In our first blog in this series, USING 3DX PEOPLE & ORG, COLLABORATIVE SPACE: Read-only Access to Released Data, we described how 3DEXPERIENCE People and Organization (P&O) is a powerful three-vector security concept (Organization, Collaborative Space, and Role). We shared use cases and scenarios for third-party read-only access.
In this blog, we review the transition between two approaches to security and data access control: the PDM-based security mechanism and the 3DEXPERIENCE organization-centric approach.
The information in this blog is most useful for companies migrating to the 3DEXPERIENCE platform from legacy systems such as SmarTeam, SOLIDWORKS PDM and MatrixOne.
Legacy Systems vs. 3DEXPERIENCE Security Concepts and History
Some legacy PDM systems, such as SmarTeam and pre-platform-era MatrixOne, had granular security and access control concepts that allowed actions such as setting access rules by Class in SmarTeam or by Type in MatrixOne. This methodology was inherited from the Windows directory permission approach. For example, users could give members of Group1 permission to edit documents and view projects, and give members of Group2 permission to create projects and release documents.
Although such granular access control systems allowed a very detailed and specific security control, they became tedious and difficult to manage. As users added more business cases and people, it became harder for the IT/system administrators to track, maintain and change access rules in the organization.
The 3DEXPERIENCE platform has shifted to the People and Organization (P&O) approach in an effort to simplify access control management. Instead of approaching PLM security by asking “what kind of access is needed per Object Type in MatrixOne or Class in SmarTeam?” the question that is asked in 3DEXPERIENCE is “who can access which data?” which normally does not correlate to the Type or Class of an object, at least not initially.
The access control vector in 3DEXPERIENCE consists of three parts:
- User’s association to a company (“organization”) or department, etc.
- Collaborative space, which is essentially a logical container of data that can often be perceived as a project workspace, for example.
- User role in context of the organization and collaborative space.
Although the 3DEXPERIENCE platform simplifies management compared with the granular, type- or folder-based style of access control, and fits better with data-driven collaborative methodologies and scenarios, the approach also imposes a hard transition on users who come from the more granular legacy systems.
In addition, it cannot always adequately cover some of the very specific access control cases based on type, project or folder without extra effort. In one way, Dassault Systèmes looked to create very simple and easy-to-manage security/access control. However, when more detailed security requirements come up, finding solutions within 3DX for such requirements can turn into a more complicated implementation.
For example, some scenarios are not straightforward to cover because they cannot be easily translated, as shown in the security chart below. Note that specific details such as organizations, collaborative spaces and roles, whether restrictive or not, are not shown in the image.
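The translation problem can be sketched in a few lines of Python. This is an added example, not 3DEXPERIENCE code or an xLM tool: the role-to-action mapping, the assumption that edit implies view, and the OrgA/SpaceX names are constructed for illustration, and only the Group1/Group2 rules come from the example above. It maps each legacy group to the least-privileged role that covers its old permissions and lists what that role newly allows.

```python
# Simplified model; names, role/action mapping and sample data are constructed.
from dataclasses import dataclass
# Legacy style: access keyed by (group, object type). "edit" is assumed to imply "view".
LEGACY_RULES = {
    ("Group1", "Document"): {"view", "edit"},
    ("Group1", "Project"): {"view"},
    ("Group2", "Project"): {"create"},
    ("Group2", "Document"): {"release"},
}
# Assumed cumulative role tiers, least privileged first.
ROLE_ACTIONS = {
    "Reader": {"view"},
    "Author": {"view", "create", "edit"},
    "Leader": {"view", "create", "edit", "release"},
}

@dataclass(frozen=True)
class Credential:  # the three-part access vector
    organization: str
    collab_space: str
    role: str

@dataclass(frozen=True)
class DataObject:
    obj_type: str  # carried by the object but never consulted by pno_allows
    organization: str
    collab_space: str

def legacy_allows(group, obj, action):
    return action in LEGACY_RULES.get((group, obj.obj_type), set())

def pno_allows(cred, obj, action):
    same_context = (cred.organization, cred.collab_space) == (obj.organization, obj.collab_space)
    return same_context and action in ROLE_ACTIONS[cred.role]

def smallest_covering_role(group):
    """Least-privileged role covering every action the group had on any type."""
    needed = set().union(*(acts for (g, _), acts in LEGACY_RULES.items() if g == group))
    for role, actions in ROLE_ACTIONS.items():
        if needed <= actions:
            return role
    raise ValueError(f"no role covers {sorted(needed)}")

def over_grants(group, cred, objects):
    """(type, action) pairs the vector allows that the legacy rules did not."""
    return sorted((o.obj_type, a) for o in objects for a in ROLE_ACTIONS[cred.role]
                  if pno_allows(cred, o, a) and not legacy_allows(group, o, a))

if __name__ == "__main__":
    cred = Credential("OrgA", "SpaceX", smallest_covering_role("Group1"))
    print(cred.role, over_grants("Group1", cred, [DataObject("Project", "OrgA", "SpaceX")]))
```

In this model Group1 needs the Author role to keep editing documents, and because the vector never looks at object type, that same role lets Group1 edit projects it could previously only view. During a migration, the over-grant list is the set of cases to resolve with separate collaborative spaces or restrictive roles.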
What is needed is an easy way to support legacy methodology as well as transitioning to the new methodology. The solution is training and adopting a new philosophy when implementing the platform. At xLM, we are very familiar with the different access control approaches and can help guide customers in the right direction as they transition between the systems by providing training and guidance. It requires a different mindset from a business case standpoint.
Questions to Ask When Defining People & Organization (P&O) in 3DX
When we move customers from a legacy PDM/PLM system to 3DX, we start by asking the following questions in relation to data access control.
- Who can access which data with an emphasis on organizational association as well as project or product association? How do different disciplines collaborate with each other on project or product data? This includes parent organization to sub-organization implicit access to data.
- How restricted should the data be? It’s a best practice to start off with a wider common denominator for read-only access, authoring, leader and owner before defining collaborative spaces and roles.
- What are the data sharing needs when dealing with suppliers? Is it a co-design supplier (tight integration with likely access to more data in edit mode) or a manufacturing supplier who requires more of read-only access to the data?
- Should any of the data be considered hidden in certain cases (“secret”) and what is the percentage of this data?
- Is this a smaller-scoped engineering/design implementation or a large enterprise-wide implementation with collaboration across multiple disciplines and/or suppliers and external parties?
- Identify which is public data (viewed by all).
- Identify standard data libraries (i.e., standard parts, common spec, etc.) vs. data that needs to be controlled per organization and project/product basis.
- Consider different companies vs. subsidiaries or departments in a parent company business/access control case.
- Identify and document cases where explicit sharing of data is required.
- Assess users/groups or organization roles in context of project or product design. For example, who is a reader only, who edits the data, who participates in approval processes, etc.?
- Should certain members have implicit read-only access to data in certain cases, or should it be limited to specific data? This may define regular vs. restrictive roles.
Answering these questions will help you determine the best access control mapping and topology.
3DEXPERIENCE has taken an approach to data access control that should simplify the more traditional PDM granular approach, which was based on types, classes, folder, etc. However, for customers who are migrating and transitioning from legacy systems, there are still some gaps and open questions. By asking and answering the right questions, users will gain a better understanding and a more intuitive look into 3DX access control.
At xLM Solutions we provide consulting around all Dassault Systèmes’ PLM/PDM options, including the 3DEXPERIENCE platform, SmarTeam, SOLIDWORKS PDM and the old MatrixOne. We face these questions and challenges frequently with our customers who are migrating from legacy systems. We have built methodologies and tools to close some of the gaps and help our customers transition smoothly into the more data-driven approach.
Contact us if you have any questions about 3DX P&O or IP Security and Export Control or other implementation, integration or data migration issues.