Skip to main content
Skip table of contents

Roles and Permissions

Process360 Live consists of a server instance which can contain one or more repositories. Within each repository there are repository items consisting of diagrams, enterprise objects (e.g. Resources, Strategies, etc.), non-iGrafx files (e.g. Office Word documents) and folders to help organize the content. Access to the server, repositories, and items is controlled with licenses, roles, and permissions. This document focuses on roles and permissions and item role assignments. The diagram below gives an overview of the relationships between users, groups of users, permissions, roles, and components controlled. As you can see in the diagram a role is a set of permissions which can be assigned to a group or individual user. Each item, repository, and server role has a set of permissions that can be granted, vetoed or left unspecified.

 

Controlling Access to a Repository Item

After deploying iGrafx, and before assigning roles to repository content, administrators must follow the instructions in Assigning Security Roles to provide users access to the Platform server and repositories. The Assigning Security Roles topic also describes how to define the permissions for each role.

Access to repository items is controlled on the item's Permissions tab.  A repository item can be an iGrafx file, a non-iGrafx file, a Web Diagram, a Folder, or an Enterprise Object. Within the Permissions tab of the item, control access by granting users or groups an applicable role for an item.  For example, to give the "Marketing" group the Author role on a repository item:

  1. Select an item in the repository for which the permissions need to change

  2. Click the PERMISSIONS tab (right hand side)

  3. Click ASSIGN ROLE TO USER/GROUP 

    If you do not see the ASSIGN ROLE TO USER/GROUP button then you do not have adequate permissions to perform the command on this item.


  4. Search and select the name of the specific individual or group for which the required permission needs to be set (e.g. "Marketing").  Once selected, click CONTINUE.

  5. Search and select the applicable Role (e.g. "Author") that you want to grant to the selected user or group, as it relates to the item selected in step 1

  6. Click FINISH and expand the Marketing row

    In this example, the screenshot shows that "Marketing" has the "Author" role for the selected item.  

Inherited Role Assignments

  1. Select a repository item (e.g. a Folder) that contains one or more child items

  2. Perform steps 1 through 6 in the above topic

  3. Select one of the child items and choose the PERMISSIONS tab (if not currently displayed)

  4. Expand the Marketing assignment as shown below

    In this example, the screenshot shows that "Marketing" has the "Author" role based on an inherited role assignment on a parent object. Clicking the arrow will display the parent where the role assignment was made. 

View Effective Permissions

After performing the above steps, if Jane Smith is a member of the "Marketing" group, she should now have Author permissions for the item and its children. This can be confirmed by following these steps:

  1. If not already visible, display the item PERMISSIONS tab

  2. Click VIEW EFFECTIVE PERMISSIONS

  3. In the edit field, type a user name (e.g. "Jane") and then choose that user from the list

  4. Click SHOW WHY

All available item permissions are displayed. In our example, Jane will probably have all permissions granted by the Author role assignment. However, other item role assignments (e.g. to other Groups Jane is a member of) may override the Author role assignment. The next topic discusses combined permissions. See the Item Permissions and their Definitions topic to understand the meaning of each permission.

During an Approval Cycle, an exception is made to the permission rules. If a user without "See Unapproved" item permission is asked to approve a non-approved item then they will be allowed to do so. By including a user in the Approval Cycle Group, they are granted temporary permission to view unapproved versions.


Evaluating Combined Item Permissions

A user’s effective permissions for an item are primarily determined by role assignments for the user (or groups the user belongs to) on an item or the item’s parents. This allows needed control over repository content. For example, an organization could give a group of ‘Authors’ access to a repository folder, but restrict that group’s access to other repository content. Imagine a company with authors in the Accounting and Marketing groups. Each group can add and edit iGrafx diagrams in their assigned repository folder but are not allowed to view repository content outside their dedicated folders. To implement this configuration, the administrator assigns the “None” item role to both the Accounting and Marketing groups on the repository root object.

Further down the hierarchy, on the “Accounting Processes” folder, the Accounting group is assigned the Author role. On the “Marketing Processes” folder, the Marketing group is assigned the Author role. Now, members of each group can only author in their folder (and its sub-folders) while not seeing other repository content. Assigning roles in the Platform typically gives intuitive results like the example above where group role assignments on an item override group role assignments of an items parent.

Be aware, however, that permissions are calculated separately for the user and each group the user belongs to and then combined to determine the final effective permissions for an item. Therefore, it may be necessary to understand the details for setting effective permissions documented below. This procedure is supplemented with a flowchart and permissions table on the following pages.

Determining Item Permissions  

Main procedure:

  1. If the user is the “Administrative Owner” of the item, then the user has every permission on the item (shape #1 on Permissions Flowchart). Otherwise proceed to the next bullet.

  2. Follow the "Bubble Up" procedure (the large shape #2) described below for the user and, separately, for every group (shape #3) the user belongs to. This determines a permission-set for the specific user and a permission-set for each group the user belongs to.

  3. Combine the permission-sets (shape #4) as specified by the Permissions Table (displayed after the flowchart): a specific permission is granted if any of the permission-sets grant it and none deny it.

  4. If the user has the special "Set Any Item Permission" repository-level permission, then also grant the user (if not already granted) “View”, “View unapproved”, and “Administer” permissions (shape #5).

“Bubble Up” procedure:

Work your way up the repository tree from the item to the root, and stop when you find an item with any role assignments for the user or group the user belongs to:

  1. Does the user or group have one or more role assignments on the item? If yes, then use the role permissions (shape #2a) or combine multiple role permissions (shape #2b) as determined by the Permissions Table and return the result. If not, continue to the next bullet.

  2. Does the item have a parent? If not, return an empty (no grants and no denies) permission-set (shape #2c).

  3. Change the item to inspect to the item's parent (shape #2d).

Permissions Flowchart

 

 

Permissions Table

For any permission (e.g. Modify, Create, etc.), this table displays the user’s effective permission when multiple permission sets are combined (shapes #2b and #4 in Permissions Flowchart) for a repository item:

Given these permission combinations:


The resulting combined permission:



(tick) Grant

=

(tick) Grant



(error) Veto

=

(error) Veto



Unspecified

=

(error) Veto


(tick) Grant

(error) Veto

=

(error) Veto


(tick) Grant

Unspecified

=

(tick) Grant


(error) Veto

Unspecified

=

(error) Veto


(tick) Grant

(tick) Grant

=

(tick) Grant


(error) Veto

(error) Veto

=

(error) Veto


Unspecified

Unspecified

=

(error) Veto

(error) Veto

Unspecified

(tick) Grant

=

(error) Veto

Examples of Combined and Hierarchical Permissions

These examples give the results of various combinations of item role assignments in a repository hierarchy. For all the examples, assume the following:

  • The “Order Entry” diagram is in the “Marketing Processes” folder

  • Jane belongs to the “Marketing” group

  • The default permissions are defined for the roles shown

Group role assignment:

Item

Roles for Jane

Roles for “Marketing” group

Root folder


None

“Marketing Processes” folder



“Order Entry” diagram



Result: Jane has no effective permissions on the “Order Entry” diagram. 

Group role assignments:

Item

Roles for Jane

Roles for “Marketing” group

Root folder


None

“Marketing Processes” folder


Author

“Order Entry” diagram



Result: Jane’s effective permissions on the “Order Entry” diagram are equivalent to Author permissions. 

User and Group role assignments:

Item

Roles for Jane

Roles for “Marketing” group

Root folder


None

“Marketing Processes” folder

Author


“Order Entry” diagram



 Result: Jane’s effective permissions on the “Order Entry” diagram are equivalent to Author permissions. 

User role assignments:

Item

Roles for Jane

Roles for “Marketing” group

Root folder



“Marketing Processes” folder

Author


“Order Entry” diagram



Result: Jane’s effective permissions on the “Order Entry” diagram are equivalent to Author permissions. 

Combined user and group role assignments:

Item

Roles for Jane

Roles for “Marketing” group

Root folder


Deny all

“Marketing Processes” folder

Administrator


“Order Entry” diagram



Result: Jane has no effective permissions on the “Order Entry” diagram. Her effective permissions are a combination of the Administrator and Deny all roles. Because the Deny all role vetoes all permissions, Jane has no effective permissions.

Combined group role assignments:

In this example, Jane is a member of both the “Marketing Admin” and “Marketing” groups and there are no user role assignments.

Item

Roles for “Marketing Admin” group

Roles for “Marketing” group

Root folder


Deny all

“Marketing Processes” folder

Administrator


“Order Entry” diagram



Result: Jane has no effective permissions on the “Order Entry” diagram for the same reasons given in the previous example. 

Group role assignments:

Item

Roles for Jane

Roles for “Marketing” group

Root folder


Deny all

“Marketing Processes” folder


Administrator

“Order Entry” diagram



Result: Jane’s effective permissions on the “Order Entry” diagram are equivalent to Administrator permissions.   

Jane is denied:

Item

Roles for Jane

Roles for “Marketing” group

Root folder


Administrator

“Marketing Processes” folder


None

“Order Entry” diagram

Deny all


Result: Jane has no effective permissions on the “Order Entry” diagram. Her effective permissions are a combination of the Deny all, and None roles. Because the Deny all role vetoes all permissions, Jane has no effective permissions. 

Jane is administrator:

Item

Roles for Jane

Roles for “Marketing” group

Root folder


Viewer, Author

“Marketing Processes” folder

Deny all


“Order Entry” diagram

Administrator


 Result: Jane has administrator permissions on the “Order Entry” diagram. Her effective permissions are a combination of the Administrator, Viewer, and Author roles. The Deny all role assignment is ignored.

Jane is denied with "Everybody" role assignment:

A special group which always exist is the Everybody group, which contains all users created in or imported to the iGrafx platform. The Everybody group can't be removed but you don't have to use it.


Item

Roles for Jane

Roles for “Everybody” group

Root folder


Author

“Marketing Processes” folder


None

“Order Entry” diagram



Result: Jane has no effective permissions on the “Order Entry” diagram. Her effective permissions are the result of the None role assignment on "Marketing Processes."  Because the role assignments are on the same group, "Everybody", the two assignments are not combined and the role assignment on the Root folder is ignored. 

Server Permissions and their Definitions

These permissions are available for the iGrafx Platform server instance.

Permission

Definition

Use Application

Required to log in.

Manage Licenses

Access and use the Administration Area / License page which includes License Management (e.g. Activate New License) and License Assignment tabs. Access the License Management tabs even if no license is activated or user licenses are over allocated.

Create and Manage Repositories

Create repositories, register repositories and view repository settings.

Delete Repository

Delete repositories, unregister repositories and view repository settings.

Manage User Directories

Access the Administration Area / User Management page / Directories tab which includes the “Add New Directory” command.

View Users and Groups

Access the Administration Area / User Management page to view existing Users and Groups. If a user has “Manage Users and Groups” Permission then they can view Users and Groups regardless of this permission.

Manage Users and Groups

Access the Administration Area / User Management page / Users tab (Create, Edit, Disable and Delete User) and Groups tab (Create, Rename, and Delete Group).

Manage Password Policies

Access the Administration Area / User Management page / Password Policies tab where these password complexity settings are made:

  • Minimum number of characters

  • Minimum number of capital letters

  • Minimum number of special characters

  • Minimum number of number characters

Assign Server Roles

Access the Access the Administration Area / Security Roles / Server Role Assignments tab where Users are assigned Server Roles.

Edit Server Settings

Access the Administration / Server Setting pages where server configuration, email settings, database settings, video providers, early access and check for software updates is performed.

Manage Server Roles

Access the Administration Area / Security Roles / Server Roles tab (permissions are Granted, Unset, or Vetoed on Server Roles) and Server Role Assignments tab (Users assigned Server Roles).

Manage Repository Roles

Access the Administration Area / Security Roles / Repository Roles tab (permissions are Granted, Unset, or Vetoed on Repository Roles) and Repository Role Assignments tab (Users assigned Repository Roles).

Manage Item Roles

Access the Administration Area / Security Roles / Item Roles tab where permissions are Granted, Unset, or Vetoed on Item Roles.

Can Customize

Access the Administration Area with commands for these topics:

  • Email Templates

  • Early Access

  • Customization

Access Support Features

Access the Administration Area / Support page with commands for these topics:

  • System information

  • Performance Log

  • System Cache

  • System Logs

  • Logging Settings

  • API Documentation

Can Report Issues

Access the "Contact Support" link in the main navigation bar.

Access REST API

Access the REST API tab in the Administration Area, Support page.


Repository Permissions and their Definitions

Each of these Permissions is specific to one or more repositories.

Permission

Definition

Use Repository

Required to view or edit the repository in the Model area.

View Repository Tree

Access a hierarchical tree view of repository content. Without this permission, it is still possible to view /edit content via object lists, search, breadcrumbs, links, etc.

Manage Repository

Access these pages in the Configuration Area:

  • Policies

  • Email Notifications

  • Cycle Groups

  • Resources

  • Customization

  • Item Properties

  • Languages

  • Advanced

Manage Cycle Groups

Access the "Cycle Groups" page in the Configuration Area.

Manage Custom Properties

Access the "Custom Properties" page in the Configuration Area.

Manage Risk Configuration

Access the "Risks" page in the Configuration Area.

Manage Opportunity Configuration

Access the "Opportunities" page in the Configuration Area.

Manage Control Configuration

Access the "Controls" page in the Configuration Area.

Manage Performance Indicator Configuration

Access the "Performance Indicators" page in the Configuration Area.

Manage Journey Configuration

Access the "Journey" page in the Configuration Area.

Manage Capability Configuration

Access the "Capability" page in the Configuration Area.

Add Performance Indicator Data

Required to add new data entries on Performance Indicator objects.

Modify Performance Indicator Data

Required to edit or delete data entries on Performance Indicator objects.

Assign Repository Roles

Access the Access the Administration Area / Security Roles / Repository Role Assignments tab where Users are assigned Repository Roles.

Set Any Item Permissions

For repository items, the “Assign Role to User / Group” command is available on the Permissions tab.

Allow Bulk Approvals

Users with this role can select multiple approval items in their To-do list and approve them together.

View All Deleted Objects

When enabled allows users to see objects that are deleted by others users in the Recycle Bin. Also enables permission to empty the recycle bin for all items for all users.

Item Permissions and their Definitions

The table below gives detailed descriptions of the provided repository Item permissions.

Permission

Definition

View

See items in the repository tree and search and query results. Users who do not have View permissions on a folder in the tree cannot see the folder, even if they have view permissions for some items within the folder.

View Diagram Comments

View diagram comments made by you or a colleague.

Add Diagram Comments

Add comments to repository diagram.

Modify Own Diagram Comments

Edit your comments on a repository diagram.

Delete Own Diagram Comments

Delete your comments on a repository diagram.

Move Any Diagram Comments

Within a diagram, move the location of any comment.

Delete Any Diagram Comments

Delete any comments on a repository diagram.

Print

Publish or print an item.

See Unapproved

See and retrieve unapproved versions of an item. If a user does not have this permission, they cannot see items that do not have any approved versions. If they have “See History” permission, they can only see previously approved versions.

See History

See (and retrieve from) the history of an item. Depending on the See Unapproved permission, the history shows only approved versions, or all versions. This permission also enables the View Labeled Version command.

Modify

Check out and check in documents, diagrams, and components. Does not apply to folders. The user can modify project status for items owned by them. If their modify rights are revoked while an item is checked out, they can choose the Undo Check Out command, but cannot check in the item.

Move

Move an object to a different folder. Create permission is required on the destination folder. Delete permission is not required on the source folder or object.

Create

Add new items to a folder.

Delete

Delete an item from the repository.

Rename

Rename an item in the repository.

Review

In a Review Cycle, permission to review an item.

Approve

In an Approve Cycle, permission to vote to approve an item.

Endorse

In an Endorse Cycle, permission to endorse an item.

Add Risk Data

Add values to a risk or risk instances.

Modify Risk Data

Modify or delete existing values on a risk or risk instance.

Modify Project Status

Change project status parameters in the client Repository Item Properties dialog box, Repository Properties page, Project Status tab for an item you do not own.

Set Reviewers

Add, change, or delete users in review cycles. This permission does not provide the ability to start review cycles.

Set Approvers

Add, change, or delete users in approval cycles. This permission does not provide the ability to start approval cycles.

Set Endorsers

Add, change, or delete users in endorsement cycles. This permission does not provide the ability to start endorsement cycles.

Manage Review Cycle

Schedule review cycles. Start review cycles.

Manage Approval Cycle

Schedule approval cycles. Start approval cycles.

Manage Endorsement Cycle

Schedule endorsement cycles. Start endorsement cycles.

Manage Elective Watchers

Enable the ADD ELECTIVE WATCHER(S) command for an object and the ability to remove elective watchers.

Manage Required Watchers

Enable the ADD REQUIRED WATCHER(S) command for an object and the ability to remove required watchers.

Administer

  • Assign and remove role assignments

  • Transfer item ownership

  • Cancel pending approval applications

  • Undo check out for items not checked out by the user.


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.