Permissions
A permission is a right or authorization granted to a user or group of users to perform certain actions on a system or content. Permissions determine what a user can do with specific content, such as read, modify, create, delete or manage. Permissions can be defined in detail for each user or group, to control access to resources and guarantee data security.
Site permissions
The first step is to define site permissions. As standard, the sites reflect the different states of the product, allowing you to assign different permissions depending on the product's state. Within each site, members and their roles can be defined by clicking on “site members”. Members can be added individually or via groups.
A permission is a rule defined by :
- A user group or a user (to search for a user or a group, type the first 3 letters of the name)
- A role :
- Consumer: Can view content.
- Contributor: Can view and modify all content, create new content.
- Collaborator: Has permission to view, modify, create and delete all content.
- Manager: Authorized to view, modify, create and delete all content. Can invite people and manage site permissions.
- Version Manager: Can store a branch/version to this site and view content. (e.g.: to move a branch to its validated version, the user must be a version manager on the validated site).
| Rôle | Read Content | Edit Content | Add Content | Delete Content | Add User | Merge branch |
|---|---|---|---|---|---|---|
| Consumer | Oui | Non | Non | Non | Non | Non |
| Contributor | Oui | Oui | Oui | Non | Non | Oui |
| Collaborator | Oui | Oui | Oui | Oui | Non | Oui |
| Manager | Oui | Oui | Oui | Oui | Oui | Oui |
| Version Manager | Oui | Non | Non | Non | Non | Oui |
In the event of conflict, the most permissive access applies.
Note: We recommend that you manage permissions via groups, in order to apply rules and permissions collectively, rather than individually, which simplifies administration and access control.
Permissions in the Repository
Folder Permissions
The parent's permissions are inherited by the content, and it is also possible to add local permissions for each piece of content (e.g. a folder or document) via the “Manage permissions” button. This makes it possible to fine-tune user rights for specific folders:
Permission is the association of:
- A user group or a user (to search for a user or a group, type the first 3 letters of the name) ;
- A role:
- Consumer: Has read access to content.
- Editor: Can view and modify existing content, but cannot create new content. Contributor: Can view, modify and create new content. Collaborator: Can view, modify, delete and create content.
- Coordinator: Has permission to view, modify, create and delete all content and manage permissions.
There is also a special role called Owner, which is assigned to the creator of a piece of content. The Owner has full access to the content he or she has created. The owner role is disabled in beCPG, except for external users, and if specifically indicated on a node with the Ownable aspect. A supplier, for example, even if only a contributor, has full permissions on the content he or she has created.
| Role | Read Content | Edit Content | Add Content | Delete Content | Full Control |
|---|---|---|---|---|---|
| Consumer | Yes | No | No | No | No |
| Editor | Yes | Yes | No | No | No |
| Contributor | Yes | Yes | Yes | No | No |
| Collaborator | Yes | Yes | Yes | Yes | No |
| Coordinator | Yes | Yes | Yes | Yes | Yes |
| Owner | Yes | Yes | Yes | Yes | Yes |
In case of conflict, the most permissive access applies.
ex: 1. a user has the role of “Reader” on the site, and “Coordinator” on the folder, then he/she will have the role of “Coordinator” for all contents of the folder. 2. a user has the role of “Coordinator” on the site, and “Reader” on the folder, then the most permissive rule applies. 2. a user has the role of “Coordinator” on the site, and “Reader” on the folder, then the most permissive rule wins. He will have the role of “Coordinator” for all the contents of the folder* .
Turn off Permission Inheritance
By default, parent permissions are inherited, but it is also possible to disable permission inheritance. This means that only local permissions will be applied to this document/folder. Via the “Manage permissions” button, click on “Inherit Permissions” to disable them.
ex: 1 A user has the “Consumer” role on the site, but no authorization on the folder. Permissions inheritance is disabled. He will therefore have no role for all folder contents and will not see the folder . 2. a user has the “Coordinator” role on the site, and “Consumer” on the folder. Authorization inheritance is disabled. He will have the “Consumer” role for all folder contents .
ACL permissions
Before creating security rules, we advise you to ask beCPG.
beCPG allows you to restrict access to certain fields and/or restrict/extend access to certain lists of a type by group of users. The type can be an entity type (finished product, raw material, semi-finished ...) or a list (Composition, Cost, Nutrient...). To do this, go to the “Security” System folder in the administration and create a folder. This folder corresponds to a group of permissions (ACL permissions) applied to a type in beCPG.
Once the folder has been created, it becomes a ACL permissions, edit its properties and choose the type for which the permission is activated:
ex: Here we choose to create permissions on the “Finished product ” type.
Permissions
In the “Permissions” list, define access rights for each property. Three access rights can be set:
- Read - No access for others: Only read rights, other groups have no access to fields.
- Read and write - Read for others: Read and write rights, other groups will only have read rights.
- Read and write - No access for others: Read and write rights, other groups have no access to fields.
Application of rules
ACL permissions are immediately applied in the beCPG interface on the site.
Permission on fields
Add new permissions to the data list using the “Add” button. Select the access right, property name and group:
Reminder: Access rights restrict inherited permissions, not extend them (ex: restrict a read-write right). It is not possible to extend rights on a field (ex: open a read/write right* ).
List permissions
In the properties, an entity's lists are also available. You can therefore define specific access rights (ex: hide cost list). It is also possible to extend access to lists. In this case, beCPG needs to make changes to “enable security rule”.
Local Permissions
It is also possible to implement local permissions to specifically target certain products.
To do this, proceed through editing the properties of the security rule and click on the "Local Permission" button.
For the application of the rule to the products of your choice, two methods are available:
- Manually add the rule to products: This approach allows you to individually select the products that require permissions. Simply access the product in question in beCPG and directly apply the permission rule to it. First, verify that the security aspect is among the currently selected aspects. If not, add the aspect , Click here Adding this aspect conditions the appearance of the "Security Rule" field in the product properties. Then manually add the rules created at the administration level.
- Add the rule automatically via a SPEL formula which defines the conditions of application. This formula, based on criteria specific to each case, can be applied to a product model to enable more efficient management on a large scale. example: you can create a formula to apply the security rule to all finished products with a specific model. This method ensures that permissions are correctly assigned without the need for repetitive manual intervention.
Read only by default
By checking the “Read only by default” parameter, all lists and fields of the type are considered read-only by default if no permissions exist on them.
Supplier portal permissions
When an entity is assigned to a supplier, it is moved to the supplier's folder in the supplier portal site. In this folder, all accounts linked to the supplier are set to “Coordinator”.
An external user must not be a member of any site.
Permissions on reports
It’s possible to define rights on technical sheets so that their consultation and/or their edition is rigorously managed.
For that purpose :
- Go to: Repository> System> Reports> Product reports;
- Select the folder corresponding to the type of products of which you want to manage the technical sheets (finished product, raw material …);
- Place the cursor on the line corresponding to the concerned technical sheet and click on « More » and then on « Manage permissions »;
- If the default configuration doesn’t suit you, which means that you don’t want everybody to have the right to consult the technical sheet as a « Consumer », click on « Inherit permissions ». Thus, the logo turns from « Check » sign to « No entry » sign so that you can administrate your own rights.
- Click on « Add a user/group » to give rights only to some users or groups on this technical sheet. Once the user or the group selected, give it a rôle (consumer, collaborator etc.);
- Click on « Save »;
- Finally, place the cursor on the line corresponding to the technical sheet and click on « More » and then on « Update permissions ».
Permissions on projects
beCPG enables to define rights on projects:
Either on folders which specifically contain projects. For that purpose, consult the documentation concerning the permissions on folders, available here
Either on individual projects. For this matter:
Place the cursor on the line corresponding to the project and click on « More » and then on « Manage permissions »;
- If the default configuration doesn’t suit you, which means that you don’t want everybody to have the right to consult the project as a « Consumer », click on « Inherit permissions ». Thus, the logo turns from « Check » sign to « No entry » sign so that you can administrate your own rights ;
- Click on « Add a user/group » to give rights only to some users or groups on this project. Once the user or the group selected, give it a rôle (consumer, collaborator etc.);
- Click on « Save » ;
N.B : a user or a group of users defined as « Consumer » on a project won’t have the right to add new tasks neither to modify or delete tasksUNLESS they are assigned to these tasks !
Depending of their rights, users won't have the same access. For example, a consumer won't have the right to modify a task if the task is not assigned to him.
However, the user can modified tasks which are assigned to him.
Permissions on folders in the document list
It is possible to define rights on folders contained in the Documents list of entities (e.g. deleting the inheritance of permissions on a folder and then creating specific permissions). Permissions are defined at template level and apply to all entities associated with the template.
Permissions are applied when entities are created, or to existing entities when they are formulated, or when models are synchronized.
When synchronizing templates, folder rights for existing entities are synchronized:
Either folders do not exist: they are created with the associated permissions.
Either the folders exist: if the spelling of the folders is identical, the permissions are updated.
If the entities contain folders different from those present in the model:
either folders are empty: they are simply deleted
or folders are full: they are retained, but automatically inherit the permissions of the parent folder. If bridging rights had been previously determined, they will be deleted.
N.B.: Subfolders inherit the permissions of the folder in which they are contained.
Permissions on change orders
If you want to create a change order, you need to have the right permissions.
There are 2 different permissions :
- beCPG Change orders creators (CreateChangeOrder) : you can create a change order but you can not apply one.
- beCPG Change orders managers (ApplyChangeOrder) : you can apply a change order.
beCPG Change orders managers and the administrator are the only ones able to apply a change order.
How to change users permission: see here