Security

System administrators can use Cobra security features to grant or restrict users' access to data and processes.

Cobra security is maintained in the following locations:
Tool Description
EPM Security Administrator (EPM SA) Use this tool to set up users, groups, and roles that are shared across all Deltek PPM products, including Cobra. For more information, refer to the EPM SA Help System.
Access Control Tabs and Pages Each type of file in Cobra (project, calendar, resource, rate, code, report, and configuration) has a Properties dialog box and New File wizard, which contain Access Control. You use the Access Control of each file type to secure the file and assign access rights to either a user or a group of users. When you assign a group access to a file, the primary role of the user will be used to determine what type of access they have while in the file. For example, the primary role for each user in the group will determine if the user can edit the budget within the project.
Change Ownership and Access Rights Dialog Box You can change ownership and access control information of an object, if you are the owner of an object or a SYSADMIN user, using the Change Owner and Access Rights dialog box . This allows the owner or SYSADMIN to change ownership and access rights for multiple entities at once.
Configuration Security Dialog Box You use this dialog box set the security for saved configurations.

Users

The term user refers to an individual who has rights to log into Cobra.

Roles

The term role describes a position, such as Analyst, CAM, or Project Manager, and the type of operations a user in that position can perform, such as accessing menu items, tabs within a dialog box, or even elements of a view, such as actual costs.

A user has a primary role, which is defined on their record in the EPM SA and can be overridden if the user serves in a different capacity on another project. You can override a user's primary role by entering the user's user ID on the Access Control tab and providing an overriding role. For example, assume that Jack is primarily a CAM, but on one project he serves as Analyst. For that project, specify that Jack has an overriding role of Analyst.

Similarly, you can provide an overriding role for an entire group. For example, you can give the PMO the overriding role of SYSADMIN. An overriding role takes precedence over a user's primary role or any role assigned to a group to which the user belongs.

  • Default: This role gives users and group’s full rights to an entity. The SYSADMIN can modify details in this profile.
  • SYSADMIN: This role gives users and group’s full access rights to an entity. This role The user or group assigned this role has full access rights to a contract.
  • Owner_Delegate: This role provides a method to delegate ownership rights for individual files, allowing other users to act as the owner when the file owner is not available. Users in this group have the same access control to a file as the user assigned as the Owner. It also allows sharing of file backups across organizations without requiring users to be in the SYSADMIN group.

    The Owner_Delegate affects the following areas in Cobra:

    • Object Security: Owner delegates of an object have the same rights as the owner of the object and has the ability to update the access control information for an object, but do not have the ability to change the owner of the object.
    • Project Baseline Security: Owner delegates of a project may edit the access control information of the project baselines.
    • Restore Process: Owner Delegates have special rights that allow them to restore an object that they do not have rights to if they currently have the Owner_Delegate role on an existing object with the same name in the database. This allows the Owner_Delegate to restore backups from previous versions of the software, which do not support the Owner_Delegate role. The restore process also transfers any existing Owner_Delegate assignments on existing objects to the restored objects as part of the restore process.

Groups

The term group usually represents a major program or project in an organization, or represents a functional group, such as the project management office. You assign users to groups to provide quick access to data. Users can have different roles in a group.

In EPM SA, the SYSADMIN and GUEST groups are created automatically. You can find these groups in the Group list.

  • WORLD: All users that you define in EPM SA automatically become members of the WORLD group. This group, however, does not exist in the Group list in EPM SA. You cannot remove or add users or define security permissions for this group. When you assign the WORLD group on the Access Control tab, you give all users full access to an entity and to all demo data.
  • SYSADMIN: Users in this group have rights to all menus in PPM products, including the Access Control tab used to set access control to files. Members of this group also have access to the EPM SA.

Example of Security Settings

For example, assume that you have eight users. You add these eight users through the EPM SA, using Active Directory.

A user's primary role defines the operations that the user can perform (for example, update baselines, set budget equal to actual costs, and update data). You assign one of the following primary roles to each user:

  • Scheduler: This role is a super user of Open Plan, with limited access to baseline and cost information.
  • Analyst: This role is a super user of Cobra, with access to all areas of the application.
  • CAM: CAM stands for Control Account Manager, a technical person who has limited access to processes but is essential for providing status and details, such as explanations of variances.
  • Project Manager: This role is a user who has read access to all data, but has limited rights to modify the data.

For each of these primary roles, you define the menu options to which the user has access. For example, an Analyst may be allowed to perform processes such as Replan, where the actual cost is set as equal to the budget. A CAM may not be permitted to perform this process.

Assume that your company currently has two major projects. You create two groups, one for each project, and assign users to groups based on the projects on which they are working. To prevent users from project A from seeing data for project B, use the Access Control grid to specify the groups that have rights to access project B data.