Access Control Lists for Structures

You can use access control list for structures to control which users can create, view, manage, or delete item structures.

You can define access by creating conditions based on the Item Structure Name attribute, associating those conditions with permission sets on structures, and assigning the permission sets to teams. You can grant access to roles, individual users, or users in filtered lists.

Access control lists enable you to grant selected users access to specific structures within your organization. For example:
  • Product Engineers can create and view a primary structure
  • Manufacturing Engineers can view a specific alternate structure

Before you secure structures, here’s what you must know:

  • You must have access to the item before you can access its structures.
  • It isn’t necessary to enable the Enable Access Control List for Item Structure profile if your company doesn’t have a need to limit access based on structures.
  • The user must be granted Access To = Structures in the relevant item access control list permission to access the item’s structure types
  • When a new structure type is created, it's automatically added to the list of secured structures for the user. Similarly, when an existing structure type is deleted, it's automatically removed from that list. This ensures that the user’s existing structure security remains unchanged and unaffected.
  • If you opt in to the access control list for structures without opting in to the access control list for items, then the access control list for structure isn't enforced and the structures continue to follow the existing structure security.

  • Users with the Manage Item Structure functional privilege also need the Manage permission on the structure type in structure access control list to modify structure header and component attributes.
  • Product Development users who work with engineered items, which have only primary structures must be granted the necessary permission to access it.

Enable Access Control Lists for Item Structures

You must enable the profile option Enable Access Control List for Item Structure to use criteria-based access control for item structures. By default, the profile option is set to No.

When you enable the profile option, the structures continue to honor any existing security settings until you create a team that includes permission set for structures.

Remember to enable the profile option only if your organization needs to limit access by structure type.

You can add the following members (or users) in your team.
  • Roles: These are users assigned to roles created in the Security Console.
  • Users: These are individual users created in the Security Console.
  • Filtered Lists: These are workers added to a group using a condition on the worker attribute.
Note: Once you enable the profile option and create a permission for a structure, all the structures in the application will become private, regardless of their current public or private settings. You must manually assign user permissions to these structures.

Permission Sets for Item Structures

Permission sets enable you to define access on item structures. In each of the permission sets you can add multiple permissions on item structures granting access to the team members.

You can provide conditional access using permissions such as create, view, delete, or manage. These permissions will also control redline, compare structures, and other actions.

  • Create permission: allows the user to create a structure for an item when using the following options:
    • Create New: The user must have Create permission for the structure type being created on the item.
    • Create from Copy or Create from Common: The user must have Create permission for the structure type being created on the item, and must have View or Manage permission for the source structures being copied or referenced as common.
  • View permission: allows users to view the item structures and structure-related redlines in the workflow summary report in a read-only format.
  • Manage permission: allows users to edit the structures, including updating structure details, adding or removing components, modifying component-related attributes, view structure-related redlines in the workflow summary report, and compare two structures .
  • Delete permission: allows the users to assign a structure to a delete group.
Note: With either the View or Manage permissions on the structure types, you can compare any two Structures you want to compare.

How Security is Applied on Item Structures

You must first have access to the item to access its structures. The permissions for structures are evaluated only when the access control list on the item grants the user the View or Manage access to the structures.

The following table lists the actions you can perform with permissions on items and item structures:

Permission on the Item (with Access to Structure) Permission on the Structure What Users Can Do or Can't Do on the Structure
View Create
  • Can’t create a structure
  • Can’t view the available structure
View Delete
  • Can’t create a structure
  • Can’t view the available structure
View View Can only view the available structure
View Manage Can only view the available structure
Manage Create
  • Can create a structure
  • Can’t view the available structure
Manage Delete
  • Can’t create a structure
  • Can’t view the available structure
Manage View Can only view the structure
Manage Manage Can view and edit the available structure

An Example of the Security Applied Using Structure Access Control List

Here's an example to understand the security applied on an item structure using Access Control List for Structures.

Consider an item which has multiple item structures for various reasons like - functionality, manufacturing, cost, and so on. Here, you can grant a set of users specific permission on the structure to control what actions they could perform on the structures - Create, Delete, View, and Manage.

The table lists the item structure names associated with the item

Item Name Item Structure Name
Laptop Primary
Alternate
Engineering Specs

In the example, you could make the Engineering Specs structure private by granting access to the engineering team members, thus ensuring that the rest of the company can't access the structure.

Item Structures in Workflows

  • To redline structure details or components in a workflow, users need the Manage permission on the relevant structure type, Manage access to the item, and workflow access.
  • To view structure-related redlines in the Workflow Summary report, users must be granted View or Manage permission for the relevant structure type.

Structure access control list security applies to the user interface, REST services, SOAP services, and import processes. A user can create or update a structure through import only when the user has the Create or Manage permission for the relevant structure type on the item.