As a disclaimer, I must clarify that this information is based solely on my personal observation, understanding and experience and relates to version 2018x – you should test and validate your specific security use cases or contact us for assistance.
Security Features in 3DEXPERIENCE
The 3DEXPERIENCE platform delivers program-wide access control and security features that are both robust and flexible. Here I identify the following security features in 3DEXPERIENCE and describe specific use cases:
- Security Context
- Multiple Ownership
- Bookmark Workspaces
- IP Protection Classification
- Library Management and Classifications (Part and ENOVIA IP classification)
- How Security Works with Search
Following the description of these features, I have added my wish list for improvements I would like to see in the security features in 3DEXPERIENCE.
Security context is what drives the user credentials when logging in to the 3DEXPERIENCE platform and is applicable to all of the apps on the platform. It is comprised of the following triplets: organization, collaborative space and role – in essence, each unique combination drives different access control.
An Organization is defined on the company level and can be comprised of different Organization sub types, such as company, business unit, plant, etc. In addition, this can be grouped in hierarchical structure to similarly mimic a company’s organization structure.
Collaborative Space (set as “project” in MQL) is a common virtual working space where certain users can collaborate on data owned by the collaborative space. You can set up one or more Collaborative Spaces within 3DEXPERIENCE.
The following different types of Collaborative Spaces can be created in 3DEXPERIENCE:
- Private – users need explicit security context access to be able to access the data
- Protected – users need explicit security context access to be able to view data in “In Work” maturity state, but all users can view public (i.e., released or obsolete) data even without an explicit relevant security context access
- Public – everyone has view access to the data in any maturity state
- Standard – users can only view the data but not modify it; it is a special collaborative space for managing cases like a library of standard parts; it is also fit to work with CATIA integration practices.
Both the Collaborative Space and the Organization own the data. They drive which Role and how much access to data a user has. In addition, users can have different Roles belonging to different Collaborative Space / Organization combinations. Confusing? Yes. It basically means that different security contexts (combinations of the three components – Collaborative Space, Organization and Role – comprising it) have different access rights. For example, if User 1 has organization Org1, CS 1 and author role and User 2 has organization Org2, CS1, author role, User 2 would not be able to author (modify) an object owned by User 1. The data is not owned by the same organization in this case. However, the users would have visibility to see data created by either user. The same would be the case if User 1 had Org1, CS1 and author role and User 2 had Org1, CS2, author role. In this case, the data is owned by different Collaborative Spaces.
A user with more than one security context can only be actively logged in with one security context which would drive the authoring access control while the other security context provides “passive” read access to data. For example, if a user has a leader role in two different security contexts (either a different Organization or Collaborative Space or both), the user would be able to view data based on his passive credentials without the need to switch credentials.
As the Collaborative Space/Organization/Role provide a very flexible security solution, the only downfall is that a user would need to actively switch the security context for the “modify” type of access, which may be considered a usability issue by some users. However, this is not required for view-only cases.
Some use cases where the concept of Organization, Collaborative Space and Role can be useful are the following:
a) In the case of multiple departments in the company owning their own data content, but consuming (viewing) data generated by other departments: only limited and restricted access to the other discipline’s data is allowed.
b) In the case of external partners who share/consume only partial product data from the OEM: in this scenario, such data can be managed and owned by a partner-dedicated Collaborative Space and or a partner-dedicated Organization in the system (note that partners would be able to view public data in non-private collaborative spaces from other groups in this case).
c) Another example relates to using DELMIA for MBOM management: using a different Organization in the security context can allow the creation of plant specific MBOM data where a certain plant can modify the plant specific items while other plants can either view or have no access to it.
d) In the case of contract manufacturing (design in-house) a dedicated Supplier Organization and/or Collaborative Space can be assigned to the manufacturer (manufacturer/supplier security context) to specify restricted access to certain objects in the system, which the OEM would like to share with the contract manufacturer. (This will also be based on the multiple ownership concept which is described below). However, in this case, the supplier may see “In Work” states as well as any public data unless the dedicated manufacturer’s Collaborative Space is set as a private Collaborative Space.
There are more applicable scenarios, but I just wanted to give you a taste of what can be done with security contexts.
Note that the Collaborative Space Control app (available for admin_platform) has additional settings for read and modify under the access control area. For example, these include settings which extend special access rights (passive or active) for owners across different security contexts when the Organization or Collaborative Spaces are the same across those security context credentials.
Multiple Ownership of an object in 3DEXPERIENCE gives additional security rights to an object in the system. Ownership of objects can be transferred. An Admin, Owner or Leader can share data with restrictions.
- An Admin can share all data content in the system
- Owners who are a local Admin of a Collaborative Space can share all data in the Collaborative Space they own (including private)
- A Leader can also share all data specific to a Collaborative Space and Organization which own the data. In CATIA, this can be done using the share option.
Many types of objects can be configured to allow multiple ownership, and specific access controls. This multiple ownership on a respective 3DEXPERIENCE object enables the user to add people and or security contexts to an object selectively. One or more users or security contexts can be added to an object in this case. Some types, such as derived output in the case of SOLIDWORKS and Designer central carry the multiple ownership from the dependent object (i.e., the SOLIDWORKS Object in this case). This model allows you to provide flexible and selective ownership on target objects, which could be used for different cases, such as supplier access, where a supplier needs only access to specific models or drawings while the data content is owned by the engineering Collaborative Space and Organization.
The biggest issue is that the process of manually adding security per object in this case can be tedious and “clicky.” It would be useful if DS supported the ability to add groups in addition to individual and security role assignments only.
Bookmark Workspaces used to be called Workspaces (folders).
Bookmarks are used to organize data, but they also have the ability to set and inherit additive permission access. It is possible to add users and or security context access to a bookmark and allow access to an object in this bookmark (the object inherits the bookmark multiple ownership in this case) even if the current logged-in user is not a member of the current Collaborative Space and Organization which own this object. This is done by adding the user or its security context to the bookmark’s multiple ownership tab, and enabling the security inheritance in the bookmark settings. Any objects linked to the bookmark will then inherit the additive security on the bookmark.
Please note that some types of objects (for example SW Designer Central Integration) will not inherit the bookmark multiple ownership and so it does not apply to all types.
Applicable scenarios in this case would be the concept of folders per different disciplines in the organization or suppliers’ dedicated bookmarks where a supplier has no access to the same Organization or Collaborative Space which own the data.
IP Protection Classification
The IP Protection module and respective app require additional dedicated licenses to manage the IP libraries and classifications. It has modules for Intellectual Property protection to prevent unauthorized access to the company IP as well as control of IP export controls (i.e., for ITAR use cases, government work, etc.).
Because of the quantity of considerations for IP Protection classification, I will address this security topic in a separate blog post. One thing to take into consideration when working with IP Protection (data rights, ITAR, etc.) is the concept of restrictive vs. permissive access control.
Library Management and Classifications (Part and ENOVIA IP classification)
The Library Management and Classifications app for classification managers helps classify documents and components in an efficient way using libraries and families (classes). It allows users to classify documents and parts based on a predefined classification taxonomy in the Organization. A part of the functionality, in addition to the management of parts and documents, is to control access to those libraries using an additional access control mechanism on the library. However, this is still based on the users, their security context and their multiple Ownership levels, as described above.
Just as in the case of bookmarks, additional permission can be added onto libraries. For more details, review the documentation about the ENOVIA IP Classification App. Usually the app requires the CCM licenses, but please check with your reseller as CCM may be bundled with other license packaging. Contact us at email@example.com for additional ENOVIA/3DEXPERIENCE (or any other Dassault Systemes Product) license information as needed.
How Security Works with Search
How does security context work in the backend on search? In a nutshell, it is stored in the database in a dedicated table. Upon a search query, the system retrieves and filters results based on the current logged in user security context across the definition in the table.
My Wish List for Improvements
I believe the following two improvements would add to the security features of the 3DEXPERIENCE platform.
- As stated, I would like to see the way of assigning multiple object security on objects simplified along with additions of groups (not simply users and security context). It would also be nice to be able to manage the assignment of ownership per group of objects vs. individual ones.
- It would be useful to be able to assign type-specific roles. Current roles in the system (Author, Leader, etc.) are not type based.
The security features in 3DEXPERIENCE provide a comprehensive, flexible and robust access control to support a variety of cases across the platform. My wish list identifies areas where they could be improved or enhanced.
Need help with security features in 3DEXPERIENCE? Contact us.