Security
System administrators can use Cobra security features to grant or restrict users' access to data and processes.
This table provides information on the locations where Cobra security is maintained.
| Tool | Description |
|---|---|
| EPM Security Administrator (EPM SA) | Use this tool to set up users, groups, and roles that are shared across all Deltek PPM products, including Cobra. Attention: For more information, see the EPM SA Help System.
|
| Access Control Tabs and Pages | Each file type in Cobra—such as project, calendar, resource, rate, code, report, and configuration—includes a Properties dialog box and a New File Wizard, both featuring Access Control. This Access Control allows you to secure files and assign access rights to individual users or groups. When a group is granted access to a file, the primary role of each user in the group determines their level of access within the file, unless an overriding role is specified. For instance, a user’s primary role will dictate whether they can edit the budget in a project. |
| Change Ownership and Access Rights Dialog Box | You can change the ownership and access control information of an object using the Change Owner and Access Rights dialog box if you are the owner of the object or a member of the SYSADMIN group. This allows the owner or system administrator to modify ownership and access rights for multiple entities at once. |
| Configuration Security Dialog Box | Use this dialog box to edit or modify the access control for saved configurations. |
Users
The term "user" refers to an individual. You can assign users to a Cobra license to grant them the rights to log into Cobra.
Roles
The role defines the type of operations a user in that position can perform, such as accessing menu items, tabs within a dialog box, or elements of a view, like actual costs. Roles often describe a position, such as Analyst, CAM, or Project Manager.
A user’s primary role, defined on their record in the EPM SA, can be overridden in a file's Access Control by specifying a different role for a user or group. For example, if Jack is primarily a CAM but serves as an Analyst on one project, you can specify that Jack has an overriding role of Analyst for that project. This will change his access within the project to those defined by the Analyst role.
Similarly, you can assign an overriding role to an entire group. For instance, you can give the PMO the overriding role of SYSADMIN. An overriding role takes precedence over a user's primary role if both the user and a group they belong to are defined on the access control. If both are defined, whichever role grants more access to the file takes precedence.
To help you get started, Cobra is installed with these two roles:
- Default: This sample role defaults to providing full rights. You can modify this role or create new roles.
- SYSADMIN: This sample role also defaults to providing full rights. You can modify this role or create new roles.
There is a special role that does not appear in the EPM SA but is an option on the Access Control tab. The Owner_Delegate role affects the following areas in Cobra:
- Delegate: Provides a method to delegate ownership rights for individual files, allowing other users to act as the owner when the file owner is not available.
- Object Security: Owner delegates of an object have the same rights as the owner and can update the access control information for the object but cannot change the owner.
- Restore Process: Owner Delegates have special rights that allow them to restore an object they do not have rights to if they currently have the Owner_Delegate role on an existing object with the same name in the database. This enables the Owner_Delegate to restore backups from previous software versions that do not support the Owner_Delegate role. The restore process also transfers any existing Owner_Delegate assignments on existing objects to the restored objects.
Groups
The term "group" usually represents a major program or project in an organization, or a functional group, such as the project management office. You assign users to groups to provide quick access to data. Users can have different primary roles within a group.
In EPM SA, the SYSADMIN and GUEST groups are created automatically and can be found in the Group list.
There are two special groups in Cobra that cannot be deleted:
- WORLD: All users defined in EPM SA automatically become members of the WORLD group. This group does not appear in the Group list in EPM SA. Assigning the WORLD group in the file's Access Control grants all users access to a file.
- SYSADMIN: Users in this group have rights to all menus and all data in PPM products, including the Access Control tab used to set access control for files. Members of this group also have access to EPM SA.
Example of Security Settings
Assume you have eight users, added through the EPM SA using Active Directory. A user's primary role defines the operations they can perform, such as updating baselines, setting the budget equal to actual costs, and updating data. You assign one of the following primary roles to each user:
- Scheduler: A super user of Open Plan with limited access to processes like Recalc in Cobra.
- Analyst: A super user of Cobra with access to all areas of the application.
- CAM (Control Account Manager): A technical person with limited access to processes in Cobra, but who is essential for providing status and explanations of variances on the Analyze form.
- Project Manager: A user with read access to all data but limited rights to processes and data modification within a project.
For each of these primary roles, you define the menu options to which the user has access. For example, an Analyst may be allowed to perform processes such as Replan, where the actual cost is set equal to the budget, while a CAM may not be permitted to perform this process.
Assume your company has two major projects. You create two groups, one for each project, and assign users to the groups based on the projects on which they are working. To prevent users from Project A from seeing data for Project B, use the Access Control tab on Project A to assign Group A, and the Access Control tab on Project B to assign Group B.