Clarity PPM

Expand all | Collapse all

How are Automatic Rights Assigned?

  • 1.  How are Automatic Rights Assigned?

    Posted 04-02-2015 08:19 AM

    Originally published on the CA Clarity PPM Cookbook on Flipboard


    Also available in the CA Clarity PPM On Premise DocOps Platform


    Document ID: TEC468721

     

    Contributed by: CA Technologies Support and edited by Sunder Rosy, Information Services Engineer

     

    CA PPM allows some rights to be automatically granted to users when their role changes. For example, if a user is assigned as the Project Manager, that user is automatically granted the Project Edit rights for that project. This eliminates the need for an administrator to have to grant that individual instance rights. Without these implied rights, the administrative overhead of constantly managing specific rights as users change assignments becomes overly burdensome, time-consuming, and cost-ineffective.

     

    The next question is how to monitor and control user license counts if users can grant rights that will move users up to a higher license class (for example, from viewer to participant or creator) without administrative review?

     

    There are several means within the product to monitor and control user license counts. A combination of internal processes and application functionality is necessary to manage license compliance according to your company’s individual needs.


    The License Information portlets allow administrators to monitor the user license count. The administrator can track the number of users licensed as Full, Restricted, or View Only. They can drill down deeper to see how individual users are classified, and even further to see which rights caused the users to be classified. If a user is found to have rights that they should not have, the administrator can remove that right, or have the user unassigned as a project, program, or department manager which removes the automatic (or implied) rights. If the user needs those rights, you can increase the license count.


    For example, a user with only view rights (and therefore classified as a Viewer) is assigned as Project Manager to a project. They will be granted project edit rights automatically based on the assignment and will be re-classified as a Full User. To manage a project, a user must be a Full User and have edit rights.


    The following query identifies all resources that have automatic security access rights:


    SELECT u.user_name, u.last_name, u.first_name, lu.user_id, g.group_name Access_Right, g.LIC_RIGHT_TYPE FROM

    cmn_lic_users_v lu,

    cmn_sec_users u,

    cmn_sec_groups_v g

    WHERE

    u.id = lu.user_id AND

    u.user_status_id = 200 AND

    lu.right_id = g.ID AND

    g.language_code = 'en' AND

    g.group_name like '%Auto%' AND

    --add right types to exclude

    g.LIC_RIGHT_TYPE NOT in ('viewer')

    ORDER BY u.user_name


    If you want more control and are willing to assume the administrative overhead associated with this control, here are some ways to prevent assigning rights automatically:


    • Do not use the fields (such as project manager, department manager, program manager, resource manager) that assign edit rights automatically.
    • Hide the fields and substitute a custom field that associates the user as the manager without granting rights.
    • Administrators need to explicitly grant rights in these cases.


  • 2.  Re: How are Automatic Rights Assigned?

    Posted 04-02-2015 09:16 AM

    Thanks for sharing this, John

     

    NJ



  • 3.  Re: How are Automatic Rights Assigned?

    Posted 04-02-2015 11:00 AM

    Good details thanks.

    More specifically the administrative overhead means that your administrators will have to create all new instances of those in


    • Do not use the fields (such as project manager, department manager, program manager, resource manager) that assign edit rights automatically.

    before

    • Hide the fields and substitute a custom field that associates the user as the manager without granting rights.

    gets you out of trouble and more overhead in

    Administrators need to explicitly grant rights in these cases.

    .When creating the custom fields and entering users in them.

    The rights I take can be added with a process.

     

    The query is nice. Thanks agian.



  • 4.  Re: How are Automatic Rights Assigned?

    Posted 04-03-2015 11:48 AM

    Great Info! Thanks john!

    JOHN George wrote:

     

    Originally published on the CA Clarity PPM Cookbook on Flipboard


    Also available in the CA Clarity PPM On Premise DocOps Platform


    Document ID: TEC468721

     

    Contributed by: CA Technologies Support and edited by Sunder Rosy, Information Services Engineer

     

    CA PPM allows some rights to be automatically granted to users when their role changes. For example, if a user is assigned as the Project Manager, that user is automatically granted the Project Edit rights for that project. This eliminates the need for an administrator to have to grant that individual instance rights. Without these implied rights, the administrative overhead of constantly managing specific rights as users change assignments becomes overly burdensome, time-consuming, and cost-ineffective.

     

    The next question is how to monitor and control user license counts if users can grant rights that will move users up to a higher license class (for example, from viewer to participant or creator) without administrative review?

     

    There are several means within the product to monitor and control user license counts. A combination of internal processes and application functionality is necessary to manage license compliance according to your company’s individual needs.


    The License Information portlets allow administrators to monitor the user license count. The administrator can track the number of users licensed as Full, Restricted, or View Only. They can drill down deeper to see how individual users are classified, and even further to see which rights caused the users to be classified. If a user is found to have rights that they should not have, the administrator can remove that right, or have the user unassigned as a project, program, or department manager which removes the automatic (or implied) rights. If the user needs those rights, you can increase the license count.


    For example, a user with only view rights (and therefore classified as a Viewer) is assigned as Project Manager to a project. They will be granted project edit rights automatically based on the assignment and will be re-classified as a Full User. To manage a project, a user must be a Full User and have edit rights.


    The following query identifies all resources that have automatic security access rights:


    SELECT u.user_name, u.last_name, u.first_name, lu.user_id, g.group_name Access_Right, g.LIC_RIGHT_TYPE FROM

    cmn_lic_users_v lu,

    cmn_sec_users u,

    cmn_sec_groups_v g

    WHERE

    u.id = lu.user_id AND

    u.user_status_id = 200 AND

    lu.right_id = g.ID AND

    g.language_code = 'en' AND

    g.group_name like '%Auto%' AND

    --add right types to exclude

    g.LIC_RIGHT_TYPE NOT in ('viewer')

    ORDER BY u.user_name


    If you want more control and are willing to assume the administrative overhead associated with this control, here are some ways to prevent assigning rights automatically:


    • Do not use the fields (such as project manager, department manager, program manager, resource manager) that assign edit rights automatically.
    • Hide the fields and substitute a custom field that associates the user as the manager without granting rights.
    • Administrators need to explicitly grant rights in these cases.


  • 5.  Re: How are Automatic Rights Assigned?

    Posted 04-03-2015 01:44 PM

    While the direction to not use the fields associated with inherited rights is technically true, consider the impact...  remember all of the existing reports / portlets / dashboards that use those fields.



  • 6.  Re: How are Automatic Rights Assigned?

    Posted 03-08-2019 08:18 AM

    Hello team,

     

    I have requirement that we need to add Proxy PM in project who can see the Timesheet Submitted for that Project How much hours etc, not all Timesheet details like resource manager can see.. only those project they are PM or Proxy PM.

     

    Any idea at the backend what rights is hidden when we select Project manager of project to see timesheet of resource for his project.. ?



  • 7.  Re: How are Automatic Rights Assigned?

    Posted 03-08-2019 08:41 AM

    Hi Awadhesh,

    There is a recent thread on this matter.

    Hope options on the new thread help:

    Temporary backups for Resource Managers or PM's in CA PPM