The EPM Live security model is built on the SharePoint security model. All of EPM Live's customizations use SharePoint’s security model to extract data from various lists throughout the environment; this ensures that the security set within SharePoint also applies within the EPM Live solution. Each site and list contains security groups that are either unique to the site or inherited from the parent site. Site Collection Administrators are defined separately and are set at the highest level of permissions and access.
1. Security Terms and Definitions
- Permissions: Permissions (also called individual permissions or base permissions) grant a user the ability to perform specific actions, such as viewing pages, opening items, and modifying items.
- Permission Levels: A Permission Level is a collection of individual permissions that are bundled together to allow users to perform a set of related tasks. One or more permission levels can be assigned to a user or group.
- Permission Inheritance: Permissions that are inherited from the parent object by its child object(s) (sites – lists – items – fields).
- Unique Permissions: Permissions set on an object after its Permission Inheritance has been broken, in order to create new/different permission levels and permissions for that specific object.
- Groups: A group is a collection of users that can share the same permissions on a specific site or content. When you create a group, you always bundle a specific permission level to it. Afterwards, when you want to assign someone that specific permission level, simply add the user to the group.
2. Levels and Types of Security Available
There are many features and options for managing the Security and Permissions in EPM Live. Some of these are SharePoint's standard Security capabilities, while some are EPM Live's additional security capabilities that extend beyond SharePoint's Security. The following levels/types of Security are available in the EPM Live system:
- Site Permissions: The Permissions for users to access the site. These are set by adding each user to a Permissions Group in the Resource Pool.
- List/Library Permissions: The Permissions for users to access a List App or Library. These are set in the List Settings Permission Settings for each List App.
- View Permissions: The permissions for groups to have access to certain views in a List App, and to have a specified default view in the List App. These are configured in the List Settings View Permissions Settings in each List App.
- Item Permissions: The Build Team Security feature allows users added to an item's team to have access to it. Unique Permission Groups are created for each item when enabled. These are configured in the List Settings General Settings for each List App.
- Associated Item Inherited Permissions: When using the Item Permissions Build Team Security feature, this feature allows for associated items to inherit the permissions of their parent item. These are set in the Lookup Settings of the child List App. Child Items can inherit permissions from multiple associated parent items.
- Field Permissions: The Manage Editable Fields settings allow for fields to be visible and/or editable based on the User's security group. These are configured on the List Settings page for each List App.
- PortfolioEngine Permission Levels: The PortfolioEngine Permission Levels are configured on the PortfolioEngine Permissions page. The Group names match the Site Permission Group Names. These are applicable if using the Portfolio Tools for Cost Management and Resource Management.
- PortfolioEngine Permissions - Portfolio Tools: The Permissions for users to access the Portfolio Tools (Cost Planner, Cost Analyzer, Cost Modeler, Resource Planner, and Resource Analyzer). These are set by adding each user to a Permissions Group in the Resource Pool.
- PortfolioEngine Permissions - Cost Types: The Permissions that allow access for groups to read and/or edit the Cost Types in the Portfolio Tools. These are configured in the Cost Types page.
- PortfolioEngine Permissions - Cost Model Versions: The Permissions that allow access for groups to read and/or edit the versions within the Cost Models for the Cost Modeler. These are set in the Cost Models page.
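Because these settings sit on top of SharePoint permission inheritance, a useful review step is to list where inheritance has been broken and which groups hold which permission levels there. The script below is an added example, not EPM Live's own tooling; it assumes an on-premises farm with the SharePoint Management Shell available, and the site URL is a placeholder.

```powershell
# Added example: report where permission inheritance is broken in one site.
# Assumptions: run in the SharePoint Management Shell on a farm server with
# rights to read the site; $SiteUrl is a placeholder, not a value from this page.
param(
    [string]$SiteUrl = 'https://epm.example.com/sites/pmo'  # placeholder URL
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-RoleSummary($securable) {
    # One string per role assignment: "user or group => permission levels"
    foreach ($ra in $securable.RoleAssignments) {
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
        '{0} => {1}' -f $ra.Member.Name, $levels
    }
}

function New-Finding($scope, $title, $securable) {
    [pscustomobject]@{
        Scope  = $scope
        Title  = $title
        Unique = $securable.HasUniqueRoleAssignments
        Roles  = (Get-RoleSummary $securable) -join '; '
    }
}

$web = Get-SPWeb -Identity $SiteUrl
try {
    # The site is always reported so its baseline groups are visible.
    $findings = @(New-Finding 'Site' $web.Title $web)
    foreach ($list in $web.Lists) {
        if ($list.HasUniqueRoleAssignments) {
            $findings += New-Finding 'List' $list.Title $list
        }
        # Enumerating every item is slow on large lists; narrow the scope if needed.
        foreach ($item in $list.Items) {
            if ($item.HasUniqueRoleAssignments) {
                $findings += New-Finding 'Item' "$($list.Title) / $($item.Name)" $item
            }
        }
    }
    $findings | Sort-Object Scope, Title | Format-Table -AutoSize -Wrap
}
finally {
    $web.Dispose()   # SPWeb objects from Get-SPWeb must be disposed
}
```

Since unique permission groups are created per item when Build Team Security is enabled, lists using that feature are where Item rows would be expected; Item or List rows elsewhere are worth checking against the intended configuration.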