For more information about configuring security features such as access groups and domains, see How to Configure the Security Model.
Security is configured to ensure users see only the items to which they should have access. This access differs for internal and external organizations. Two access groups are used to define these rules:
- SDACompanyFilter – This is used on internal company roles.
- SDAContractorFilter – This is used on external contractor roles.
The central security rules are configured to access documents and comments. The SDACompanyFilter is used on rules that allow the users to see the documents from any organization as long as their security level permits it. The SDAContractorFilter is used on rules that allow the users to see the documents from their organization as long as their security level permits it.
The relationship between methods and access group conditions governs who can edit what and when.
- The majority of roles have a relationship to the FDWDocEditByOrg access group. This is used in most of the conditions on updating methods; for example:
  - It is only possible to edit documents originating from their organization.
- The global document control role also has the SDADocEditANYOrg access group.
  - The conditions on the updating methods also include a test of: OR Instr(Env.ACCESSGROUPSFORUSERINCREATECONFIG, 'SDADocEditANYOrg')>0.
  - This means that if the user is in a role that is related to the SDADocEditANYOrg access group, they can edit documents from other organizations.
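The edit condition described above, modelled as an added example (not the product's own configuration or code), with an audit that flags access group names that would satisfy the substring test without being SDADocEditANYOrg itself. It assumes the environment value is a comma-separated list of access group names and that Instr compares case-sensitively; the contractor role names and the group SDADocEditANYOrgViewOnly are constructed for illustration.

```python
from typing import Dict, List

# Access group name taken from the condition quoted on the page.
TOKEN = "SDADocEditANYOrg"


def instr(haystack: str, needle: str) -> int:
    """Instr semantics: 1-based position of needle, 0 when absent."""
    return haystack.find(needle) + 1


def can_edit(user_org: str, doc_org: str, access_groups_env: str) -> bool:
    """Own-organization edit, OR the substring test from the page.

    The own-organization comparison is an assumed form of the
    FDWDocEditByOrg condition.
    """
    return user_org == doc_org or instr(access_groups_env, TOKEN) > 0


def colliding_groups(all_group_names: List[str]) -> List[str]:
    """Group names that contain the token but are not the token itself."""
    return sorted(g for g in all_group_names if TOKEN in g and g != TOKEN)


def audit(roles: Dict[str, List[str]], sep: str = ",") -> Dict[str, str]:
    """Classify each role by what the substring test would grant it."""
    result = {}
    for role, groups in roles.items():
        env = sep.join(groups)  # assumed layout of the environment value
        if instr(env, TOKEN) == 0:
            result[role] = "own-org"
        elif TOKEN in groups:
            result[role] = "any-org"
        else:
            # Substring matched a differently named group: unintended grant.
            result[role] = "any-org (name collision)"
    return result


# Constructed sample role-to-access-group mapping.
ROLES = {
    "Global Document Control": ["FDWDocEditByOrg", "SDADocEditANYOrg"],
    "Contractor Engineer": ["FDWDocEditByOrg", "SDAContractorFilter"],
    # Hypothetical group whose name embeds the token.
    "Contractor Reviewer": ["FDWDocEditByOrg", "SDADocEditANYOrgViewOnly"],
}
```

Running `audit(ROLES)` before adding or renaming an access group shows whether any role would gain cross-organization edit rights through the name alone.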
The document, tag, work package, and communication forms have access control configured by access group with sections configured for different roles.
- The majority of roles have a relationship to the SDAByMyOrgOnlyFormAccess access group that is related to sections in which the originating organization display items are read-only. This access control ensures that the users can create items only from their own organization.
- The global document control role also has a relationship to the SDAProjComsEditANYOrg access group.
  - This gives access to editable display items for originating organizations on documents and tags.
  - This also gives access to editable display items for the From User on project communications. However, the From Organization is still read-only, because the role cannot create project communication items that come from other organizations. The only exception is an internal transmittal, which can be used to record the receipt of documentation when submittals are not used.
Markup access is governed in a different way. The LimitViewMarkup method has conditional access so the users can see only markup layers that are created by users of their organization.