inherited permission set that includes this plan file. A plan file process cannot grant permissions to plan files; it can only elevate existing permissions to those files.

No Access

If you want a user to have no access to the plan file when the user is not a process step owner, then set the permissions as follows:

  • File Access Level: No Access
  • Allow Save Data: Unchecked
  • Interacts with Process Management: Checked

When the user is a step owner, the process will elevate the user's permissions as appropriate.

Read-Only Access

If you want a user to have read-only access to the plan file when the user is not a process step owner, then set the permissions as follows:

  • File Access Level: Read-Only
  • Allow Save Data: Unchecked
  • Interacts with Process Management: Checked

When the user is a step owner, the process will elevate the user's permissions as appropriate.

Full Access

If you want a user to have full edit rights to the plan file when the user is not a process step owner, then set the permissions as follows:

  • File Access Level: Read/Write
  • Allow Save Data: Checked
  • Interacts with Process Management: Checked (if ownership comes via role assignment)

If the user will be directly assigned as a step owner, then it is not required to enable Interacts with Process Management because the user already has the full permissions that could be granted by the process. However, if the user's ownership comes through a role assignment, then you must enable Interacts with Process Management to signal that this user should be made one of the step owners.

These permissions can be set at the user level, or at the role level, or at some combination of the two (if using Combine role inheritance). All other plan file permissions can be enabled or not as appropriate for the user. In some cases those other permissions will only be relevant when the user's access level has been elevated by the process. For example, if the user has No Access plus Allow Calc Method Insert, then the ability to insert calc methods is only relevant when the user is a step owner (because otherwise they will be unable to see or open the plan file).
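The following Python sketch is an added example, not Axiom Software code or an Axiom API. It models the rules stated above for an Edit Plan File step so a planned set of assignments can be checked for the two failure cases: the known issue with direct assignment, and role members who are skipped. It assumes one effective permission set per user that already includes the plan file; the class and function names and the sample users are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PermissionSet:
    access: str             # "No Access", "Read-Only" or "Read/Write"
    allow_save_data: bool
    interacts: bool         # Interacts with Process Management

@dataclass(frozen=True)
class Outcome:
    step_owner: bool
    access: str
    allow_save_data: bool
    finding: str            # empty when the configuration works as intended

def edit_step_outcome(perm: PermissionSet, via_role: bool) -> Outcome:
    """Model one user's effective rights on an Edit Plan File step."""
    if perm.interacts:
        # Elevated as needed for the step, whatever the base level was.
        return Outcome(True, "Read/Write", True, "")
    if via_role:
        # Sets without "interacts" are ignored when role members are evaluated.
        return Outcome(False, perm.access, perm.allow_save_data,
                       "not made a step owner: enable interacts")
    if perm.access == "Read/Write":
        # Direct owner who only needed Allow Save Data, which is still added.
        return Outcome(True, "Read/Write", True, "")
    # Known issue: direct owner gains Allow Save Data but not Read/Write.
    return Outcome(True, perm.access, True,
                   "known issue: save data without Read/Write; enable interacts")

# Constructed sample: (user, permission set, ownership comes via role?)
SAMPLE = [
    ("alice", PermissionSet("No Access", False, True), True),
    ("bob", PermissionSet("Read-Only", False, False), False),
    ("carol", PermissionSet("Read/Write", True, False), True),
    ("dave", PermissionSet("Read/Write", True, False), False),
]

def audit(assignments):
    """Return {user: finding} for assignments that will not behave as intended."""
    findings = {}
    for user, perm, via_role in assignments:
        outcome = edit_step_outcome(perm, via_role)
        if outcome.finding:
            findings[user] = outcome.finding
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE).items():
        print(f"{user}: {finding}")
```
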

Enabling Interacts with Process Management

When creating new permission sets for users, Interacts with Process Management is enabled by default. It is recommended to leave this option enabled for users. Generally speaking, you should only disable the option if both of the following apply:

  • The user already has the necessary permissions for process step ownership.

    AND

  • The user does not need to be granted ownership via a role.

When creating new permission sets for roles, Interacts with Process Management is disabled by default. You should consider whether to enable the option or leave it disabled, based on how you are granting permissions to users and how you are assigning step owners. Keep in mind the following:

  • If ownership assignments are made through a role, then users who belong to the role must have permission to the plan file and Interacts with Process Management enabled in order to be a step owner. However, these permissions can come from any permission set for the user; they do not need to be granted through the role used as the ownership assignment.

  • If these plan file permissions are granted at the user level (or inherited by the user through a different role) then there is no need to enable Interacts with Process Management for the role that will be used as the assignment.

  • However, if the role being used as the assignment is also the primary means by which users are granted plan file permissions, then Interacts with Process Management should be enabled for the role so that users inherit that setting as well.

Generally speaking, if the only purpose of the role is to define a pool of users for process ownership assignments, then you should leave the option disabled and instead rely on the individual user permissions to determine the ultimate step ownership.

NOTE: It is not required to enable this permission for a role in order to assign the role as a step owner in a plan file process. The assigned role simply defines the pool of users that are available to become step owners; the role itself is not required to have any particular permissions.

For more information and examples, see How plan file processes and security interact.