AX2199
Controlling access to plan files
User access to plan files in a file group is controlled by Axiom Security. Step ownership in a plan file process can also impact the level of access that a user has to a plan file at a particular point in time. This topic summarizes how plan file access is controlled by security and plan file processes.
Plan file access
For a user to be able to see and open plan files in a file group, they must have plan file permissions defined in Security, on the File Groups tab.
For each file group, a user can be assigned an access level (No Access, Read Only or Read/Write) and a filter that determines which files the access level applies to. Both the access level and the filter can be configured at the user level and/or inherited from a role. Users can also have multiple permission sets for a file group, with different access levels applying to different sets of plan files. Additional options within the permission set determine what a user can do within the plan files, such as whether the user can save data or insert a calc method.
When a user opens the Open Plan Files dialog for the file group, the list of plan files is limited to only show the files that the user can open with either read-only or read/write permission. When the user selects a plan file to open, it is opened according to the user's access level to that particular plan file. The No Access permission is effectively ignored in this context; plan files set to this level of permission do not display in Open Plan Files. No Access is only used in conjunction with plan file processes (see below) or when using "combine" role inheritance (with the intent of the combined permission resulting in a higher level of access).
Generally speaking, if a user does not have access to any plan files in a file group, then the user will not see that file group in ribbon tabs, task panes, and other areas of Axiom Platform. Even if the file group displays to the user (such as by using Show Restricted Item in a task pane), the user will not be able to open any plan files in that file group.
Ownership in a plan file process
The second level of control is ownership of the plan file in a plan file process. A plan file process is an optional feature of process management that allows you to define sequential planning steps for plan files. For each step in the process, an owner is assigned to each plan file, to carry out the task of either editing or reviewing the file. If a user is the owner of a plan file for a current process task, then Axiom Platform will "elevate" the user's permissions as necessary to allow the user to complete the task.
Using this approach, it is possible to configure a setup where a user has no access to a plan file unless they are the current owner of the file in a plan file process. If the user has a permission set with No Access and Interacts with Process Management, then under normal circumstances that user cannot see or open the plan file. However, when the user is the current owner, the user's permissions are temporarily elevated as appropriate so that the user can complete the task (for example, the permission is elevated to Read/Write and Allow Save Data for an edit task). While the task is active, the user can open and edit the plan file, and save data from it. When the user completes the task, the user is no longer the owner and the user's permissions revert to No Access.
Ownership in a plan file process can only elevate existing user permissions; it cannot reduce or remove them. If a user has been granted read/write permission to a plan file in security, then that user will always have that permission, regardless of whether they are an assigned owner in a plan file process. For more information, see How plan file processes and security interact.
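The following model of the two controls described above is an added illustration, not Axiom Platform code or its API. It shows how a security grant and step ownership combine into an effective access level, and why a No Access file appears in Open Plan Files only while the user owns an active edit task. All class, function and field names are hypothetical, and it assumes that the highest level wins when several permission sets match a file and that elevation applies only through a matching set with Interacts with Process Management enabled.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Optional

class Access(IntEnum):
    NO_ACCESS = 0
    READ_ONLY = 1
    READ_WRITE = 2

@dataclass(frozen=True)
class PermissionSet:  # hypothetical stand-in for one permission set in Security
    access: Access
    applies_to: Callable[[dict], bool]  # stands in for the permission filter
    allow_save_data: bool = False
    interacts_with_process: bool = False

@dataclass(frozen=True)
class EditTask:  # an active edit step for one plan file
    plan_id: str
    owner: str

def effective(user: str, plan: dict, sets: list, task: Optional[EditTask] = None):
    """Return (access, can_save) for one user on one plan file."""
    matching = [s for s in sets if s.applies_to(plan)]
    # Assumption: if several permission sets match, the highest level applies.
    access = max((s.access for s in matching), default=Access.NO_ACCESS)
    can_save = any(s.allow_save_data for s in matching)
    owns = task is not None and task.owner == user and task.plan_id == plan["id"]
    if owns and any(s.interacts_with_process for s in matching):
        # Ownership only raises access; max() can never lower a security grant.
        access, can_save = max(access, Access.READ_WRITE), True
    return access, can_save

def open_plan_files(user: str, plans: list, sets: list, tasks: dict) -> list:
    """IDs listed in Open Plan Files: read-only or read/write, never No Access."""
    return [p["id"] for p in plans
            if effective(user, p, sets, tasks.get(p["id"]))[0] >= Access.READ_ONLY]

# Constructed sample data (not from the product): three plan files, one user.
PLANS = [{"id": "A", "dept": 100}, {"id": "B", "dept": 200}, {"id": "C", "dept": 300}]
PAT_SETS = [
    PermissionSet(Access.NO_ACCESS, lambda p: p["dept"] == 100, interacts_with_process=True),
    PermissionSet(Access.READ_ONLY, lambda p: p["dept"] == 200),
    PermissionSet(Access.READ_WRITE, lambda p: p["dept"] == 300, allow_save_data=True),
]

if __name__ == "__main__":
    print(open_plan_files("pat", PLANS, PAT_SETS, {}))                       # no active task
    print(open_plan_files("pat", PLANS, PAT_SETS, {"A": EditTask("A", "pat")}))  # pat owns A
```

When reviewing a configuration like this, the standing Read/Write grants are the ones to audit, because ownership changes in a process never take them away.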