Project Level Security Solution
Requirement: provide item access based on the project that owns it. If an item is owned by Project X, then only members of Project X with appropriate access privileges can access it.
The problem with handling this in the standard security model is that criteria cannot be defined with “variables” e.g. If item 1 is owned by Project ? and User is member of Project ? then grant access – You have to write a separate criteria for each individual project and add those criteria to all relevant privileges.
The requirement can be met with a PX at least to manage for Read access and higher. Discovery is more complicated to manage.
Has anyone implemented a similar solution? If so what was your approach?
Sure. Use user groups and a multi-list field of the user groups on the item called, “Access Control”. If the user is a member of any of the user groups in the “Access Control” field then allow them to discover the item. The criteria is:
Parts “Page Two.Access Control” Contains Any $USERGROUP
By using a variable you can create this once and have everyone (partners) use it in a role. That would be one role that all partners would use.
I have tried this and I went ahead and ran through the whole exercise again. When I get down to the criteria for the Page 2 attribute
1- Contains Any is not a “Match If” option although “in” is
2- The Value choice comes up with a Search box that is looking for specific values from the User Group list and $Usergroup is not accepted. There is no way to enter $Usergroup as the Value.
Is there some magic that gets around this? Or is this just something you would logically expect to do but can’t because of the Agile limitations?
The criteria is just as above and $USERGROUP is one of the choices to pick from. That you are not getting a “Contains Any” match if seems to indicate something is not right with the field or list. If you are only getting an “In” then that sounds like a single value list field–should still work. Are you using the out-of-box “User Groups” list?
The program manager of an NPI project team is tracked with users and user groups, which is easy for reporting; using package objects, one can track changes and items associated with the project.
I came across this bug related to displaying users not associated with a user group in Agile 9.3.2. This required the 9.3.2.44 and 9.3.2.105 hotfixes. Later it also results in another bug, as 105 breaks the 44 patch. Oracle is working on a fix.
This is a workable workaround if you're using 9311 for your requirement. Let me know if it worked out.
1. Create a simple list. Add the project names as values. Add additional disabled values to the list (for future projects).
2. Create a multilist field on the item and call it Access Control.
3. Assign the simple list to the multilist field.
4. Create criteria based on the number of projects you are creating. Each item criteria should have |item.access control contains any ‘project drop down value’|
5. Create discovery item and read item privilege using this criteria.
6. Add the privilege to the role.
7. Add the role to user group.
In a nutshell, you'll have 30 roles, 30 user groups, 30 criteria and 30 list values, all mapped internally, if you have 30 projects.
This will need some manual handling (sustaining from admin) when you onboard a new project. Once done, business should be able to manage it themselves. Make sure a few key users and admin have access to all the items.
The $USERGROUP variable is not available in vanilla 9.3.1 even though the documentation indicates it is. You need to either go to 9.3.2 and above, or alternatively it becomes available in 9.3.1 with 3 hotfix patches.
What is the result of the criteria if the “Page2.Access Control” is blank? Will it be True and access granted to everyone or False and Access Granted to no one?
It will be false, and those who are subject to this criteria will not have access. Typically this is the behavior you want when controlling partner access. You can tweak this by adding “Or Access Control is null” or “Or Access Control Equal To Common” to the criteria. In the first tweak you have access if the field is blank or you are a member of a user group in the field. In the last tweak everyone has access if “Common” is in the field, without having to be a member of “Common”.
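To make the blank-field behaviour and the two tweaks above concrete, here is a small model of how the three criteria variants evaluate against sample items. This is an added illustration, not Agile PLM code; the Item/User classes, the group names and the item numbers are constructed for the example, and only the Contains Any / is null / Equal To Common logic described in the thread is modelled.

```python
"""Model of the 'Access Control Contains Any $USERGROUP' criteria and its two tweaks."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List


@dataclass(frozen=True)
class Item:
    number: str
    access_control: FrozenSet[str] = frozenset()  # constructed: the Access Control multi-list


@dataclass(frozen=True)
class User:
    name: str
    user_groups: FrozenSet[str] = frozenset()  # constructed: the user's $USERGROUP memberships


def contains_any(item: Item, user: User) -> bool:
    """'Page Two.Access Control Contains Any $USERGROUP'. A blank field gives False."""
    return bool(item.access_control & user.user_groups)


def contains_any_or_null(item: Item, user: User) -> bool:
    """First tweak: '... Or Access Control is null' opens blank items to everyone."""
    return not item.access_control or contains_any(item, user)


def contains_any_or_common(item: Item, user: User, common: str = "Common") -> bool:
    """Second tweak: '... Or Access Control Equal To Common' opens items tagged
    Common to everyone, without requiring membership of a 'Common' group."""
    return common in item.access_control or contains_any(item, user)


def discoverable(items: List[Item], user: User,
                 rule: Callable[[Item, User], bool]) -> List[str]:
    """Item numbers the Discovery privilege would expose to this user under `rule`."""
    return [item.number for item in items if rule(item, user)]


# Constructed sample data: one partner user and four items with different Access Control values.
ALICE = User("alice", frozenset({"Project X"}))
ITEMS = [
    Item("P1", frozenset({"Project X"})),             # her project
    Item("P2"),                                       # blank Access Control
    Item("P3", frozenset({"Project Y", "Common"})),   # tagged Common
    Item("P4", frozenset({"Project Y"})),             # another project only
]

if __name__ == "__main__":
    for rule in (contains_any, contains_any_or_null, contains_any_or_common):
        print(f"{rule.__name__:24s} -> {discoverable(ITEMS, ALICE, rule)}")
```

Running it shows the strict criteria hiding the blank item P2, the "is null" tweak exposing it, and the "Equal To Common" tweak exposing P3 instead.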