Manage roles - SmartPlant Foundation - IM Update 48 - Help - Hexagon

SmartPlant Foundation Help

SmartPlant Foundation / SDx Version: 10
SmartPlant Markup Plus Version: 10.0 (2019)
Smart Review Version: 2020 (15.0)

Once you have created a new role, you must configure its management and its relationships to access groups.

Manage access groups to a role

Roles are related to a set of access groups with domains and owning groups optionally configured on these relationships. The relationships can be configured in a number of ways:

  • When creating the relationships through drag and drop (access group onto role) or updating it using Edit Relationships, select the Maintain Attributes link on the confirmation dialog box to display a form with the details shown below.

  • Use the Manage Access Groups command from the role.

    This GUI allows for the assignment of access groups to the role and list editing of the relationship properties.

The following subsections describe what these options are used for and how best to configure them.

Roles manage other roles

A user can assign other users to the roles that the user's own role manages. For example, a user in a Project Manager role may be able to assign engineers to that project, but this role does not need to allow assignment of other project managers. You can use the Update command to view or edit the roles being managed by another role. You can also use the Update command to view or edit the roles that manage other roles.

The examples below show the Manage role and Managed by role sections of the Update dialog box for the Engineer role. The role does not manage other roles because none are selected in the Manage role list. The role is managed by the roles selected in the Managed by role list.

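[Figure: Manage role section of the Update dialog box for the Engineer role]

[Figure: Managed by role section of the Update dialog box for the Engineer role]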

Configure query domains for the role

The domains accessible for query are all the domains configured on the role-to-access group relationships for the user and all their dependent domains.

The typical way to do this is to relate the top-level domain to the role's VIEWONLY access group relationship. For example, the Document Controller's VIEWONLY access group has the SPFAUTHORING domain linked to it. The SPFAUTHORING domain is the top domain in the hierarchy for interactive SmartPlant Foundation users, as described in more detail in Domains. This means that this domain and all its dependent domains are accessible.

At least one domain must be configured on the role/access group relationships; otherwise, the user cannot access any domain information.

Restrict method access by object ownership

You can restrict method access based on the ownership of an object.

The access granted by any access group in a role can be restricted to a set of owning groups by identifying them on the role/access group relationship. This enables the same access group to be used in different roles on different sets of data identified by their owning group.

The most typical use of this is to restrict access to documents and data by their department or discipline by using the owning groups to represent a department or discipline.

To restrict access to a method by owning group, you must set the "Filter by ownership" property on the relevant method/access group relationships as described previously.
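The query-domain and ownership rules above can be checked against an exported configuration. The following is an added example, not SmartPlant Foundation code or its API: it models the rules in plain Python so a reviewer can spot roles with no domain configured and confirm that an ownership filter blocks what it should. The access group `DOC_EDIT`, the owning groups, the dependent domains `DOMAIN_A` to `DOMAIN_C`, the role `EXAMPLE_ROLE_NO_DOMAIN`, and the treatment of an empty owning-group list as "no restriction" are all assumptions made for illustration.

```python
# Illustrative model only; not SmartPlant Foundation code or its API.
from dataclasses import dataclass, field

# Constructed hierarchy: domain -> directly dependent domains.
# SPFAUTHORING is named on the page; DOMAIN_A/B/C are placeholders.
DEPENDENTS = {"SPFAUTHORING": ["DOMAIN_A", "DOMAIN_B"], "DOMAIN_B": ["DOMAIN_C"]}

@dataclass
class RoleAccessGroupRel:
    access_group: str
    domains: set = field(default_factory=set)        # optional on the relationship
    owning_groups: set = field(default_factory=set)  # optional on the relationship

@dataclass
class MethodGrant:
    access_group: str
    filter_by_ownership: bool = False  # the "Filter by ownership" property

def query_domains(rels):
    """Union of configured domains plus all of their dependent domains."""
    seen, stack = set(), [d for r in rels for d in r.domains]
    while stack:
        d = stack.pop()
        if d not in seen:
            seen.add(d)
            stack.extend(DEPENDENTS.get(d, []))
    return seen

def can_run_method(rels, grants, object_owning_group):
    """True if any access group held by the role grants the method here."""
    by_group = {r.access_group: r for r in rels}
    for g in grants:
        rel = by_group.get(g.access_group)
        if rel is None:
            continue  # the role does not hold this access group
        # Assumption: no owning groups listed means no ownership restriction.
        if not g.filter_by_ownership or not rel.owning_groups:
            return True
        if object_owning_group in rel.owning_groups:
            return True
    return False

def roles_without_domains(roles):
    """Names of roles whose relationships carry no domain at all."""
    return sorted(n for n, rels in roles.items() if not query_domains(rels))

# Constructed sample configuration (hypothetical names except VIEWONLY).
DOC_CONTROLLER = [RoleAccessGroupRel("VIEWONLY", {"SPFAUTHORING"}),
                  RoleAccessGroupRel("DOC_EDIT", owning_groups={"PIPING"})]
NO_DOMAIN = [RoleAccessGroupRel("VIEWONLY")]
ROLES = {"Document Controller": DOC_CONTROLLER, "EXAMPLE_ROLE_NO_DOMAIN": NO_DOMAIN}
EDIT_GRANTS = [MethodGrant("DOC_EDIT", filter_by_ownership=True)]
```

Roles returned by `roles_without_domains` are the ones whose users cannot access any domain information, and a `False` from `can_run_method` for an object outside the listed owning groups confirms the filter is effective.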