Access Control Overview

When an entity (for example, a program or project) is created, the owner and members of the SYSADMIN group automatically have full access to the data. In order for other users and groups to see it, you need to grant them full or read only access using the Access Control tab.

A user or group can view an entity if one of the following is true:

  • They are the owner
  • They are a member of the SYSADMIN group
  • They are listed on the Access Control tab
  • They are a member of a group listed on the Access Control tab
  • The WORLD group has been selected on the Access Control tab

The level of access depends on whether you have given them full or read only access.

Full vs. Read Only Access

When you add a user or group to the Access Control tab, you have the option of giving them full or read only access.
  • Read only access allows them to view but not edit.
  • Full access allows them to edit / delete data, and delete the entity.

Editing Data on the Access Control Tab

You can edit data on the Access Control tab if you are one of the following:

  • The owner
  • A member of the SYSADMIN group
  • A member of a group or a user who has been assigned the OWNER-DELEGATE role

Owner Field

When you create a new entity (for example, a new program or project), the Owner field is populated with your logged in ID. Only you or a member of the SYSADMIN group can edit this field on the Access Control tab.

You can see the Owner field in the Program's and Project's List views and on the Program's and Project's Access Control tabs. It is read-only in the List views.

When you copy an entity (for example, a program or project), the Owner field changes to your logged in ID (that is, you become the owner).

SYSADMIN Group

When you are assigned to the SYSADMIN group, you have full access to the entity, including the Access Control tab. You are also able to modify the entity Owner field.

Users in the SYSADMIN group with a valid named license always have access to everything and do not need to be added to an Access Control list.

WORLD Group

All users that you define in EPM Security Administrator (EPM SA) automatically become members of the WORLD group. In Touchstone, this does not include users with a Submitter license. The WORLD group does not exist in the Group list in EPM SA, thus you can neither remove nor add users and you cannot define security permissions for this group.

Selecting the WORLD group does not allow users to edit the Access Control tab. Use of the WORLD group on the Access Control tab is like any other group, allowing for a Role and the use of the Read Only flag.

Adding the WORLD group to a Project Access Control list does not allow users with a Submitter license to access the project in the Submittals hub. A user with a Submitter license must be added to the project's Access Control tab in order to upload a schedule to the project.

OWNER-DELEGATE Role

The OWNER_DELEGATE role gives a user or a member of a group the same rights as the owner, including the ability to edit the data on the Access Control tab. It does not allow the user or group member to change the Owner. This role is automatically added to the Role drop-down on the Access Control tabs.

When you assign a user or group to the OWNER-DELEGATE role, they automatically get full access. You cannot give them Read Only access.

Access to Associated Projects

When a user is granted access to a program, they can see the selected program but they cannot automatically see any of the associated projects. If you want them to have access to one or more of the associated projects, you must add them to the project Access Control tab.

More Permissive Role Wins

If a group in an Access Control List is given an OWNER_DELEGATE role, and a named license user who is part of that group is added to the Submitter grid, that user will have all of the access and rights of the OWNER_DELEGATE role because it has more privileges than a Submitter.
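
The rules on this page can be checked against a small model when reviewing who ends up with which rights. The following is an added example, not product code: the class and function names are hypothetical, the sample users and groups are constructed, and it assumes that when several entries match one user the most permissive level applies (a generalization of the rule above), that a WORLD entry never grants Access Control editing, and it omits the named-license check for SYSADMIN.

```python
from dataclasses import dataclass, field

NONE, READ, FULL = 0, 1, 2   # ordered so max() keeps the more permissive level

@dataclass
class Entry:                  # one row on an Access Control tab
    principal: str            # user ID, group name, or "WORLD"
    read_only: bool = False
    role: str = ""

@dataclass
class Entity:                 # a program or a project; each has its own list
    owner: str
    acl: list = field(default_factory=list)

@dataclass
class User:
    uid: str
    groups: set = field(default_factory=set)
    submitter: bool = False   # Submitter license holders are not in WORLD

def effective_access(user, entity):
    """Return (level, can_edit_acl, can_change_owner) for user on entity."""
    if "SYSADMIN" in user.groups or user.uid == entity.owner:
        return FULL, True, True
    level, delegate = NONE, False
    for e in entity.acl:
        via_world = e.principal == "WORLD" and not user.submitter
        if not (via_world or e.principal == user.uid or e.principal in user.groups):
            continue
        if e.role == "OWNER-DELEGATE" and not via_world:
            level, delegate = FULL, True      # Read Only cannot apply to this role
        else:
            level = max(level, READ if e.read_only else FULL)
    return level, delegate, False             # delegates cannot change the Owner

# Constructed sample data: a program and one associated project.
program = Entity("alice", [Entry("WORLD", read_only=True),
                           Entry("PMO", role="OWNER-DELEGATE")])
project = Entity("alice", [Entry("sam")])
bob = User("bob", {"PMO"})            # member of a delegated group
carol = User("carol")                 # reaches the program only through WORLD
sam = User("sam", submitter=True)     # Submitter license, listed on the project

if __name__ == "__main__":
    for u in (bob, carol, sam):
        print(u.uid, effective_access(u, program), effective_access(u, project))
```

In this sample, bob has delegate rights on the program but no access to the associated project, which shows that program access does not carry over to projects.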