AX130

Configure plan file security for use with plan file processes

This section provides basic guidelines for setting user permissions when you intend to use a plan file process with the file group. There are many nuances to file group security settings and how they can interact with plan file processes, especially if you are using advanced security configurations such as multiple permission sets for plan files or the Combine option for role inheritance.

Generally speaking, you should configure security permissions for plan files to reflect the baseline permissions that you want users to have when they are not process step-owners. When users are step-owners, their permissions will be temporarily elevated as needed so that they can complete a process task. For example, a user may have read-only access to a plan file configured in security; this is their baseline permission. Yet, when the user is the step-owner of an edit step, their permission will be elevated to read/write and Allow Save Data so that they can edit and save the plan file.

Additionally, use the Interacts with Process Management setting for plan file permissions as follows:

  • If you want a user to only have access to the plan file when they are the step-owner, you can configure a permission set to the plan file with No Access and Interacts with Process Management enabled. This causes the permission set to be considered for step-ownership of a plan file even though the access level is No Access. The user must still have a plan file filter that includes the plan file.

  • If the ownership assignment is through a role, enabling Interacts with Process Management informs the process to consider this permission set when evaluating which role members should be step-owners. If Interacts with Process Management is not enabled when using a role assignment, then this permission set will be ignored by the process.

User permissions for use with a plan file process - example

The first step in configuring plan file permissions to use with a plan file process is deciding what level of permissions you want the user to have when the user is not a process step-owner. This becomes the user's perpetual baseline level of security permissions.

NOTE: All the following permission set examples assume that the user's plan file filter includes the plan file where the user is assigned as a step-owner. The user must have a configured or inherited permission set that includes this plan file. The plan file process cannot grant permissions to plan files; it can only elevate existing permissions to those files.

No Access

If you want a user to have no access to the plan file when the user is not a process step-owner, then set the permissions as follows:

  • File Access Level: No Access
  • Allow Save Data: Unchecked
  • Interacts with Process Management: Checked

When the user is a step-owner, the process elevates the user's permissions, as appropriate.

Read-only Access

If you want a user to have read-only access to the plan file when the user is not a process step-owner, then set the permissions as follows:

  • File Access Level: Read-Only
  • Allow Save Data: Unchecked
  • Interacts with Process Management: Checked if the ownership assignment comes through a role (can be left unchecked if the user is assigned directly)

When the user is a step-owner, the process elevates the user's permissions, as appropriate.

Full Access

If you want a user to have full edit rights to the plan file when the user is not a process step-owner, then set the permissions as follows:

  • File Access Level: Read/Write
  • Allow Save Data: Checked
  • Interacts with Process Management: Checked if the ownership assignment comes through a role (can be left unchecked if the user is assigned directly).

You can set these permissions at the user level, at a role level, or with some combination of the two (if using Combine role inheritance). You can enable all other plan file permissions, as appropriate, for the user. In some cases, the other permissions are only relevant when the user's access level has been elevated by the process. For example, if the user has No Access and Allow Calc Method Insert, the ability to insert calc methods is only relevant when the user is a step-owner (because otherwise they will be unable to see or open the plan file).

Enable Interacts with Process Management

When creating new permission sets for users, Interacts with Process Management is enabled by default. You can disable this permission for the user if the permission set:

  • Grants read-only access or higher.

    AND

  • Does not need to be considered when using role ownership assignments.

When creating new permission sets for roles, Interacts with Process Management is disabled by default. You should consider whether to enable the option or leave it disabled based on how you are granting permissions to users and how you are assigning step-owners. Note the following:

  • If ownership assignments are made through a role, users who belong to the role must have permission to the plan file and Interacts with Process Management enabled to be a step-owner.

  • If the role assignment is configured to consider All permissions, it is not necessary to enable Interacts with Process Management on the role to be used as the assignment. In this case, the role simply defines the pool of eligible users. If a user has any permission set with access to the plan file and Interacts enabled, they will be a step-owner.

  • If the role assignment is configured for Only permissions associated with the assigned role, either you must enable Interacts with Process Management on the role so that users in the role inherit it, or the users must have an individual permission set with the Interacts permission also configured to combine with the role.
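
The rules above can be checked against a planned configuration before a process is started. The following is an added example, not product code: a simplified Python model of the step-owner rules as stated on this page, useful for spotting role members who would be silently ignored. The class, the function names, the combines_with_role flag, the mode names and the sample users, role and plan file are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PermissionSet:
    source: str          # "user", or the name of the role the set comes from
    plan_files: frozenset  # plan files matched by the set's plan file filter
    access: str          # "No Access", "Read-Only" or "Read/Write"
    interacts: bool      # Interacts with Process Management
    combines_with_role: bool = False  # assumed flag: user set combines with the role

def considered_direct(sets, plan_file):
    """User assigned directly: a covering set counts, but a No Access set
    is only considered when Interacts is enabled."""
    return any(plan_file in s.plan_files and (s.access != "No Access" or s.interacts)
               for s in sets)

def considered_via_role(sets, plan_file, role, mode):
    """Ownership assigned through a role: sets without Interacts are ignored.
    mode "all": any of the member's sets may qualify.
    mode "role_only": only the assigned role's set, or a user set combined with it."""
    for s in sets:
        if plan_file not in s.plan_files or not s.interacts:
            continue
        if mode == "all" or s.source == role or (s.source == "user" and s.combines_with_role):
            return True
    return False

def audit_role_assignment(members, plan_file, role, mode):
    """Map each role member to whether the process would make them a step-owner."""
    return {user: considered_via_role(sets, plan_file, role, mode)
            for user, sets in members.items()}

# Constructed sample data: role set left at the role default (Interacts disabled).
FILES = frozenset({"Dept 100"})
ROLE_SET = PermissionSet("Budget Managers", FILES, "Read-Only", False)
MEMBERS = {
    "alice": [ROLE_SET, PermissionSet("user", FILES, "No Access", True)],
    "bob":   [ROLE_SET],
    "carol": [ROLE_SET, PermissionSet("user", FILES, "Read-Only", True, True)],
}

if __name__ == "__main__":
    for mode in ("all", "role_only"):
        print(mode, audit_role_assignment(MEMBERS, "Dept 100", "Budget Managers", mode))
```

In this sample, bob is never a step-owner through the role because his only permission set is the role's, which has Interacts disabled, even though the same set would be enough if he were assigned directly.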

For more information and examples, see How plan file processes and security interact.