Security
System administrators can use Cobra security features to grant or restrict users' access to data and processes.
- EPM Security Administrator (EPM SA) — Use this tool to set up users, groups, and roles that are shared across all Deltek PPM products, including Cobra.
- Access Control tabs in properties dialog boxes — Each file, such as a project, rate, or code file, has a properties dialog box that contains the Access Control tab, which is used to secure the file. Use the Access Control tab to assign access rights to projects, calendars, resources, codes, rates files, and reports. Typically, you give access to a file by group.
In addition, you can also use the Change Ownership and Access Rights dialog box and the Configuration Security dialog box.
Users
The term user refers to an individual who has rights to log into Cobra.
Roles
The term role describes a position, such as Analyst, CAM, or Project Manager, and the type of operations a user in that position can perform, such as accessing menu items, tabs within a dialog box, or even elements of a view, such as actual costs.
A user has a primary role, which can be overridden if the user serves in a different capacity on another project. You can override a user's primary role by entering the user's user ID on the Access Control tab and providing an overriding role. For example, assume that Jack is primarily a CAM, but on one project he serves as Analyst. For that project, specify that Jack has an overriding role of Analyst.
Similarly, you can provide an overriding role for an entire group. For example, you can give the PMO the overriding role of SYSADMIN. An overriding role takes precedence over a user's primary role or any role assigned to a group to which the user belongs.
- Default — This role gives users and group’s full rights to an entity. The SYSADMIN can modify details in this profile.
- SYSADMIN — This role gives users and group’s full access rights to an entity. This role The user or group assigned this role has full access rights to a contract.
- Owner_Delegate — This group provides a method to delegate ownership rights for individual files, allowing other users to act as the owner when the file owner is not available. Users in this group have the same access control to a file as the user assigned as the Owner. It also allows sharing of file backups across organizations without requiring users to be in the SYSADMIN group.
The Owner_Delegate affects the following areas in Cobra:
- Object Security — Owner delegates of an object have the same rights as the owner of the object and has the ability to update the access control information for an object, but do not have the ability to change the owner of the object.
- Project Baseline Security — Owner delegates of a project may edit the access control information of the project baselines.
- Restore Process — Owner Delegates have special rights that allow them to restore an object that they do not have rights to if they currently have the Owner_Delegate role on an existing object with the same name in the database. This allows the Owner_Delegate to restore backups from previous versions of the software, which do not support the Owner_Delegate role. The restore process also transfers any existing Owner_Delegate assignments on existing objects to the restored objects as part of the restore process.
Groups
The term group usually represents a major program or project in an organization, or represents a functional group, such as the project management office. You assign users to groups to provide quick access to data. Users can have different roles in a group.
In EPM SA, the SYSADMIN and GUEST groups are created automatically. You can find these groups in the Group list.
- WORLD — All users that you define in EPM SA automatically become members of the WORLD group. This group, however, does not exist in the Group list in EPM SA. You cannot remove or add users or define security permissions for this group. When you assign the WORLD group on the Access Control tab, you give all users full access to an entity and to all demo data.
- SYSADMIN — Users in this group have rights to all menus in PPM products, including the Access Control tab used to set access control to files. Members of this group also have access to the EPM SA.
Example of Security Settings
For example, assume that you have eight users. You add these eight users through the EPM SA, using Active Directory.
A user's primary role defines the operations that the user can perform (for example, update baselines, set budget equal to actual costs, and update data). You assign one of the following primary roles to each user:
- Scheduler — This role is a super user of Open Plan, with limited access to baseline and cost information.
- Analyst — This role is a super user of Cobra, with access to all areas of the application.
- CAM — CAM stands for Control Account Manager, a technical person who has limited access to processes but is essential for providing status and details, such as explanations of variances.
- Project Manager — This role is a user who has read access to all data, but has limited rights to modify the data.
For each of these primary roles, you define the menu options to which the user has access. For example, an Analyst may be allowed to perform processes such as Replan, where the actual cost is set as equal to the budget. A CAM may not be permitted to perform this process.
Assume that your company currently has two major projects. You create two groups, one for each project, and assign users to groups based on the projects on which they are working. To prevent users from project A from seeing data for project B, use the Access Control grid to specify the groups that have rights to access project B data.
- Related Topics:
- EPM Security Administrator Functions
The Deltek EPM Security Administrator (EPM SA) is installed when you perform the Administrator Workstation installation of Cobra, or as part of the PM Compass implementation. The EPM SA allows you to share users, groups, and product license information across the entire Deltek PPM product suite. - Change Ownership and Access Rights
You can change ownership and access control information of an object, if you are the owner of an object or a SYSADMIN user, using the Change Owner and Access Rights dialog box . - Access Control Tabs
Once basic security setup is performed in EPM SA, access control to data is defined in Cobra. Each file, such as a project, rate, or code file, has a properties dialog box that contains the Access Control tab, which is used to secure the file. - Windows Authentication
When turned on, Cobra implements Windows authentication on the selected data source during initial login to the application. This is also implemented when switching to a different data source during re-login to the application.