Understanding information access - SmartPlant Foundation - IM Update 46 - Help - Hexagon

SmartPlant Foundation Web Client Help

Language: English | Product: SmartPlant Foundation | Category: Help | SmartPlant Foundation / SDx Version: 10

What you see and can do in the Web Client depends on how your administrator configures your system and your security permissions. Administrators use the security model to do the following:

  • Create users, access groups, and role assignments

  • Assign users to roles and associate roles with access groups, which determine the access to features, commands, plants and projects

  • Create plant or project scopes, known as configurations, which determine what data you can view, create, and modify

    Configurations are used to manage controlled change to data. The top-level configurations are usually plants with projects underneath.

  • Create and enforce security rules

What are the rules for configuring access?

Roles

  • Existing access groups cannot be removed.

  • Existing roles can be extended with custom access groups.

  • New roles can be created and configured with existing or new access groups.

Command and relationship access

  • Method, API Entry Point, and relationship access is granted by access groups, which can be removed or replaced.

  • Each role has a role-specific access group to allow commands to be specifically exposed to each role.

  • You can remove a method from an access group that is on many roles and add it to a role-specific access group to limit its availability.

  • The conditions used on the methods cannot be changed, as they can appear in many different locations.

  • You can create new access groups to expose new methods, API Entry Points, and relationships.
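The third rule above (moving a method from a shared access group to a role-specific one) only narrows availability if no other access group still grants the method to other roles. The sketch below is an added example, not SmartPlant Foundation code: the role, access group and method names are constructed, and the "<role>-specific" naming is an assumption made for illustration.

```python
# Illustrative model only: all role, access group and method names are
# constructed, and none of this is SmartPlant Foundation code or its API.

def roles_exposing(method, roles, groups):
    """Sorted names of roles whose access groups grant `method`."""
    return sorted(role for role, names in roles.items()
                  if any(method in groups[g] for g in names))

def restrict_method(method, shared_group, role, roles, groups):
    """Move `method` from a shared access group to `role`'s own group.

    Returns new (roles, groups); the inputs are not modified.
    Assumption: the role-specific group is named "<role>-specific".
    """
    if role not in roles:
        raise KeyError(role)
    if method not in groups.get(shared_group, set()):
        raise ValueError(f"{method!r} is not granted by {shared_group!r}")
    own = f"{role}-specific"
    new_groups = {name: set(methods) for name, methods in groups.items()}
    new_groups[shared_group].discard(method)
    new_groups.setdefault(own, set()).add(method)
    new_roles = {name: list(names) for name, names in roles.items()}
    if own not in new_roles[role]:
        new_roles[role].append(own)
    return new_roles, new_groups

def still_granted_elsewhere(method, role, roles, groups):
    """Roles other than `role` that still expose `method` after a move."""
    return [r for r in roles_exposing(method, roles, groups) if r != role]

# Constructed sample configuration: access group -> methods, role -> groups.
GROUPS = {
    "ViewAndQuery": {"QueryDocuments", "ViewHistory"},
    "DocControl": {"QueryDocuments", "DeleteDocument"},
    "DocController-specific": set(),
}
ROLES = {
    "Engineer": ["ViewAndQuery", "DocControl"],
    "DocController": ["ViewAndQuery", "DocControl", "DocController-specific"],
    "Viewer": ["ViewAndQuery"],
}

if __name__ == "__main__":
    print(roles_exposing("DeleteDocument", ROLES, GROUPS))
    r, g = restrict_method("DeleteDocument", "DocControl", "DocController", ROLES, GROUPS)
    print(roles_exposing("DeleteDocument", r, g))
```

A non-empty result from `still_granted_elsewhere` after a move means another shared access group still grants the method, so the change did not limit its availability.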

Security rules

  • Security rules provide conditional access to data items by access group. These rules can be freely edited. For example, you can change a rule's conditional filter or access group.

How do I know which roles and configurations I can use?

You can see which roles and configurations you can use in two different ways:

  • You can see which roles and configurations are currently being used in the upper right corner of the Web Client. Select Query, Create, and Role to view the options available to you.

  • Select Settings, and then Scope to view your configurations, or select Roles to view which roles are available to you.

I can create an object in Plant A, but not in Plant B. Why?

You can only create objects in a single configuration at a time – this is called the create scope. If Plant A was selected as your create scope, it is the only configuration in which you can create objects. You can query objects in Plant B, but you won’t be able to create objects in that plant (unless you switch your create scope to Plant B).

Which security features determine what I can see or do in the system?

What you can see or do is determined by which objects you need to see and which actions you need to perform to do your job.

Your administrator can use many different components of the security model to control what you can do or see in the system.

| Security model feature | What it does |
| --- | --- |
| Role and role assignment | Determines your level of access to data and functionality in a specific plant or project configuration. You can belong to more than one role per configuration. Roles are associated with related access groups, domains, and owning groups. |
| Access group | Determines what actions you can perform in the system and which functional components you can access in your system. Users are related to roles, which are related to access groups. |
| Security rule | Limits the types of data that you can query in the system. Your associated access groups are used to determine which security rules are relevant. |
| Owning group | Sets up ownership of data, typically by department or discipline, and controls your access to an object or parts of an object based on its ownership. Objects can be owned by a user or by an owning group. Owning groups are associated with roles. The default owning group is engineering, to which everyone has access. |
| Configuration | You can be assigned different roles in different plants and projects. You can create and manipulate data in a single plant or project. This is also known as the create scope. Objects created in projects are not visible from parallel projects or the parent plant. You can query across multiple plants and projects. This is also known as the query scope. |

Why do I get a restriction exception when I query certain data types?

What you can query for, or how you can navigate to certain data types in the database, is controlled by restrictions related to various user and role types. If you receive a restriction exception message and believe you should have access to the data you're querying, contact your system administrator. For more information, your system administrator should see Restriction exception error on query or navigation.