About File Permission


As written in the document “File Handling”, the permissions of a File Item depend on the Item containing that File (the File container item).
But I think there are some use cases for controlling the File Item permission independently of the container item.

Ex) CAD Item

- Engineer : can upload and download the native files

- Sales staff : can download the viewer files (PDF) and are not allowed to download native files

- Restricted staff : can view just the data in Visual Collaboration, and are not allowed to download native files and viewer files.

 

I think Aras does not have the capability for these use cases with the standard permission framework, so I’m considering how to satisfy the requirement.
Please give me some advice.

 

Below are my ideas for preventing users who can access the File Container Item from downloading the files.

 1. If the file container item has the file as a property
I have two ideas.

- Clear the property that manages the file item in the ‘On After Get’ event of the File Container Item.
In the search grid and form view, the value of the property for the file item is cleared.

- Clear the id of the file item in the ‘On After Get’ event of the File Item.
In the search grid and form view, the value of the property for the File Item is shown normally, but the file cannot be downloaded (the message “Failed to get the file.” is shown).

 2. If the file container item has the file as Relationship Item
In this case I have four ideas.

- Clear the related id in the ‘On After Get’ event of the Relation Item.
In the relation grid, it looks like a null relationship, so I cannot download the file.
But in Structure Browser, I can see the file item and download the file.
So, this idea is not good.

- Clear the id of the file item in the ‘On After Get’ event of the File Item.
In the relation grid, it looks like a null relationship, so I cannot download the file. (same as above)
And in Structure Browser, I can see the file item, but I cannot download the file.

- Set the permission of the relation item as “No permission”.
In the relation grid, I cannot see the relationship, so I cannot download the file.
And in Structure Browser, I cannot see the file item, so I cannot download the file.

- Set the permission of the relation item as “Discover only”.
In the relation grid, it looks normal (I can see the file name), but I cannot download the file.
And in Structure Browser, I can see the file item, but I cannot download the file.

 If you have any ideas for controlling the file permission, please let me know.

 

  • Hello,

    Could you let us know what version of Aras Innovator you are using? Aras has added additional options for access control in recent releases. We have a few blog posts I'd recommend checking out including a general overview of these new options and the individual blog posts for MAC Policies and DAC Policies. There's a particular feature that was added to MAC Policies in 12.0 SP6 that I think could handle this use case quite well.

    In addition to actually limiting access at a server level, it would also be beneficial to implement client-side changes to reflect this new access. Engineers should be able to see the default form for CAD, sales staff should see a more limited version of the CAD form that removes the native_file field entirely, and other users should see an even more limited view that removes both the native_file and viewable_file fields.

    Chris


    Christopher Gillis

    Aras Labs Software Engineer

  • Hello Chris,

    Thank you for your reply.

    My post is a general question, so you can think based on the latest version of Aras.

    MAC Policy and DAC Policy are very good functions, but I think they do not work for the File Item Type.
    Does MAC Policy or DAC Policy work for File Item?
    If so, I’ll check the actual behavior.

    About the client side, it is a good idea to switch the form by user role.
    Is there any way to switch the columns of the search grid and relation grid by user role?
    Engineers and Sales staff can see the viewable_file property in the grid, but other users cannot set the property in the grid.

    Thanks,

    Kenzo