AX1304
Configuring plan file security for use with plan file processes
This section provides basic guidelines for setting user permissions when you intend to use a plan file process with the file group. There are many nuances to file group security settings and how they can interact with plan file processes, especially if you are using advanced security configurations such as multiple permission sets for plan files or the combine option for role inheritance.
Generally speaking, you should configure security permissions for plan files to reflect the "baseline" permissions that you want the users to have when they are not process step owners. When the users are step owners, their permissions will be temporarily "elevated" as needed so that they can complete the process task. For example, a user may have Read-Only access to a plan file configured in security, so this is their baseline permission. But when the user is the step owner of an edit step, their permission will be elevated to Read/Write and Allow Save Data so that they can edit and save the plan file.
Additionally, the Interacts with Process Management setting for plan file permissions can be used as follows:
- If you want a user to only have access to the plan file when they are the step owner, you can configure a permission set to the plan file with No Access and Interacts with Process Management enabled. This causes the permission set to be considered for step ownership of a plan file even though the access level is No Access. The user must still have a plan file filter that includes the plan file.
- If the ownership assignment is through a role, enabling Interacts with Process Management tells the process to consider this permission set when evaluating which role members should be step owners. If "interacts" is not enabled when using a role assignment, then this permission set will be ignored by the process.
Example user permissions for use with a plan file process
The first step in configuring plan file permissions for use with a plan file process is deciding what level of permissions you want the user to have when the user is not a process step owner. This is the user's baseline level of security permissions that they will always have.
NOTE: All of the example permission sets below assume that the user's plan file filter includes the plan file where the user is assigned as a step owner. The user must have a configured or inherited permission set that includes this plan file. Plan file processes cannot grant permissions to plan files; they can only elevate existing permissions to those files.
- No Access
  If you want a user to have no access to the plan file when the user is not a process step owner, then set the permissions as follows:
  - File Access Level: No Access
  - Allow Save Data: Unchecked
  - Interacts with Process Management: Checked
  When the user is a step owner, the process will elevate the user's permissions as appropriate.
- Read-Only Access
  If you want a user to have read-only access to the plan file when the user is not a process step owner, then set the permissions as follows:
  - File Access Level: Read-Only
  - Allow Save Data: Unchecked
  - Interacts with Process Management: Checked if the ownership assignment comes through a role (can be left unchecked if the user will be assigned directly)
  When the user is a step owner, the process will elevate the user's permissions as appropriate.
- Full Access
  If you want a user to have full edit rights to the plan file when the user is not a process step owner, then set the permissions as follows:
  - File Access Level: Read/Write
  - Allow Save Data: Checked
  - Interacts with Process Management: Checked if the ownership assignment comes through a role (can be left unchecked if the user will be assigned directly)
These permissions can be set at the user level, or at a role level, or at some combination of the two (if using Combine role inheritance). All other plan file permissions can be enabled or not as appropriate for the user. In some cases, the other permissions will only be relevant when the user's access level has been elevated by the process. For example, if the user has No Access plus Allow Calc Method Insert, then the ability to insert calc methods is only relevant when the user is a step owner (because otherwise they will be unable to see or open the plan file).
Enabling Interacts with Process Management
When creating new permission sets for users, Interacts with Process Management is enabled by default. You can disable this permission for the user if:
- The permission set grants Read-Only access or higher.
  AND
- The permission set does not need to be considered when using role ownership assignments.
When creating new permission sets for roles, Interacts with Process Management is disabled by default. You should consider whether to enable the option or leave it disabled, based on how you are granting permissions to users and how you are assigning step owners. Keep in mind the following:
- If ownership assignments are made through a role, then users who belong to the role must have permission to the plan file and Interacts with Process Management enabled in order to be a step owner.
- If the role assignment is configured to consider All permissions, then it is not necessary to enable Interacts with Process Management on the role that will be used as the assignment. In this case, the role simply defines the pool of eligible users. If a user has any permission set with access to the plan file and "interacts" enabled, then they will be a step owner.
- If the role assignment is configured to consider Only permissions associated with the assigned role, then either Interacts with Process Management must be enabled on the role so that users in the role inherit it, or the users must have an individual permission set with the "interacts" permission that is also configured to combine with the role.
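The role-assignment rules above can be checked against a planned configuration with a small model. This is an added example, not the product's own code or API: the PermissionSet fields, the mode names "all" and "assigned_role_only", and the sample users, role and plan file are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PermissionSet:
    source: str                # "user", or the role the set is inherited from
    plan_files: frozenset      # plan files matched by the set's plan file filter
    access: str                # "No Access", "Read-Only" or "Read/Write"
    interacts: bool            # Interacts with Process Management
    combines_with: frozenset = frozenset()  # roles a user-level set combines with

def considered(ps, plan_file, assigned_role, mode):
    """Would the process consider this permission set for role-based ownership?"""
    if plan_file not in ps.plan_files:
        return False           # the process cannot grant access outside the filter
    if not ps.interacts:
        return False           # ignored for role assignments, whatever the access level
    if mode == "all":
        return True            # the role only defines the pool of eligible users
    # mode == "assigned_role_only": inherited from the role, or combined with it
    return ps.source == assigned_role or (
        ps.source == "user" and assigned_role in ps.combines_with)

def step_owners(users, plan_file, assigned_role, mode):
    """Role members with at least one considered permission set, sorted by name."""
    return sorted(
        name for name, (roles, sets) in users.items()
        if assigned_role in roles
        and any(considered(ps, plan_file, assigned_role, mode) for ps in sets))

# Constructed sample data: one plan file, one assignment role, five users.
PF, ROLE = frozenset({"Dept 100"}), "Budget Managers"
USERS = {
    "alice": ({ROLE}, [PermissionSet(ROLE, PF, "Read-Only", True)]),
    "bob":   ({ROLE}, [PermissionSet("user", PF, "No Access", True)]),
    "carol": ({ROLE}, [PermissionSet("user", PF, "Read-Only", False)]),
    "dave":  ({ROLE}, [PermissionSet("user", PF, "No Access", True, frozenset({ROLE}))]),
    "erin":  ({"Finance"}, [PermissionSet("user", PF, "Read/Write", True)]),
}

if __name__ == "__main__":
    for mode in ("all", "assigned_role_only"):
        print(mode, step_owners(USERS, "Dept 100", ROLE, mode))
```

In the sample, carol holds Read-Only access but is never selected because her permission set lacks "interacts", and bob drops out under the assigned-role-only mode because his individual set does not combine with the role.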
For more information and examples, see How plan file processes and security interact.