galderson - Friday, January 6, 2012 1:13 PM:
Hello,
I have a question surrounding configuration of Item Types, Life Cycles, and Relationships with Product Engineering in relation to security. I understand the general concepts apart from each other but I'm struggling with the correct way to design the data model based on Aras' capabilities (i.e. the most efficient design and easiest to maintain). I apologize in advance if I'm missing some easy way to do this as I'm new to Aras. I'm simply exploring the tool to evaluate potential future use at our company.
Our security requirements are across two general areas... One according to life cycle state and another according to product hierarchy. As an example, user A can discover and get Document 123 at a released state in Product X. But user A can only discover Document 123 at an In Review state in Product X. Also, user A can only discover Document 234 at any state because it is in Product Y.
So, if I have user A created as a member of a group identity named "A Users", I know I can relate that group identity to the permissions built for the Product X and Product Y products. Thus all "A Users" will have discover and get for Product X and only discover for Product Y. I believe I can force the "Use Src Access" to extend that to all related items in both products (i.e. down through models to parts to bom parts, documents, etc.).
I'm struggling on how life cycle ties in properly. Because if I set up a life cycle for parts or documents and provide general get access for "All Employees" at released state, it adds get access to the Product Y parts and documents. So it makes me feel as if I have to create separate life cycles, documents, parts, etc. per product to properly control security. Am I missing a more efficient way to configure this?
Any feedback is appreciated. Thank you.
galderson - Monday, January 9, 2012 11:28 AM:
Just to add to this after reviewing documentation further, I have discovered that life cycle permissions override generic item type permissions when a state change occurs throughout the life of the item instance. So, it seems that all permissions and security need to be designed through the life cycle itself. It's not a matter of how life cycle ties in; it's a matter of how the life cycle itself is configured.
So my question becomes: What is the best or most efficient way to configure a life cycle for any given item where I don't simply want blanket permissions set for all users? It seems to me that I may need to create an item type for each part by product and then create an appropriate life cycle with product-based permissions to apply to each of those parts. I would hope there would be a more efficient way to design this as all life cycles will be identical, so any change in life cycle or security may require a lot of overhead and work to maintain.
Again, any input or feedback is appreciated.