Controlling Access to Vault Content

Now reading version 16.0. For the latest, read: Controlling Access to Vault Content for version 17.1
 

Parent page: Vault Items

An Altium Vault provides secure handling of data with high integrity, while providing both Design Team and Supply Chain access to that data as needed. This latter aspect, of whom can access a vault, and more importantly what data they are allowed to access, is facilitated by the Altium Vault's user access control and sharing capabilities. These can be broken down into the following key areas:

This document takes a look at the sharing capabilities of the Altium Vault.

Folder-Level Sharing

An Altium Vault supports the ability to 'share' vault folders - facilitating connection to, and access of, vault content of a particular nature. By sharing vault folders, design content in a vault can be easily partitioned and shared with others.

A folder in a vault can be shared on a number of different levels, in effect defining both the level of visibility of that folder, and the level of security for access to it. This can range from being strictly private access by specified individuals or roles, through to levels for allowing anyone in the same organization to view or change content respectively.

Those with administrator-level privileges (members of the Administrators role) will be able to see and manage all folders. For a non-administrative user of the vault, only those folders that have been shared - i.e. the user has permissions to access - will be accessible when the user signs in to that vault. In addition, non-administrative users of the vault can only share a folder they have created.

Accessing Folder Sharing Controls

Folder-level sharing permissions can be configured from two locations:

  • The Vaults panel, when signed in to the Altium Vault through Altium Designer.
  • The Vault page when signed in to the Altium Vault through an external Web Browser (part of the vault's browser-based interface).

Levels of Sharing

A folder can be shared on a number of different levels. Choose the required level of access in the Sharing Level dialog/window, accessed by clicking the Change link at the top-right of the Permissions For Folder dialog (Vaults panel access) or Sharing Settings window (browser-based access).


Set the level of sharing for the folder. Roll over the image to compare access through Vaults panel, with access through
browser-based interface.

The following levels of sharing are supported:

  • Private - only users or roles explicitly granted permission can access or change according to their granted access rights.
  • Anyone in my organization can view - any user signed-in to the vault can view the folder (Read-only access rights).
  • Anyone in my organization can change - any user signed-in to the vault can view and change the folder and its content (Read/Write access rights).
Remember, Administrators for the vault will have full read/write access to the vault and all of its folders.

Sharing with Specific Users and Roles

When the sharing level of a folder is set to Private, use the Sharing With Specific Users And Roles region of the Permissions For Folder dialog/Sharing Settings window to determine exactly who is allowed to access and 'see' that folder. Simply use the Add User and/or Add Role controls to access dialogs/controls with which to add users and/or roles respectively - ultimately creating a specific access list for sharing folder content.

The owner of the folder (the user who created the folder) will always have full access to all content that the folder holds. As such, an entry for the Owner is added by default to the list of specific users and roles, and cannot be removed.


Example of adding a user and a role. Roll over the image to compare configuration in the Vaults panel, with configuration through
the browser-based interface.

The following image shows the result of adding a single user (Desmond Igner) and a single role (Procurement) to the permissions list for a folder. Note than when configuring permissions through the Vaults panel, added users and roles will appear listed under sections for Shared with Users and Shared with Roles respectively.

The result of adding a single user and role to the permissions list for both Vaults panel interface (top) and browser-based interface (bottom).
The result of adding a single user and role to the permissions list for both Vaults panel interface (top) and browser-based interface (bottom).

Permissions are controlled through the Can Edit option - either enabled (Read/Write access), or disabled (Read-only access). With the Vaults panel, status is further reflected textually:

  • Can Edit enabled - Collaborator [Added] (for a user), or All users in <RoleName> as Collaborators [Added] (for a role).
  • Can Edit disabled - Viewer [Added] (for a user), or All users in <RoleName> as Viewers [Added] (for a role).
In the Vaults panel, the Can Edit option defaults to enabled, giving users/roles Read/Write access. In the browser-based interface, the Can Edit option defaults to disabled, giving users/roles Read-only rights.
When configuring sharing through the Vaults panel, users and roles that are newly added have their status presented in red. These additions will not be finalized (saved) until either clicking Apply in the Permissions For Folder dialog, or clicking OK in both the Permissions For Folder dialog AND the Add Folder/Edit Folder dialog (if the Apply button is not used). When configuring sharing through the browser-based interface, these additions will not be finalized (saved) until the OK button is clicked in the Sharing Settings window.

Once the permissions are saved in the Vaults panel interface, the associated textual status will be presented in grey and without the [Added] suffix.

The appearance of the permissions list after the additions are finalized (saved), for the Vaults panel interface.
The appearance of the permissions list after the additions are finalized (saved), for the Vaults panel interface.

Editing Permissions

Make changes to the permissions list at any time. Through the Vaults panel interface, subsequent changes made to existing users/roles in the list will result in the applicable textual status entries being presented in blue, along with the addition of the suffix [Changed]. Once all changes have been made, apply them.

Example changes made to the permissions list for a folder, for the Vaults panel interface.
Example changes made to the permissions list for a folder, for the Vaults panel interface.

Descendant Permissions

Permissions defined for a folder can be applied to sub-folders and the Items (and revisions) they contain:

  • Vaults panel interface - enable the Apply to child folders and Items option, in the Permissions For Folder dialog.
  • Browser-based interface - enable the Apply To Children option, in the Sharing Settings window.

This allows a specified user (or role) to be able to see all content under the folder being shared. Conversely, by having this option disabled, a user will only be able to see the root folder - the content in any sub-folders will be unavailable, unless explicitly shared.

Removing a User or Role

To remove permission for a user or role to access a folder:

  • Vaults panel interface - select that user/role in the Permissions For Folder dialog, and click the Remove control. A confirmation dialog will appear, click Yes to proceed.
  • Browser-based interface - simply click the Remove control associated to that user/role, in the Sharing Settings window.

Once all required removals have been made, apply the changes.

The Owner of the folder - the person who created it - cannot be removed from the permissions list.

Specifying who can Change Permission Settings for a Folder

When configuring folder-level sharing through the Vaults panel, the owner of the folder, or an administrator for the vault, can specify the Sharing Control for that folder - who is allowed to change the permissions and sharing for that folder. This is performed from the Sharing Control dialog, accessed by clicking the Change link at the bottom-right of the Permissions For Folder dialog.

Specify sharing control for a folder.
Specify sharing control for a folder.

The following levels of control are supported:

  • Only the owner can change the permissions - editors cannot add or remove people, or change the visibility of the item.
  • Collaborators are allowed to add people and change permissions - editors have full control to add and remove people, and change the visibility of the item.

Item-Level Sharing

Sharing a folder within a vault is one thing, but sharing the data within that folder is another altogether. For example, a folder may be in use by two teams, with content from one team not intended for general consumption, while the other team's data is public-facing. Certain data - more specifically the Items and revisions thereof - is therefore required to be hidden, while still allowing applicable users to see the remaining content. In support of this, the Altium Vault supports the ability to 'share' Items within vault folders, offering a finer level of sharing when it comes to the actual data in a vault.

As with folders, an Item in a vault can be shared on a number of different levels, in effect defining both the level of visibility of that Item, and the level of security for access to it. This can range from being strictly private access by specified individuals or roles, through to levels for allowing anyone in the same organization to view or change that Item respectively.

Those with administrator-level privileges (members of the Administrators role) will be able to see and manage all Items. For a non-administrative user of the vault, only those Items that have been shared - i.e. the user has permissions to access - will be accessible when the user signs in to that vault. In addition, non-administrative users of the vault can only share an Item they have created.

As with folder-level sharing, Item-level sharing permissions can be configured from two locations:

  • The Vaults panel, when signed in to the Altium Vault through Altium Designer.
  • The Vault page when signed in to the Altium Vault through an external Web Browser (part of the vault's browser-based interface).

Controls for working with access and permissions at the Item-level are much the same as for defining access and permissions at the folder level. Sharing permissions for an Item can be set up at the time of creating the Item, or at any stage after its creation.

If an Item in a vault folder is shared with a given user, but the folder itself is not, then the user will not be able to 'see' that Item when browsing the vault's content.
If the same users/roles permitted to 'see' a folder are also required to 'see' the Items therein (and in each sub-folder as applicable), use the Apply to child folders and Items option in the Permissions For Folder dialog (Vaults panel interface), or Apply To Children option in the Sharing Settings window (browser-based interface), when defining the permissions for that parent folder. In this way, permissions are inherited quickly at the Item (and Item Revision) level. Adjustments can always be made for specific Items (or revisions) at those lower levels. At the end of the day, full control over who sees what, and where, is facilitated.

Item Revision-Level Sharing

As with folders and Items, an Item Revision in a vault can be shared on a number of different levels, in effect defining both the level of visibility of that Item Revision, and the level of security for access to it. This can range from being strictly private access by specified individuals or roles, through to levels for allowing anyone in the same organization to view or change that Item Revision respectively.

Item Revision-level sharing is only truly configurable through the Vaults panel. It is not fully supported using the vault's browser-based interface. The difference is that through the Vaults panel, you can specifically share individual revisions, whereas the browser interface simply supports Item-level sharing, and if an Item is shared, all of its revisions are also shared.

Those with administrator-level privileges (members of the Administrators role) will be able to see and manage all Item Revisions. For a non-administrative user of the vault, only those Item Revisions that have been shared – i.e. the user has permissions to access – will be accessible when the user signs in to that vault. In addition, non-administrative users of the vault can only share an Item Revision they have created.

Controls for working with access and permissions at the Item Revision-level are much the same as for defining access and permissions at the folder- or Item-level. Sharing permissions for an Item Revision can be set up at the time of creating the parent Item, or at any stage after its creation. Whether adding or creating, sharing controls are accessed from the Item's associated properties dialog. Simply click the Revision Sharing link (or  icon) beneath the Lifecycle Definition field. This will give access to the Permissions For Item Revision dialog - command-central for specifying just how the Item Revision can be shared.

If accessing the Item Properties dialog for the top-level parent Item, clicking the Revision Sharing control will access the permissions dialog for the latest revision of that Item. To configure sharing permissions for a previously released revision of the Item, make sure to access the Item Properties dialog for that specific revision.

Access the Permissions For Item Revision dialog, with which to control how the Item Revision is shared with others.
Access the Permissions For Item Revision dialog, with which to control how the Item Revision is shared with others.

If the same users/roles permitted to 'see' an Item are also required to 'see' its Item Revisions, use the Apply to revisions option in the Permissions For Item dialog when defining the permissions for that parent Item. In this way, permissions are inherited quickly at the Item Revision level. Adjustments can always be made for specific Item Revisions at those lower levels. At the end of the day, full control over who sees what, and where, is facilitated.

 

If you find an issue, select the text/image and pressCtrl + Enterto send us your feedback.
Note

The features available depend on your Altium product access level. Compare features included in the various levels of Altium Designer Software Subscription and functionality delivered through applications provided by the Altium 365 platform.

If you don’t see a discussed feature in your software, contact Altium Sales to find out more.

Content