Controlling Access to Workspace Content

Now reading version 1.1. For the latest, read: Controlling Access to Workspace Content for version 5
Applies to NEXUS Client version: 1.1

This documentation page references Altium NEXUS/NEXUS Client (part of the deployed NEXUS solution), which has been discontinued. All your PCB design, data management and collaboration needs can now be delivered by Altium Designer and a connected Altium 365 Workspace. Check out the FAQs page for more information.

 

Parent page: Server Items

A managed content server provides secure handling of data with high integrity, while providing both Design Team and Supply Chain access to that data as needed. This latter aspect, of whom can access a Server, and more importantly what data they are allowed to access, is facilitated by the Server's user access control and sharing capabilities. These can be broken down into the following key areas:

This document takes a look at the sharing capabilities of a managed content server.

Altium NEXUS can work with the following types of managed content server:
  • Altium NEXUS Server - an on-premise local server for all your managed content.
  • Altium Vault - an on-premise local server for all your managed content (now considered legacy).
While you can continue to use your existing Altium Vault with Altium NEXUS, in what is sometimes referred to as 'compatibility mode', bear in mind that the Altium Vault, as a product, is no longer developed. Altium Vault 3.0 was the last release, beyond which only maintenance updates would be made. To ensure you have access to the latest features and functionality, you are encouraged to switch to using an Altium NEXUS Server.

Folder-Level Sharing

A managed content server supports the ability to 'share' Server folders - facilitating connection to, and access of, Server content of a particular nature. By sharing folders, design content in a Server can be easily partitioned and shared with others.

A folder in a Server can be shared on a number of different levels, in effect defining both the level of visibility of that folder, and the level of security for access to it. This can range from being strictly private access by specified individuals or roles, through to levels for allowing anyone in the same organization to view or change content respectively.

Those with administrator-level privileges (members of the Administrators role) will be able to see and manage all folders. For a non-administrative user of the Server, only those folders that have been shared - i.e. the user has permissions to access - will be accessible when the user signs in to that Server. In addition, non-administrative users of the Server can only share a folder they have created.

Accessing Folder Sharing Controls

Folder-level sharing permissions can be configured from two locations:

  • The Explorer panel, when signed in to the managed content server through Altium NEXUS.
  • The Explorer page when signed in to the managed content server through an external Web Browser (part of the Server's browser-based interface).

Sharing with Specific Users and Roles

Use the Permissions For Folder dialog/Manage Permissions window to determine exactly who is allowed to access and 'see' that folder. Use the Add User and/or Add Role controls to access dialogs/controls with which to add users and/or roles respectively - ultimately creating a specific access list for sharing folder content.

The owner of the folder (the user who created the folder) will always have full access to all content that the folder holds. As such, an entry for the Owner is added by default to the list of specific users and roles, and cannot be removed.


Example of adding a user and a role. Roll over the image to compare configuration in the Explorer panel, with configuration through
the browser-based interface.

The following image shows the result of adding a single user (Neal Geneare) and a single role (Procurement) to the permissions list for a folder.

The result of adding a single user and role to the permissions list for both Explorer panel interface (background) and browser-based interface (foreground).
The result of adding a single user and role to the permissions list for both Explorer panel interface (background) and browser-based interface (foreground).

Things to be aware of:

  • In terms of permissions, a user/role has Read/Write access when the Can Write option is enabled. If this option is disabled, they have Read access only.
  • To remove an existing user/role from having access to the folder:
    • Explorer panel interface - select the user/role in the Permissions for Folder dialog, then click the  button.
    • Browser interface - click the associated Remove control ().
  • If you want all users of the managed content server to have access to the folder, add the Public entity, by using the Add Public control.
In the Permissions for Folder dialog, the Can Edit option defaults to enabled, giving users/roles Read/Write access when they are added. In the browser-based interface, you have the opportunity to set the permission level at the time of searching for a user/role, using the Permission field. Use the drop-down to choose betwen Read access, or Read/Write access.
When configuring sharing through the Explorer panel, users and roles that are newly added will not be finalized (saved) until clicking OK in both the Permissions For Folder dialog AND the Add Folder/Edit Folder dialog. When configuring sharing through the browser-based interface, these additions will not be finalized (saved) until the  button is clicked in the Manage Permissions window.

Descendant Permissions

Permissions defined for a folder can be applied to sub-folders and the Items (and revisions) they contain, by enabling the Apply to Children option - in the Permissions for Folder dialog (Explorer panel interface), or Manage Permissions window (browser-based interface).

Enable the Apply to Children option to pass permissions defined for the folder to descendant child folders, and Items (and revisions) therein.Enable the Apply to Children option to pass permissions defined for the folder to descendant child folders, and Items (and revisions) therein.

This allows a specified user (or role) to be able to see all content under the folder being shared. Conversely, by having this option disabled, a user will only be able to see the root folder - the content in any sub-folders will be unavailable, unless explicitly shared.

Specifying who can Change Permission Settings for a Folder

When configuring folder-level sharing through the Explorer panel, the owner of the folder, or an administrator for the Server, can specify the Sharing Control for that folder - who is allowed to change the permissions for that folder. This is performed from the Permissions For Folder dialog, using the Permissions can be modified by field.

Specify sharing control for a folder.
Specify sharing control for a folder.

The following levels of control are supported:

  • Owner - only the owner of the folder can change the permissions. Editors cannot change access permissions.
  • Collaborators - editors have full control to manage access permissions for the folder.

Item-Level Sharing

Sharing a folder within a managed content server is one thing, but sharing the data within that folder is another altogether. For example, a folder may be in use by two teams, with content from one team not intended for general consumption, while the other team's data is public-facing. Certain data - more specifically the Items and revisions thereof - is therefore required to be hidden, while still allowing applicable users to see the remaining content. In support of this, a managed content server supports the ability to 'share' Items within Server folders, offering a finer level of sharing when it comes to the actual data in a Server..

Those with administrator-level privileges (members of the Administrators role) will be able to see and manage all Items. For a non-administrative user of the Server, only those Items that have been shared - i.e. the user has permissions to access - will be accessible when the user signs in to that Server. In addition, non-administrative users of the Server can only share an Item they have created.

As with folder-level sharing, Item-level sharing permissions can be configured from two locations:

  • The Explorer panel, when signed in to the managed content server through Altium NEXUS.
  • The Explorer page when signed in to the managed content server through an external Web Browser (part of the Server's browser-based interface).

Controls for working with permissions at the Item-level are much the same as for defining permissions at the folder level. Sharing permissions for an Item can be set up at the time of creating the Item, or at any stage after its creation.

If an Item in a Server folder is shared with a given user, but the folder itself is not, then the user will not be able to 'see' that Item when browsing the Server's content.
If the same users/roles permitted to 'see' a folder are also required to 'see' the Items therein (and in each sub-folder as applicable), use the Apply to Children option - in the Permissions for Folder dialog (Explorer panel interface), or Manage Permissions window (browser-based interface) - when defining the permissions for that parent folder. In this way, permissions are inherited quickly at the Item (and Item Revision) level. Adjustments can always be made for specific Items (or revisions) at those lower levels. At the end of the day, full control over who sees what, and where, is facilitated.

Item Revision-Level Sharing

As with folders and Items, an Item Revision in a managed content server can also be shared with permitted users/roles. Item Revision-level sharing is only truly configurable through the Explorer panel. It is not fully supported using the Server's browser-based interface. The difference is that through the Explorer panel, you can specifically share individual revisions, whereas the browser interface simply supports Item-level sharing, and if an Item is shared, all of its revisions are shared too.

Those with administrator-level privileges (members of the Administrators role) will be able to see and manage all Item Revisions. For a non-administrative user of the Server, only those Item Revisions that have been shared – i.e. the user has permissions to access – will be accessible when the user signs in to that Server. In addition, non-administrative users of the Server can only share an Item Revision they have created.

Controls for working with permissions at the Item Revision-level are much the same as for defining permissions at the folder- or Item-level. Sharing permissions for an Item Revision can be set up at the time of creating the parent Item, or at any stage after its creation. Sharing controls are accessed from the Item's associated properties dialog. Click the Advanced control to expand the dialog to see the Item's advanced properties, then click the  link, located below the Lifecycle Definition field. This will give access to the Permissions For Item Revision dialog - command-central for specifying just how the Item Revision can be shared.

If accessing the Item Properties dialog for the top-level parent Item, clicking the Revision Sharing control will access the permissions dialog for the latest revision of that Item. To configure sharing permissions for a previously released revision of the Item, make sure to access the Item Properties dialog for that specific revision.

Access the Permissions For Item Revision dialog, with which to control how the Item Revision is shared with others.
Access the Permissions For Item Revision dialog, with which to control how the Item Revision is shared with others.

If the same users/roles permitted to 'see' an Item are also required to 'see' its Item Revisions, use the Apply to Children option - in the Permissions for Item dialog (Explorer panel interface), or Manage Permissions window (browser-based interface) - when defining the permissions for that parent Item. In this way, permissions are inherited quickly at the Item Revision level. Adjustments can always be made for specific Item Revisions at those lower levels. At the end of the day, full control over who sees what, and where, is facilitated.

 

Content