Roles and Authorizations

Understanding Roles in Models

Roles in Work-Sharing Processes

Analyzing and designing structures and flows using models is a work-sharing process carried out by experts in various specialist areas. Roles can be used to make sure that the various different people are working in a defined environment. The respective user can use a role so that they have privileges in a modeling tool; this role provides the user with functions and model views tailored towards their needs.

Roles ensure that a user has certain basic rights, e.g. the right to configure a model. Assigning a role to special functions allows for execution rights and differentiations between roles. Assigning access rights justifies using certain model views.

The Role Concept in Innovator

Each user can be assigned either no, one or multiple roles in Innovator. The model administrator sets a user's role assignment in the user administration.

Note:

Apart from the standard users, model administrator and model guest, all other users in Innovator must be assigned a role to be able to log-in to a model.

A user can modify an element in Innovator if the role they are assigned to has access rights to this element. A user can execute a menu item which is based on a create template, verification routine, an engineering action or a documentation command if the role they are logged in as has the execution right for this menu item.

Privileges, Access Rights, Execution Rights and Administrator Rights in Innovator

Privileges

Various processes which require special privileges can be applied to a model's elements in Innovator. The following privileges can be assigned to a user via one of their roles.

Label privilege

Assigning labels
Version privilege

Import elements or element groups from versioned model parts, import and export version files
Config privilege

Changing the configuration profiles, including verification routines and documentation)
Annotation privilege

Create, modify and delete annotations for diagram elements
ChangeSet privilege

View change log with change sets for model changes

Each role can individually have privileges granted or withdrawn.

Note:

If any one of a user's roles has a privilege, it is also possible to use this privilege in their other roles.

Only the model administrator can grant or withdraw privileges.

Access Rights for Single Elements

Access rights for one or various roles can be assigned for each individual model element.

A user can only change an element if one of their roles has the access right to that element. For certain operations, a corresponding privilege must exist (see above).

The following rules apply when granting or withdrawing access rights to elements.

The model administrator always has all privileges and access rights.
The model administrator can grant and withdraw access rights for all elements.
Only the model administrator can withdraw access rights.
If a user creates an element, the role which the user is logged-in as gets the access right to this element.
If a user has the access right to an element in any one of their roles, they can assign their access right for the element to any of their other roles.

Execution Rights

Execution rights are managed in Innovator models. Execution rights for one or various roles can be assigned for create templates, verification routines, engineering actions and documentation commands. A role can only carry out the corresponding function if it has the execution right for the element.

A user can only use the execution rights of the role they are currently logged-in as.

Note:

Role-related execution rights are direct parts of the model configuration and are only granted in the configuration editor.

You require the Config privilege to be able to grant execution rights (see above).You must be logged-in as the model administrator to be able to withdraw an existing execution right (i.e. have the Config privilege).

Execution rights are managed based on roles in Innovator. This makes it possible to tailor menus (ribbon and context menu) to suit individual roles and design them in a clear way.

The execution right is also used when creating new elements in selection dialogs. Only the create templates which the user has execution rights for in the current role are offered.

Administrator Rights

You need administrator rights for the model to

Create, rename, assign or delete users or roles.
Delete models

You can get access rights for the model by logging-in as model administrator and entering the model administrator password.

You need administrator rights for the repository to

Create, rename, copy, export or delete models
Stop logins to the repository's models

This right is only assigned and required in the administration program.

Assigning Rights as Model Administrator

If your network's user management uses the Lightweight Directory Access Protocol (LDAP) then you can load the user names you require from this source.

If users and roles already exist then you, as model administrator, can assign roles in any order.

In contrast, if no information is available or this information is incomplete, proceed in this order:

Log-in to the model with the model administrator password.
Create roles.
Grant the roles their required privileges.
Create user names.
Assign one or more roles to the user names.

Transferring Users, Roles and Rights to Other Models

You can back-up user and role information and their privileges in the administration program (Administration>Manage Model>Manage Users menu item, Extended, Group Configuration File tab). This file also contains passwords for the users (apart from the administrator) and roles. You can reload the file in any other model so that it can also be made available in a new model.