To implement role-based security on a particular object, attach a role to the object, then assign a person, group, company, or all users to that role on the object. For example, for each item catalog category, you can specify which people can create items by assigning them the Catalog Category User role on the item catalog category.
To implement role-based security on a user-defined attribute group, assign people to an item role containing custom privileges for the attribute group.
Create roles. See: Administering Roles
Optionally, create groups. See: Administering People, Groups, and Companies
Depending on their assigned role, people can assign items to a catalog or view the catalog hierarchy. You can assign either of the following seeded roles to people in a catalog:
Catalog Manager
The Catalog Manager role enables users to view the catalog hierarchy and also enables them to assign items to this catalog.
Catalog Viewer
The Catalog Viewer role enables users to view the catalog hierarchy, but they cannot assign items to it.
On the Search: Item Catalog Categories page, click the Catalogs tab.
On the Search: Catalogs page, select the catalog to which you wish to assign people.
On the Basic Information page for the catalog, click the "People" link.
On the People page, click Update. After the page refreshes, click Add Another Row.
After the Update People page refreshes, select a role, the type of people to use the role, and the name of the company, group, or person given the role on the catalog. Specify a start date and, optionally, an end date.
Click Apply.
To delete people from a catalog
In the Update People page, select a row and click Remove.
Click Apply.
Note: There are no seeded roles for the catalog category object. You must create a role for the catalog category before you can assign people.
On the Search: Item Catalog Categories page, click the Catalogs tab.
On the Search: Catalogs page, select the catalog containing the category to which you wish to assign people.
On the catalog's Basic Information page, click the Categories link on the left side of the page.
The Categories page displays the valid categories for the selected catalog.
Click on the name link of the valid category to which you wish to assign people.
On the Category Details page, click the People link.
On the People page, under the Category People heading, click Update. After the page refreshes, click Add Another Row.
After the Category People page refreshes, select a role, the type of people to use the role, and the name of the company, group, or person given the role on the catalog. Specify a start date and, optionally, an end date.
Click Apply.
To delete people from a catalog category
In the Category People page, select a row and click Remove.
Click Apply.
You can grant a person, group or company a specific role for a group. You must have the Manage Groups privilege for the group in order to grant others a role on the group.
In the Applications tree menu, click People, Groups and Companies.
Click the Groups tab.
On the Groups page, click My Own Groups or search for a group for which you have the Manage Groups privilege.
Click on a group name.
In the Group Details page, under the Group People heading, click Update.
In the Update Group People page, click Add Another Row.
Select a role, the type of people to use the role, and the name of the company, group, or person given the role on the group. Specify a start date and, optionally, an end date.
Click Apply.
You can assign roles for certain users directly to a single item or assign roles indirectly using roles inherited from the following objects that contain the item:
an alternate catalog
an alternate catalog category
an item catalog category
an organization
In the Applications tree menu, use either the "Simple Search" or "Advanced Search" links to search for the item to which you wish to add people.
Click the item's link in the search results.
On the item's Overview page, click People.
On the Item People page, click Update.
Note: You can only update the People page for an item from within the master organization.
On the Update Item People page, click Add Another Row. Provide the following information:
Role
Specify the role of the person you are adding.
Type
Specify the type of person you are adding (All Users, Company, Person, Group).
Name
Enter the name of the company, person, or group.
Start Date
Specify the date on which the person/group gains access to the item.
End Date
Optionally, specify the date on which the person/group no longer has access to the item.
Click Apply.
You can grant roles to people by item catalog category for all organizations or by item catalog category in a particular organization. Item catalog categories at a lower level in the catalog hierarchy inherit roles granted to people at a higher level item catalog category. You cannot remove or edit inherited roles.
Navigate to the Setup Workbench. On the Item Catalog Categories page, search for and select an item catalog category.
On the Basic Information page, click the People link.
To assign people to an item catalog category for all organizations
On the People page, under the Item Catalog Category People heading, click Update.
This updates roles for the item catalog category across all organizations.
In the Edit People page, click Add Another Row. Provide the following information:
Role
Specify the role of the person you are adding.
Type
Specify the type of person you are adding (All Users, Company, Person, Group).
Name
Enter the name of the company, person, or group.
Start Date
Specify the date on which the person/group gains access to the item catalog category.
End Date
Optionally, specify the date on which the person/group no longer has access to the item catalog category.
Click Apply.
To assign people to an item catalog category for a particular organization
On the People page, under the Item People heading, search for and select an organization.
Under the Organization field, click Update.
This updates roles for the item catalog category only in the selected organization.
In the Edit Item People page, click Add Another Row. Provide the following information:
Role
Specify the role of the person you are adding.
Type
Specify the type of person you are adding (All Users, Company, Person, Group).
Name
Enter the name of the company, person, or group.
Start Date
Specify the date on which the person/group gains access to the item catalog category.
End Date
Optionally, specify the date on which the person/group no longer has access to the item catalog category.
Click Apply.
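The inheritance rules described above (roles reaching an item from its organization and item catalog category, and lower-level categories inheriting from higher-level ones) can be modelled for an access review. This is an added example, not Oracle code: the object names, people, group and grants are constructed, alternate catalogs are left out, and treating the End Date as the first day without access is an assumption.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Grant:
    role: str
    grantee: str                 # person, group, company, or "All Users"
    obj: str                     # object the grant was made on
    start: date
    end: Optional[date] = None   # End Date is optional

    def active(self, on: date) -> bool:
        # Assumption: access stops on the End Date itself.
        return self.start <= on and (self.end is None or on < self.end)

# Constructed sample data (all names hypothetical).
PARENT = {"icc:Motherboards": "icc:Computer Components",
          "icc:Computer Components": None}
ITEMS = {"item:MB-100": {"org": "org:M1", "icc": "icc:Motherboards"}}
GROUPS = {"Engineering": {"kim"}}
GRANTS = [
    Grant("Design Engineer", "Engineering", "icc:Computer Components", date(2024, 1, 1)),
    Grant("Engineering Manager", "kim", "org:M1", date(2024, 1, 1)),
    Grant("Supplier Engineer", "pat", "item:MB-100", date(2024, 3, 1), date(2024, 7, 1)),
]

def sources_for(item: str) -> list:
    """The item itself, its organization, and its category plus every ancestor."""
    info, chain = ITEMS[item], []
    cat = info["icc"]
    while cat is not None:
        chain.append(cat)
        cat = PARENT.get(cat)
    return [item, info["org"]] + chain

def effective_roles(item: str, person: str, on: date) -> list:
    """Sorted (role, granted_on, inherited) tuples active for person on a date."""
    principals = {person, "All Users"} | {g for g, m in GROUPS.items() if person in m}
    srcs = sources_for(item)
    return sorted((g.role, g.obj, g.obj != item) for g in GRANTS
                  if g.obj in srcs and g.grantee in principals and g.active(on))

def open_ended(item: str) -> list:
    """Grants reaching the item that have no End Date: candidates for review."""
    srcs = sources_for(item)
    return sorted((g.role, g.grantee, g.obj) for g in GRANTS
                  if g.obj in srcs and g.end is None)
```

Rows flagged as inherited are the ones that cannot be removed or edited from the item or lower-level category; they have to be changed on the object where the grant was made.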
You can grant a specific role to a certain person, group, company, or all users that applies to all items in an organization. This is useful when you want to grant one person access to many items.
Note: You can grant organization-level roles if you are assigned the Item Administration function through one of your responsibilities.
If you cannot grant organization-level roles, then contact your system administrator. For more information, see:
Excluding functions in the Menu Exclusions tab, Responsibilities Window.
In the Applications tree menu, click Setup Workbench.
On the Item Catalog Categories page, click the Security tab.
On the Organization Roles page, select an Organization to which to grant a role and click Go. The table returns all people, groups and companies who have been granted roles in the selected organization.
Click Update.
On the Update Organization Roles page, click Add Another Row. A new row appears in the table. Enter the following information:
Role
Select a role for this grant.
Type
Select the type of grant: a grant to a single person, a group, a company, or all users.
Name
Enter the name of the person, group, or company to which you are making this grant.
Start Date
Select a start date from which this grant is effective.
End Date
Select an end date on which the grant will no longer be effective.
Click Apply.
To revoke a specific role from a person for all items in the organization
On the Update Organization Roles page, select the person(s) or group(s) whose role you wish to delete, and click Remove.
Click Apply.
To edit a role grant of a person for all items in an organization
On the Update Organization Roles page, select the person or group whose role you wish to edit, and provide a new start date or end date.
Click Apply.
When implementing role-based item security, you can create custom privileges to control the view and edit permissions for specific item attribute groups. You can control which users can view and/or edit certain attribute groups for an item by assigning a role granting those specific privileges. By default, an item role's View Item and Edit Item privileges control whether or not you can view or edit item attributes that are not controlled specifically at the item attribute group level. In other words, when implementing item security you do not have to specify a view or edit privilege for each item attribute group.
Example: Attribute Group Security
Suppose your company is designing, along with your supplier, a new motherboard for its next generation of desktop computers. To improve design collaboration you would like to securely share item information about the motherboard - both internally between departments and externally with your suppliers and contract manufacturers. The Supplier Engineer should only be able to view specific item attribute groups such as the Technical Specifications. The Supplier Engineer should not be able to view the Market Research attributes. The Engineering Manager and Marketing Manager should be able to view and edit the Market Research attributes, while a Design Engineer should only view the Market Research attributes. There are three sets of Market Research attributes (attribute groups): Key Metrics, Target Markets, and Competitors.
Select the Application Developer responsibility, navigate to the Form Functions form, and create Form Functions for each privilege that controls view and edit permissions for the Market Research attribute groups. See: Creating Custom Privileges.
Select the Development Manager responsibility and navigate to the Setup Workbench. In the Attribute Group Details page for each Market Research-related attribute group (for example, Target Markets) specify the View Privilege (for example, View Target Markets) and Edit Privilege (for example, Edit Target Markets) in the Business Entities region.
On the Item Role Detail page for the Marketing Manager and Engineering Manager roles, grant the following privileges:
View Target Markets
View Key Metrics
View Competitors
Edit Target Markets
Edit Key Metrics
Edit Competitors
For the Design Engineer role, grant the following privileges:
View Target Markets
View Key Metrics
View Competitors
Do not grant any of the Market Research privileges to the Supplier Engineer role.
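The Market Research scenario can be checked as an access matrix, including the case where one attribute group is left without its View and Edit privileges and so falls back to the role's View Item and Edit Item. This is an added example, not Oracle code: which roles hold View Item and Edit Item, and Technical Specifications having no privileges of its own, are assumptions.

```python
MR_GROUPS = ["Target Markets", "Key Metrics", "Competitors"]

def mr(kind):
    """'View'/'Edit' privilege names for the three Market Research groups."""
    return {f"{kind} {g}" for g in MR_GROUPS}

# Role -> granted privileges. The Market Research grants follow the page;
# which roles hold View Item / Edit Item is an assumption of this example.
ROLES = {
    "Engineering Manager": {"View Item", "Edit Item"} | mr("View") | mr("Edit"),
    "Marketing Manager":   {"View Item", "Edit Item"} | mr("View") | mr("Edit"),
    "Design Engineer":     {"View Item", "Edit Item"} | mr("View"),
    "Supplier Engineer":   {"View Item"},
}

# What the page's scenario requires on Market Research groups: (view, edit).
REQUIRED = {
    "Engineering Manager": (True, True),
    "Marketing Manager":   (True, True),
    "Design Engineer":     (True, False),
    "Supplier Engineer":   (False, False),
}

def attribute_groups(secured):
    """Group -> {action: privilege or None}. None means no privilege is set on
    the attribute group, so the item-level privilege decides."""
    groups = {"Technical Specifications": {"View": None, "Edit": None}}
    for g in MR_GROUPS:
        on = g in secured
        groups[g] = {a: f"{a} {g}" if on else None for a in ("View", "Edit")}
    return groups

def allowed(role, group, action, groups):
    needed = groups[group][action] or f"{action} Item"   # default fallback
    return needed in ROLES[role]

def violations(groups):
    """(role, group, action) triples where actual access differs from REQUIRED."""
    out = []
    for role, (view, edit) in REQUIRED.items():
        for g in MR_GROUPS:
            for action, want in (("View", view), ("Edit", edit)):
                if allowed(role, g, action, groups) != want:
                    out.append((role, g, action))
    return sorted(out)
```

Calling `violations(attribute_groups(["Target Markets", "Key Metrics"]))` shows that skipping the privilege assignment for Competitors exposes that group to any role holding View Item or Edit Item.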