Community
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Property Based Security

Property Based Security

Would like the ability to set security on individual properties, so that I can control who has the right to modify them at any given lifecycle state... or at all.  Right now it's all or nothing on properties.

20 Comments
ihayesjr
Community Manager
Status changed to: Future Consideration
 
BG_one
Explorer

In our environment we are using a lot user defined properties for CAD-files, items and BOMs. Some of this properties should be locked for the user. This properties are kind of "system flags" or our own system properties to store information from backgroud processes or other systems.

 

The issue what we have is that there is no posibillity available to block users to change this properties. If the user has the right e.g. to change the item he is also alowed to change all properties.

Wish is to extend the property configuration. I want to decide which user or user group has the permission to change the property.

 

Tags (3)
Anonymous
Not applicable

I like this because we have  a similar circumstance.  We have clerical people handling some of the data for drawing files, but not the data that is mapped into the drawing.  That should only be editable by our engineering/design team.

TONELLAL
Collaborator

The "Workflow based" security is :

-the document is NOT in status validated --> Workgroup Engineers canNOT see it.

-the document IS in status Validated --> Workgroup Engineers CAN see it.

 

With "Property based" security :

-Regardless the status of the document, depending the value of the "Allow sharing" property, Workgroup Engineers can or cannot see the document.

ihayesjr
Community Manager

Why not have these as state in your lifecycle?

TONELLAL
Collaborator

The goal is to manage visibility independently from the status.

From example :

  • My file is Validated, but for any reason I don't want that usergroup Engineers can see it for the moment. I don't want to create another status  strictly identical but with a different visibility. I just set the property "Enable sharing" to False.
  • My file is in Work in progress, so by default Engineers cannot see it. For any reason, I need it to be seen by engineers. I don't need to modify the status, I only set "Enable sharing" to True.

I already can do that using Object security instead of Lifcycle security just for the concerned file. But this require Administrator access. With Property based security, any user could manage this without being administrator.

Anonymous
Not applicable

Implement access level for user defined attributes.

Example: When having own user roles e.g. Project Admin this group should able to set User defined project attributes. For non-project admin users, this Attributes should be read only.

 

Anonymous
Not applicable

Hi!

In my company we have a lifecycle similar to (I will simplify) : "work in progress" --> "to be verified" --> "validated".

I would like that for the state "to be verified", some people (user name or group) can't modify the file itself in Inventor, but can change some properties I choose.

 

 

Here is the reason :

- "WIP" : R&D design a file

- "to be verified" : the method department doesn't modify the design, but add some information linked to the manufacturing machines (bending machine, ...) and also add a number which will be used in our MRP software --> the group "methods" could change the property "MRP reference", but not the property "title"

- "validated" : we produce the part and no change is allowed

 

Thank you!

Anonymous
Not applicable

Hi All!

I would like to promote the idea of installing restrictions to edit specific properties. If a user is allowed to edit a document at the moment, he is also able to edit important parts like the part number. My idea to solve that problem is to authorize certain users or groups to edit that information. The same way it works for roles or lifecycles.  If they are not on the list, they simply cannot edit the file. Regarding the part number this would cause some issues, because this information is usually automatically generated when creating the file. Therefore we need an option to specify if this rule applies to empty values or not. The part number rule for example would not apply for empty ones. That way the user can create the file with the automatically generated part number without any restrictions. Nevertheless he wont be able to edit it afterwards. Only an administrator or someone who is eligible to edit this information can edit it after the creation process.

Anonymous
Not applicable

Just found this idea, while entering the same idea.

I would add the state of the object to the security concept.

Some properties should not be changed after the first release

Eli_Dexter
Advocate

Now everybody in Vault who has sufficient permissions can modify File properties. It would be beneficial to enforce limit on who can modify a particular property. I.e.: only manufacturing manager should be able change property "Mfg Approved By". This feature will make Vault more secure.

 

Thanks

Tags (5)
ihayesjr
Community Manager

Thank you for posting your idea. The properties are ones that exist in the file which Vault will not have control for who can modify the properties. How do you think this should be handled?

Eli_Dexter
Advocate

I do not know the neither Vault data nor the code structure and therefore cannot give advice how the feature to be implemented. However, I assume that in the database table there is a fields with the file properties and in the code somewhere there is a methods that modify those fields. If that is true, that method should be modified to check the user name and privileges. So if the user meet the criteria he should be able to modify the data in the field, otherwise, error message should come up...

I do some programming and as an Idea this sound easy. But as I said above I am not know the Vault's source code and cannot decide is it 15 minutes work (as it looks from outside), or re-write of the whole program... But even then, it should be considered for some future implementations and not dismissed just because it sounds too crazy.

 

Thanks 

ihayesjr
Community Manager

Sorry, let me ask my question in a different way as I was not asking for programming advice. How do you see this working in the product from a user perspective? If the user is not connected to Vault at the time they are working with the data, how do you expect Inventor to know what properties the user can edit?

Eli_Dexter
Advocate
Now, I don't understand the question. Do you mean if the user is modifying the properties of the file from inside of the File itself? Like working within AutoCAD, Inventor, or MS Word?

I am not sure if all the file (vault) properties are available within those programs... I was thinking modifying the properties within Vault.



In either case, at the end the data will be imported (synchronized) with Vault. Then (at the time of synchronization) the above mentioned algorithm should be implemented. If some of the properties were read-only for a particular user, the message like "you do not have sufficient privileges to update some of the properties. Those properties will not be updated...". The rest of the data could be updated.



Hope this help.


ihayesjr
Community Manager

Thanks that helps.

ThomasRambach
Advisor

It would be really helpful to restrict who can edit certain properties in Vault based on a ACL list, even if the user has the ability to edit a file. This would be needed in the Vault Explorer interface for editing properties. If the property is mapped to a CAD file, then ACL restrictions would not be able to be applied.

 

 

dominik.gleinser
Advocate

Are there any news regarding this idea?

We need to block some of the UDP's in the Vault -property-list for editing. Some user-groups should not have the permission to edit certain properties. For example item values, etc. should not be editable in the Vault property section or in Inventor IProperties only with ERP-connector dialogs.

ihayesjr
Community Manager

@dominik.gleinser 

 

Future Consideration: While we’re generally a fan of these ideas, the timing isn’t quite right for development consideration. As such, they are being put on the back burner to be re-visited at a later date. Please continue to comment and add your support.

How to Post to the Idea Boards – Collaborate! - Autodesk Community - Community Topics

 

I like the idea. However, if we were to implement it, I would like to set the correct expectation. Vault could control who could write to the property from the Vault Clients. However, once the file is removed from Vault, we can't prevent the CAD application, Inventor, from allowing users to edit the properties. 

For now, I recommend making sure that the properties are set so that the value is from Vault to File. This way, the ERP Connector writes the value to Vault, and Vault will push that value to the file. 

AxelJak
Explorer

I would like to see the option Permission: "File edit user defined property" it is now not possible to assign this permission to a role. For Links and Folders it is available but not for Files and Items.

 

AxelJak_0-1678702300619.png

 

Thanks,

 

Regards,

Axel Jak
Cadac Group

 

Can't find what you're looking for? Ask the community or share your knowledge.

Submit Idea  

Autodesk Design & Make Report