In my case I am trying to restrict part models but allow to read idws. So, I categorize ipt & idw differently, then from your approach, they both will be in different lifecycles. I think they always will be in same lifecycle and both will be in released state also. When they are released, there should be a way to restrict viewing part files. Do you have this differently?

Like you said, if I add a flag " Read by Shop : Yes or No" and capture this info as Yes for ALL  idws. How can I show only file s those have "Yes". May be I am missing to understand something from your response.

If you don't want the shop to ever see the part files but always see the idw's, but you want them both to follow the 'same' lifecycle then you need to do the following:

Set up your lifecycle release process how you want it to be (you probably already have one)

Then copy it and name it Part Lifecycle release process (or something similar), then edit it and go to the Released state and modify the security settings for that state. Hopefully you have a specific group set up for your shop guys, then you can deny them to right to view the part files in this released state. If you don't have a group (not advised, you should always have groups set up) then you can add the individual users to the security group and deny them the right to view them. 

Please note, that not allowing them is the same as denying them. However, you may have everyone set as Read allow on the released state security, simply by adding the 'Shop' group (or username) but then not ticking any boxes based on my previous statement you would think it denies them access, but it doesn't, because they haven't been explicitly denied, whereas they have been allowed via the everyone security rule.

My point here is that if you have a user that is a member of two groups, say Design & Scheduling, then you give design explicit access to read a file in the released state, but at the same time explicitly deny the scheduling group read access. Then the result will be that user won't have read access, because Vault (& windows networking security) will prioritise a Deny over an allow. As a result you are better of 'Not allowing' to deny a group (by not ticking anything) than to explicitly 'Deny' a group from something.

So its likely that if you have a default out of the box lifecycle in use for your parts & drawings, that the Released state will have a security setting of Everyone: Read 'Allow', Modify 'Deny', Delete 'Deny'. If this is the case you will want to remove the Everyone 'group' and then add just the users/groups you want to have Read permissions and Allow them but don't deny modify or delete. This woudl give you the settings you need for the 'Parts' lifecycle release process.

Now if you want to add this process to all your part files automatically you will need to create a category specifically for parts, and use a rule like, file ends with ipt. Then as soon as a new part is added to the vault it will get categorised to the part category which has the default lifecycle you have just created.

I hope this helps.

Scott,

Thanks for explaining this so in-detail. So far I follow it fine & dont have questions. I will try this first thing in the morning. Cheers ! Have a great day.