Setting Access Control on a Shared Object
The sharing operation creates a set of ad hoc access control rules on the object that allows users from the
context to which the object is shared to have limited access to the object. In some cases, you can specify permissions during the sharing operation and, in other cases, default permissions are set for you. After an object has been shared, you can separately manage the access control permissions that were set during the sharing process and the permissions set on the object in the context that it resides. Shared objects maintain their administrative lock if one is applied.
|
If security labels are enabled at your site, the security labels set on the object remain in force when the object is shared.
|
For information on how to share objects, see
Three Types of Shared Access. If an object is being shared, one of the following icons appears in front of the object name when you are viewing the object from the
Folders page:
• The shared from glyph
indicates that the object is being shared from another context.
• The shared to glyph
indicates that the object is being shared to another context.
Managing Access Permissions on Objects that are Shared
Keep in mind the following factors for managing permissions on shared objects:
• You can determine the origin of an access control rule by referring to the
Source column in the
Access Rules table on the
Access Information page.
Source column value | Access control rule origination |
Access Control | Ad hoc access control rule set in the source context from which the object is shared. |
Policy | Policy access control rule set in the source context from which the object is shared or one of its ancestor contexts. |
Share | Ad hoc access control rule set in the target context to which the object is shared. |
• Only those ad hoc access control permissions granted in the current context can be modified with the Edit Access Control action. For example, an ad hoc access control rule with the Share designation can only be modified from the target context.
• If a permission has not yet been modified by an ad hoc access control rule in the source or target contexts, or by other means, then that permission can usually be granted in either context, provided the user granting access has the appropriate permissions. For additional information, see
Understanding When You Can Modify Permissions.
• When the share is removed, the ad hoc access control permissions granted in the target context are removed.
• The permissions that are displayed and editable in the Edit Access Control window can be different for each context.
• The participants displayed in the Team Access view on the Access table are different for each context.
| The Detailed Participant Identification preference in the Security section of the Preference Management utility can be enabled to display additional details about a participant. The All Defined Access view of the Access Control table in the Edit Access Control window may display system groups associated with team membership for both the source and target contexts. The additional details for these system groups include the context name, so enabling the preference helps you to distinguish between groups in the source and target contexts that have the same name. |
• Ad hoc access control rules for system groups associated with team membership can only be managed from the context in which that team resides. However, you can still define rules for specific users, user-defined groups, and organizations that are members of a system group associated with team membership in another context.
• The default permissions for a shared object are the intersection of the initial set of share permissions (Read, Download, and Change Permissions) and the ad hoc permissions granted to the participant for the target folder. Only those permissions for the folder that have the source designation of Access Control are factored into the default permission determination. When sharing from one project to another, you can specify permissions other than the default on the Modify Access step of the Paste window if you have been granted permission to change the default settings. However, only Read, Download, and Change Permissions can be granted for parts.
For example, suppose that Paula is granted Read, Download and Modify permissions on a folder in the Bicycle Project by an ad hoc access control rule with the source designation of Access Control. A document is shared from the Wagon Project to the Bicycle Project folder. On the
Modify Access step, the default permissions granted to Paula are Read and Download, which is the intersection of the initial set of permissions for a share (Read, Download, and Change Permissions) and Paula’s ad hoc permissions on the folder. The Modify and Change Permissions permissions are not included in Paula’s default permissions because they were not matched in the initial share and ad hoc set of permissions. Because this is a Project to Project share, Paula’s permissions can be edited on the
Modify Access step, with the limitations described by
Understanding When You Can Modify Permissions.
• When sharing from a product or library to a project, you cannot specify permissions. The default permissions are set when the share is created.
Modifying permissions from the target context:
Ad hoc access control rules created during the share operation and subsequently defined for the shared object from the target context have the source designation Share. These rules are managed from the target context.
• From the
Folders page in the target context, select
Edit Access Control from the right-click actions list of a shared object’s row in the table or from the table’s
Actions list. The
Edit Access Control window that opens allows you to view and change the access control permissions on the object in relation to the target context.
Modifying permissions from the source context:
Ad hoc access control rules defined for the shared object from the source context have the source designation Access Control. These rules are managed from the source context.
• From the Folders page in the source context, select Edit Access Control from the right-click actions list of a shared object’s row in the table or from the table’s Actions list. The Edit Access Control window that opens allows you to view and change the access control permissions on the object in relation to the source context.
• From the object information page, accessed by clicking the information icon
for the shared object from the target context or the source context, the
Edit Access Control window allows you to view and change the access control permissions on the object in relation to the source context. The object information page for an object is always relative to the context from which the object was shared (source), even if the information page was accessed from the target context. The
Edit Access Control action on the object information page cannot be used to edit ad hoc permissions associated with the target context.
Propagating Permissions on Shared Objects
Propagating permissions from folders within the target context to shared objects within the folder is similar to propagating permissions to objects that are not shared, with two exceptions:
• The source designation for permissions that have been propagated to objects shared to the folder is Share. Permissions that are propagated to objects that originate in the folder have the source designation Access Control
• The permissions that can be propagated to objects shared from a product or library, and to parts shared from another project, are limited to Read, Download, and Change Permissions.
Default Share Permissions after PDM Checkin
Ad hoc access control permissions set on shared objects resulting from the Send to PDM action with the PDM Checkin option are the intersection of:
• The initial set of share permissions (Read, Download, Change Permissions).
• The permissions with the source designation Access Control set on the version of the object that was sent to PDM. This includes any permission modifications made directly to the object from the project or the project folder, before the object was PDM checked in.
Default Share Permissions after Undo PDM Checkout
Ad hoc access control permissions are set on shared objects resulting from an Undo PDM Checkout based on how the object was originally checked out from PDM.
• For objects that were checked out with Convert To PDM Check Out, access control permissions revert to the permissions that are set on the original shared object version that have the Share source designation. This includes any changes to permissions made to that version while it was hidden, so long as those changes have the Share source designation.
| The original shared object version is hidden in the project and a project-specific version with the status PDM Checked out is created from the Convert To PDM Check Out action. While the original share object version is hidden from the project, access controls with the source designation Share can still be modified on it. For example, permissions can be propagated from the project folder to the hidden shared object. When the project-specific version, along with changes made to it, are discarded with Undo PDM Checkout, the original shared object version is visible in the project again and retains any permission changes made while it was hidden. |
• For objects that were checked out directly from PDM to the Project using PDM Check-out on the Add Objects to a Project window, access controls are set based on the defaults for a new share, as described in Managing Access Permissions on Objects that are Shared.
• For objects that were checked out directly from PDM to the project, and whose checkouts are discarded using Undo PDM Checkout after being initially retained using the Keep Checked Out action on the Send to PDM window, access controls are set based on the defaults for a new share.
Related Topics