Security

Access to data in Primavera Cloud is determined by assigning users with appropriate privileges to the workspace level or object to which they should have access. While P6 requires users be assigned to organization breakdown structure (OBS) elements and OBS elements be assigned to each EPS node, project, and WBS, Primavera Cloud provides a more streamlined approach. Users are assigned directly to the workspace level to which they should have access, with that access automatically inherited by all child workspaces, projects, portfolios, programs, and ideas in that workspace branch. Access is also pushed down to the custom logs, files, and reports within the workspace branch. If access to only specific objects is required, a user can be assigned directly to those objects.

Permission Sets

While user assignment to objects controls access, it is the permission sets assigned to the user that determine the user's ability to perform certain functions such as add, edit, and delete on the objects to which they have access. Permission sets are collections of related security privileges. There are two types of permission sets in Primavera Cloud: global permission sets and object permission sets.

You can create as many different global and object permission sets as necessary for your organization. All permission sets contain two preconfigured options: Administrator (System) and View Only (System). The Administrator (System) permission set has all privileges assigned. The View Only (System) permission set provides read-only access to objects and their data. During user configuration, you can define the default permission sets that a user will have when assigned to a new object. These can be changed at each assignment level.

When a user is assigned to a workspace, they are granted access to the workspace and the objects within the workspace according to the permission sets given to the user. If a permission set for an object is not assigned at the parent workspace level, it can be assigned at a lower workspace level or directly to the corresponding object within the workspace. You can create varying levels of access within the hierarchy by assigning a user different permission sets at each level. For example, assign a user to a workspace with a View Only (System) workspace permission set to grant them read-only access to all child workspaces within the workspace. If there are two immediate child workspaces, you can assign the user Administrator (System) permissions to one workspace while the other workspace remains View Only (System). This basic concept can be applied to multiple levels of a workspace hierarchy as well as object permission sets at multiple levels. Additional recommendations are provided in Best Practices and Recommendations.

User Groups

Primavera Cloud also supports bulk user security management through the implementation of user groups. User groups are collections of users that share similar responsibilities and are granted the same level of access to the objects to which the group is assigned. They are created at the workspace level and are automatically available to be assigned to the objects within the owning workspace's hierarchy. They can also be created at the project level and will only be available to be assigned to that project. A user group can be assigned to a workspace, project, portfolio, report, file, idea, custom log, or program. Access is only granted after the user group has been assigned to the workspace or child object. At the workspace level, assigning a user or group an object permission set will grant access to all instances of that object within the current workspace. Multiple user groups can be assigned to the same object. Just like individual users, object permission sets assigned to the group determine the users' level of access. Default permission sets can be defined for user groups and modified at each level where the group is assigned.

Users can be added to a user group at the workspace or project where they should have access. This can be before or after the user group has been assigned. As long as the user group has been given the proper object permission sets, users added to it gain access to those objects in the workspace the group is assigned to, or to the object itself if the group is assigned directly to it. A user can be part of multiple user groups, even if they are assigned to the same object. Permissions are additive, so users that belong to multiple user groups assigned to the same object will have access to that object with all permissions assigned by the user groups of which they are a member. You can create as many user groups as necessary to model the different user roles in your organization. For example, you might want to create separate user groups for executives, project managers, foremen, and tradespeople, each with a distinct set of permissions in accordance with their role.
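The inheritance and additive group rules described in Permission Sets and User Groups can be modeled to review who ends up with which privileges at a given workspace. The following is an added example, not Oracle code or a Primavera Cloud API: the workspace names, users, groups, the Schedulers permission set, and the privilege names are constructed. It assumes that, for any one user or group, the assignment closest to the workspace is the one that applies.

```python
# Simplified model of the access rules described above (not Oracle's implementation).
# All names and privilege sets below are constructed sample data.
PERMISSION_SETS = {
    "Administrator (System)": {"view", "add", "edit", "delete"},
    "View Only (System)": {"view"},
    "Schedulers": {"view", "edit"},  # hypothetical custom object permission set
}
# Workspace hierarchy: child -> parent (None marks the root workspace).
PARENT = {"Company": None, "Civil": "Company", "Rail": "Company", "Bridge A": "Civil"}
# (principal, workspace) -> permission set assigned at that level.
ASSIGNMENTS = {
    ("user:ana", "Company"): "View Only (System)",
    ("user:ana", "Civil"): "Administrator (System)",
    ("group:planners", "Rail"): "Schedulers",
    ("group:reviewers", "Rail"): "View Only (System)",
}
GROUPS = {"group:planners": {"ben"}, "group:reviewers": {"ben", "ana"}}

def path_to_root(workspace):
    """Yield the workspace, then each ancestor up to the root."""
    while workspace is not None:
        yield workspace
        workspace = PARENT[workspace]

def nearest_set(principal, workspace):
    """Assumption: the assignment closest to the workspace applies; else inherit."""
    for node in path_to_root(workspace):
        name = ASSIGNMENTS.get((principal, node))
        if name:
            return name
    return None  # never assigned on this branch, so no access

def effective_privileges(user, workspace):
    """Union of the user's own assignment and every group they belong to."""
    principals = ["user:" + user]
    principals += sorted(g for g, members in GROUPS.items() if user in members)
    privileges = set()
    for principal in principals:
        name = nearest_set(principal, workspace)
        if name:
            privileges |= PERMISSION_SETS[name]  # permissions are additive
    return privileges

def who_can(privilege, workspace):
    """Review helper: users holding a privilege at a workspace, by any route."""
    users = {p[len("user:"):] for p, _ in ASSIGNMENTS if p.startswith("user:")}
    users |= set().union(*GROUPS.values())
    return sorted(u for u in users if privilege in effective_privileges(u, workspace))

if __name__ == "__main__":
    print(effective_privileges("ana", "Bridge A"), who_can("edit", "Rail"))
```

Running who_can for privileges such as delete on each workspace gives a quick review of where a broad assignment high in the hierarchy, or overlapping group memberships, grants more than intended.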

Where Do I Configure User Security?

User security, including users, user groups, and their assigned permission sets, can be managed at the Global Admin, workspace, or project level. In Global Admin, users with the appropriate privileges can view and manage security for the objects that they have access to. At the workspace level, security is managed from the Summary & Settings pages. Project-level security is configured from the Project Team app in a project. At the workspace or project level, only user groups for that object and inherited user groups can be managed by administrators and by users with the User Groups privilege at that level.

Global and object permission sets can be configured at the Global Admin or workspace level. At the Global Admin level, administrators can select the owning workspace of each object permission set. Object permission sets are available to be assigned to users and user groups for objects within the owning workspace's hierarchy.



Last Published Tuesday, May 21, 2024