Rights, Roles and Rules for Users

Rights for using model elements are assigned to roles in the configuration editor or in the model editor. User role assignment is carried out in single sign-on using rules, primarily for user groups.

Assigning Rights to Roles

The model administrator can assign rights to roles defined in the model's user management in the configuration editor.

Roles with the Configure privilege can assign execution rights for create templates, verification routines, engineering actions and documentation commands in profiles using the configuration editor.

The execution right for roles for a create template is carried over to the created element as an access right for these roles.

The model administrator can restrict access and read permission (visibility) for user roles at package level.

Login rules determine availability of roles for users for managed models and independent models in single sign-on repositories.

Users, passwords and roles are managed in the configuration editor for independent models in non-single sign-on repositories.

Table: Role Rights and their Assignment in a Model
	Model Editor, Properties Tool Window	Model Editor, Model Content Tool Window, Access Rights View	Configuration Editor
Access Right	Assigned roles with access rights Model administrator	Model Administrator at Package Level	Create templates assign access rights to all roles with execution rights
Read Right (Visibility)		Model Administrator at Package Level
Execution Rights			Model administrator for roles (Execution Rights view)
Privileges			Model administrator for roles ( Model Administration/Manage Users dialog)

Access Rights for Single Elements

Access rights for one or more roles can be assigned for each individual element of a model.

A user can only modify an element if one of their roles has the access rights for the element. Certain processes also require corresponding privileges (see below).

The active role and its execution rights determine what is shown in the menus. This is why they may not fit to the element to be modified; it may also not be possible to create elements. Execution rights for all assigned roles can therefore be temporarily used (see below).

The following rules apply when granting or withdrawing access rights to elements.

The model administrator always has all privileges and access rights.
The model administrator can grant and revoke access rights for all elements.
Only the model administrator can revoke access rights.
If a user creates an element, then the execution rights for the create template are adopted as access rights to this element.
If a user has the access right to an element, then they can assign access rights for the element to any of their roles.

The Access Rights tool window view in the Model Contents tool window allows the model administrator to grant and withdraw the access right for user roles at the package level.

The existing access rights to a model element are displayed in the Properties and Info tool windows.

Restricting Read Rights in the Model

Read right (visibility) can be constrained at the package level for user roles to make it easier to roughly split models. It is easy to hide whole areas for certain roles for a clearer overview.

The model administrator can grant and withdraw read rights in the Access Rights tool window view in the Model Contents tool window.

The Guest standard user has read rights to intersections of read rights for all roles in the model, i.e. packages that all roles have a read right for. This might mean that a guest can only see the root node of the model.

Diagrams that contain hidden elements (e.g. diagrams, packages, components) are not shown. This message appears instead: "The existing read permissions are not sufficient to view the diagram!"

Note

A user in a role with the Align Models privilege can see all model elements, regardless of restricted read rights for roles.

Execution rights

Execution rights are managed in Innovator models. Execution rights for one or various roles can be assigned for create templates, verification routines, engineering actions and documentation commands. A role can execute the corresponding function if it has execution rights for the function.

Note

Role-based execution rights are a direct part of the model configuration and are only assigned in the configuration editor.

You must log-in as model administrator before you can grant and revoke execution rights.

Execution rights are managed based on roles in Innovator. This makes it possible to tailor menus (ribbon and context menu) to suit individual roles and design them in a clear way.

The execution right is also used when creating new elements in selection dialogs. Only the create templates which the user has execution rights for are offered.

A user can temporarily be given execution rights for all roles they are assigned to. This may make the menus not very clear.

Restriction

Whether a model element is really created using create templates or not is controlled by the access right to the individual packages. If a user's roles do not have access rights to at least one package which such elements can be created in, creation is refused.

Privileges

Various processes which require special privileges can be applied to a model's elements in Innovator. The following privileges can be assigned to the user via their role.

Table: Privileges
Privilege	Operation
Configure	Change the model configuration (profiles incl. verification routines and documentation)
Set Labels	Assigning labels
Use Model Fragments	Import elements or element groups from model fragments, export model fragments
Edit Annotations	Create, modify and delete annotations for diagram elements
View Change Logs	View log of model changes
Translate Model Elements	Translate model elements in display languages in the Translation tool window; create and import translation files
Configure Database Connections	Manage database connections (relevant only in Innovator for Information Architects)
Use Bulk Commands	Managing commands which can cause long runtimes in large models due to their high data traffic. Examples: searching without element constraint, editing section exclusively, adding content recursively to the result region and changing more than 1,000 elements in the Properties tool window at the same time.
Align Models	Comparing models (comparing and merging model elements) A user in a role with this privilege can see all model elements, regardless of restricted read rights for roles.
Use Dependency Editor	Using the Dependency Editor Using the dependency editor can lead to long runtimes in large models.
Export Models	Converting a repository model into a local model file and vice versa
Delete Change Sets	Delete change sets for model changes
Edit Model-Wide Configurations	Creating, changing and deleting model-wide application configurations
Edit Hyphenation	Editing hyphenation in dictionaries for models in the license server The environment right or login as license administrator may also be required in the administration program.

Each role can individually have privileges granted or withdrawn.

A user can only use the privileges of their currently used role.

A user can temporarily be given privileges for all roles they are assigned to. This may make the menus not very clear.

Note

The role-based privileges are granted or withdrawn In the configuration editor in the model's user management only (Configuration>Model Administration>Manage Users).

Model administrator rights are required.