Best Practices for Initial Configuration of Workspace Security and User Groups

This topic provides the recommended steps to set up user groups and permissions in your organization's workspace structure. Depending on how your organization is structured and how you plan to use Primavera Cloud, these steps might not be the best practices for you.

Primavera Cloud provides automatic sharing of workspace security settings to create permission sets and user groups at a high level. As an application administrator, you only have to create the necessary user groups and permission sets for users once at the root workspace. The user groups will become available to all child workspaces, enabling you to add the appropriate users to the correct user groups at each child workspace. This process is shown in the image below.

[Image: diagram that is a graphical representation of the text in this topic.]

For example, you might have a group of users that propose projects in the application. All project proposers need to have the same permissions, but they need to work in different workspaces. At the root workspace, you can create the Project Proposer user group and assign it the Project Proposer permission set. The Project Proposer user group will become available to each child workspace. In each child workspace, you can then assign the users that belong to the Project Proposer user group for that workspace. You can complete this process for all of the necessary user groups in your instance of Primavera Cloud.

You can take the following steps for the initial workspace security configuration in your instance of Primavera Cloud:

  1. Create Permission Sets at the Root Workspace

    Permission sets are collections of security privileges that can be assigned to users or user groups. When you create the permission sets required by your organization at the root workspace, they will be available to be assigned to user groups at the root workspace and all child workspaces. See Permission Sets Overview for information about the permission sets available to be created.

  2. Create Empty User Groups and Assign Permission Sets at the Root Workspace

    User groups are collections of users with the same security permissions. At the root workspace, create the user groups your organization needs and assign the appropriate permission sets. Adding user groups at the root workspace makes them available to all workspaces in your instance of Primavera Cloud. By keeping the user groups empty at the root workspace, you will be able to determine who is added to each user group at the child workspace. See Add a User Group at the Workspace Level for more information.

  3. Add and Assign Users to User Groups in Child Workspaces

    Assigning users to the correct user group at the child workspace level gives them the associated security permissions in that child workspace. Assign users to user groups as soon as they are added to Primavera Cloud to ensure that they have the correct permissions when they receive their welcome email containing their login credentials. See Assign a User to a User Group at the Workspace Level for more information.
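The three steps above can be checked after setup with a small audit. The following is an added example, not Oracle code: the `Workspace` model, the `audit` function, and all sample names other than Project Proposer are hypothetical and do not reflect Primavera Cloud's API or any export format.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

@dataclass
class Workspace:
    name: str
    parent: Optional[str]                  # None marks the root workspace
    # user group name -> users assigned to that group in THIS workspace
    members: Dict[str, Set[str]] = field(default_factory=dict)

def audit(root_groups, workspaces, all_users):
    """Return (check, detail) findings for the initial security setup.

    root_groups maps each user group created at the root workspace to its
    permission set name, or None when no permission set is assigned.
    """
    findings = []
    assigned = set()
    # Step 2: each user group at the root should carry a permission set.
    for group, permission_set in sorted(root_groups.items()):
        if not permission_set:
            findings.append(("group-without-permission-set", group))
    for ws in workspaces:
        for group, users in sorted(ws.members.items()):
            assigned |= users
            # Step 2: groups stay empty at the root; membership is decided
            # per child workspace.
            if ws.parent is None and users:
                detail = f"{group}: {', '.join(sorted(users))}"
                findings.append(("root-group-not-empty", detail))
    # Step 3: users should be in a user group as soon as they are added.
    for user in sorted(all_users - assigned):
        findings.append(("user-without-group", user))
    return findings

# Constructed sample data (hypothetical workspaces, users and "Scheduler").
ROOT_GROUPS = {"Project Proposer": "Project Proposer", "Scheduler": None}
WORKSPACES = [
    Workspace("Root", None, {"Project Proposer": {"alice"}}),
    Workspace("Construction", "Root", {"Project Proposer": {"bob"}}),
    Workspace("IT", "Root", {"Project Proposer": {"carol"}}),
]
ALL_USERS = {"alice", "bob", "carol", "dave"}

if __name__ == "__main__":
    for check, detail in audit(ROOT_GROUPS, WORKSPACES, ALL_USERS):
        print(f"{check}: {detail}")
```
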