Integrations (PTC products, 3rd party products and code) > 3rd party product integrations (CM, DOORS, Rose, Simulink and XML) > Configuration management tool integration > Typical lifecycle of a model stored in a CM tool (CM tool integration) > Controlling access in the Modeler and CM tool environments (CM tool integration)
  
Controlling access in the Modeler and CM tool environments (CM tool integration)
If you are not using a CM tool, you control access permissions to Packages through:
Server set up.
Database options set up in SQL Server Management Studio.
Database and Model access permissions set up in Model Explorer.
Package access permissions set up in Modeler.
For more information about Modeler access permissions, see Overview of Modeler access permissions.
The access permissions set for a Package can be enforced because the Package belongs to a specific Model, which in turn belongs to a specific Repository, which in turn resides on a specific Server. When a Model is stored within a CM tool, the access permissions set for a Package are more difficult to enforce, because the Package can be checked out to any Model, in any repository, on any server.
If you are using a CM tool, you must use the access control of the CM tool to determine which users can check out (and therefore change) the Models and Packages being stored in it. The Modeler access permissions set for Packages are maintained when checked out, which means after checking out a Package to Modeler, only users with Write access permissions to the Package can change it.
* 
Warning: If write access to a Package is granted in the CM tool, it is not possible to revoke that write access through Package access permissions in Modeler. This is because if a user is an owner or administrator of a database and they check out a Package to their repository, that user can change the Package because of their repository administrator/owner status, even if they have no access permissions set for the Package itself.
Single or multi-user access in Modeler
If you are not using a CM tool, the Modeler repository manages multi-user access at item level through transaction locks, and at diagram level through diagram locks. Many users can work with a Package at the same time, but rights can be used to limit this.
When you store a Model in a CM tool, you can choose to either use or not use the Modeler multi-user support:
Single user use of Modeler: Each user works with a local repository. After checking out a Package, no other users can check out that Package from the CM tool. The Modeler repository and Model are set up so that only the user that checked out the Package can change that Package in the Modeler environment. The user that checked out the Package makes the changes in their local repository, and then checks in the Package when they are finished.
Team use of Modeler: The team works with a shared repository. After a user checks out a Package (Owner access permissions required), no other users can check out that Package from the CM tool. Access control of the Modeler repository, Model and Packages is set up so that only the team members can change the Package in the Modeler environment. The team makes the changes in the shared repository, and then the user that checked out the Package, checks in the Package when the team's work is finished.
CM tool and Modeler rights required for performing CM tool integration tasks
To create a replica of a CM tool Model (you typically do this the first time you work with a CM tool Model), you require:
In the CM tool - read access to the Model and its Packages. Note that it does not matter whether the Packages are checked in or checked out.
In Modeler - write access to the database in which the replica is going to be created.
To get a Package, you require:
In the CM tool - write access to the Package. Packages can be either checked in or checked out.
In Modeler - Owner access permissions to the Package.
In Modeler - Database Write access permissions to get any associated published Tag Definitions that are not present in the Model.
* 
If you check out an item without having the database access permissions required to get its associated published Tag Definitions, you will not be able to view the tagged values set for those Tag Definitions. If Modeler cannot get a published Tag Definition, it is reported in the Output pane.
To check out a Package, you require:
In the CM tool - write access to the Package and the Package must be checked in.
In Modeler - Owner access permissions to the Package.
In Modeler - Database Write access permissions to check out any associated published Tag Definitions that are not present in the Model.
* 
Warning: If you check out an item without having the database access properties required to check out its associated published Tag Definitions, the checking in of that item will result in the tagged values set for those Tag Definitions being lost. If Modeler cannot check out a published Tag Definition, it is reported in the Output pane.
To check in a Package, you require:
In the CM tool - write access to the Package. If the Package is checked out, the Package must be checked out to you. If the Package is being checked in the first time, you must have rights to create new files in the CM tool project for the Model.
In Modeler - Owner access permissions to the Package.
* 
If a user checks out a Package to a Model, then that Package can be checked in only from that Model and only by that user.
You cannot change the access permissions of a Package (or Model) that is checked in to a CM tool.
Apply CM tool access rights to the MDF and PKF files created in the CM tool. You do not have to apply access rights to IDF files. For more information about the files created in the CM tool, see Files created in the CM tool.