
Controlling Repository Access

The repository administrator is responsible for controlling access to the documents stored in the repository by creating users and groups and assigning them rights, permissions, and profiles. PowerDesigner can manage users itself and also supports LDAP and X.509 certificate-based authentication.

Context

Repository rights give users access to general repository features, while permissions give them access to particular locations in the repository. The following rights and permissions are available:
Rights (Entire Repository)
  • Connect - Connect to the repository and view diagrams in PowerDesigner Web.
  • Edit on Web - Create and edit diagrams in PowerDesigner Web.
  • Edit Extensions on Web - Create and edit custom properties in PowerDesigner Web. Gives access to the Administration/Extensions tile.
  • Freeze Versions - (only used with the desktop PowerDesigner client).
  • Lock Versions - (only used with the desktop PowerDesigner client).
  • Manage Branches - (only used with the desktop PowerDesigner client).
  • Manage Configurations - (only used with the desktop PowerDesigner client).
  • Manage All Documents - Perform any action on any document version. Implicitly includes Full permission on all repository documents.
  • Manage Users - Create, modify, and delete repository users and groups, grant them rights, and add them to groups. Gives access to the Administration/Users and Groups tiles.
  • Manage Repository - Create, upgrade, and delete the repository database. Gives access to the Administration/Settings tile.

Permissions (Per Folder or Item)
  • List - View the document or folder in the repository browser and in search results. Without this permission, the folder or document is hidden from the user.

  • Read - Also open and compare documents.

  • Submit - Also propose changes to the document for review by a user with Write permission.

  • Write - Also review changes by other users and publish changes directly.

  • Full - Also manage permissions granted to users and groups.
    Note: Administrators, who have implicit Full permission on all repository objects, will only receive diagrams for review if they have been granted explicit Write permission on them.

Procedure

  1. [recommended] Connect the repository to an SMTP server to enable the automatic sending of emails for passwords, changelist submissions, and other notifications (see Connecting to an SMTP Server for Notifications).
  2. Determine how you will manage user authentication. You can choose one or more of:
    Note: LDAP or X.509 certificates are only used for authentication. Rights and permissions on repository folders and documents are controlled in the repository.
  3. [optional] Create high-level functional groups (see Creating Repository Groups) to organize users by type and assign appropriate rights to them to govern general actions that they can perform in the repository (see Granting Rights to Users and Groups).
    For example:

    Groups | Rights
    ------ | ------
    Administrators | Connect, Manage All Documents, Manage Users, Manage Repository
    Senior Architects [use the PowerDesigner desktop client] | Connect, Edit on Web, Freeze Versions, Lock Versions, Manage Branches, Manage Configurations
    Architects [use the PowerDesigner desktop client] | Connect, Edit on Web, Freeze Versions, Lock Versions
    Business Analysts | Connect, Edit on Web
    Process Owners | Connect, Edit on Web, Edit Extensions on Web
    Stakeholders | Connect (to provide read-only access to PowerDesigner Web).
    Note: There is no requirement to create groups (you can assign rights and permissions to individual users), but we recommend that you create groups in all but the smallest deployments to simplify the process.
  4. [optional] Apply profiles to your groups as necessary to filter the PowerDesigner interface, hiding types of models, objects, and properties or making them read-only, and to specify defaults for interface elements, options, and preferences for different kinds of users. User profiles are developed and deployed only using the PowerDesigner desktop client but are applied to both the desktop client and PowerDesigner Web (see Core Features Guide > Administering PowerDesigner > Customizing the PowerDesigner Interface > Using Profiles to Control the PowerDesigner Interface).
  5. Create an appropriate folder structure in the repository (see The Repository) to enable you to group documents by project or in any other appropriate way, and to simplify the granting of permissions.
    In this example, we imagine the following simple folder structure in which processes are organized at a high level by line of business:
    • Library
    • Process Map
    • Process Diagrams
      • HR
      • Sales
  6. Determine your review policy at either a global or a project-by-project level. PowerDesigner supports the following kinds of policy:
    • Simple review - Change lists submitted by users with the Submit permission are reviewed by a single user with the Write or Full permission.
    • Peer review - Users with the Write or Full permission voluntarily submit change lists for review.
    • Direct check in - The Submit permission and change lists are not used, and users all check in changes without review.
  7. Create development groups and implement your review policies by assigning appropriate permissions to control what actions users and groups can perform on particular repository documents and folders.
    In this example, we propose a simple group structure with permissions based on role and line of business:
    • Enterprise Architects - Have full control over all documents.
    • Process Analysts - Maintain the process map and review business process diagrams for publication in the repository.
    • Process Owners - May submit business process diagrams for their domain.
    • Stakeholders - Have read access to all documents by default.
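
    Group                  | Library | Process Map | Process Diagrams/HR | Process Diagrams/Sales
    ---------------------- | ------- | ----------- | ------------------- | ----------------------
    Enterprise Architects  | Full    | Full        | Full                | Full
    Process Analysts       | Write   | Write       | Write               | Write
    Process Owners - HR    | Submit  | Read        | Submit              | Read
    Process Owners - Sales | Submit  | Read        | Read                | Submit
    Stakeholders           | Read    | Read        | Read                | Read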
  8. Create as many users as necessary either manually (see Creating Repository Users) or via LDAP (see Creating Externally-Authenticated Repository Users) and assign them to appropriate groups (see Adding Users and Groups to a Group) according to their roles and project responsibilities.
    There is no limit to the number of groups to which a user or group can be assigned, and users benefit from the cumulative total of all the rights and permissions they receive.
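
Because rights and permissions accumulate across groups, a user placed in a second group can end up able to publish without review. The following is an added example, not PowerDesigner code and not using any PowerDesigner API: it models the step 7 matrix and reports where a Submit grant is overridden by Write or Full. The users, the group nesting, and the reading of "cumulative total" as the highest granted level are assumptions.

```python
# Levels in ascending order; per the page, each level includes those below it.
LEVELS = ["List", "Read", "Submit", "Write", "Full"]
RANK = {name: i for i, name in enumerate(LEVELS)}
LOCATIONS = ["Library", "Process Map", "Process Diagrams/HR", "Process Diagrams/Sales"]

# Permission matrix from step 7 of the page, one level per entry in LOCATIONS.
GROUP_PERMISSIONS = {
    "Enterprise Architects": ["Full", "Full", "Full", "Full"],
    "Process Analysts": ["Write", "Write", "Write", "Write"],
    "Process Owners - HR": ["Submit", "Read", "Submit", "Read"],
    "Process Owners - Sales": ["Submit", "Read", "Read", "Submit"],
    "Stakeholders": ["Read", "Read", "Read", "Read"],
    # Administrators hold Manage All Documents, which implies Full everywhere.
    "Administrators": ["Full", "Full", "Full", "Full"],
}

# Constructed sample data: the group nesting and the users are hypothetical.
GROUP_MEMBER_OF = {"Process Owners - HR": ["Stakeholders"]}
USERS = {
    "alice": ["Process Owners - HR"],
    "bob": ["Process Owners - Sales", "Process Analysts"],
    "carol": ["Stakeholders", "Administrators"],
}

def expand_groups(direct):
    """Return the direct groups plus every group they are nested in."""
    seen, stack = set(), list(direct)
    while stack:
        group = stack.pop()
        if group not in seen:  # also guards against membership cycles
            seen.add(group)
            stack.extend(GROUP_MEMBER_OF.get(group, []))
    return seen

def grants(user, i):
    """Levels granted at LOCATIONS[i] by each of the user's groups."""
    groups = expand_groups(USERS[user])
    return [GROUP_PERMISSIONS[g][i] for g in groups if g in GROUP_PERMISSIONS]

def effective_permissions(user):
    """Highest level per location: 'cumulative total' read as the maximum."""
    return {loc: max(grants(user, i), key=RANK.get, default=None)
            for i, loc in enumerate(LOCATIONS)}

def review_bypasses():
    """(user, location) pairs where a Submit grant is overridden by Write or Full."""
    return [(user, loc) for user in sorted(USERS) for i, loc in enumerate(LOCATIONS)
            if "Submit" in grants(user, i)
            and RANK[effective_permissions(user)[loc]] >= RANK["Write"]]
```

Here `bob` is flagged for Library and Process Diagrams/Sales: his Process Owners - Sales membership suggests a submitter, but Process Analysts gives him Write on the same locations.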