Controlling Access to Content in an Altium Vault Server

Frozen Content
Modified by Admin on Sep 13, 2017
Contents
This page contains information regarding control of access to content in a legacy Altium Vault Server. For information on controlling access to content in the latest Altium Vault, see Controlling Access to Vault Content.

An Altium Vault Server provides secure handling of data with high integrity, while providing both Design Team and Supply Chain access to that data as needed. This latter aspect, of who can access a vault, and more importantly what data they are allowed to access, is facilitated by the Altium Vault Server's user access control and sharing capabilities. These can be broken down into three key areas:

  • User Management – which people are able to connect to the Altium Vault Server (through Altium Designer or an external browser). Management of users, as well as defined groups of users, is performed using the vault's browser-based interface. This can be done either from an external browser or via the relevant views under Altium Designer's Home page. For detailed information, see Browser-based Management of an Altium Vault Server.
  • Folder-level Sharing – providing the ability to control who is able to see what content in the vault by sharing vault folders. This allows control over whether other users can simply view a folder and its content, or also edit it (effectively releasing design data into it). A single vault can be partitioned into various effective 'zones' of content, but with controlled folder-level permissions, the content can be made selectively visible, or hidden, as required – giving the right people, the right access, to the right data.
  • Item-level Sharing – providing the ability to control who is able to see what Items in a shared folder. Think of this as a finer level of sharing, in contrast to the coarser level of sharing provided through folder access control. Provided a user has access to the folder itself, they will then be able to view/edit (as permitted) Items within that folder that are shared with them.

This article takes a look at the sharing capabilities of the Altium Vault Server.

Folder-Level Sharing

An Altium Vault Server supports the ability to 'share' vault folders – facilitating connection to, and access of, vault content of a particular nature. By sharing vault folders, design content in a vault can be easily partitioned and shared with others.

A folder in a vault can be shared on a number of different levels, in effect defining both the level of visibility of that folder, and the level of security for access to it. This can range from being strictly private access by specified individuals or groups, through to levels for allowing anyone in the same organization to view or change content respectively.

Those with administrator-level privileges will be able to see and manage all folders. For a non-administrative user of the vault, only those folders that have been shared – i.e. the user has permissions to access – will be accessible when the user connects to that vault. In addition, non-administrative users of the vault can only share a folder they have created.

Accessing Folder Sharing Controls

Folder-level sharing permissions can be configured from various locations:

  • The Vaults panel, when connected to the Altium Vault Server through Altium Designer.
  • The Vault page when connected to the Altium Vault Server through an external web browser.
  • The Vaults view, under the Home page, when connected to the Altium Vault Server through Altium Designer.

The last two take advantage of the vault's browser-based interface. Controls are therefore the same between these two access methods.

Configuring Sharing using the Vaults Panel

From the Vaults panel, sharing permissions for a folder can be set up at the time of adding the folder, or at any stage after its creation. Whether adding or creating, sharing controls are accessed from the folder's associated properties dialog. Simply click the Sharing link (or  icon) at the bottom-left of the dialog. This will give access to the Permissions For Folder dialog – command-central for specifying just how the folder can be shared.

Access the Permissions For Folder dialog, with which to control how the folder is shared with others.

Configuring Sharing using the Browser-based Interface

From a browser-based interface, sharing permissions for a folder can be set after the folder has been created. Sharing controls are accessed by using the Share command from the associated control drop-down at the far right of the folder's entry. The Sharing Settings window will appear, from where the access permissions for the folder can be modified as required.

The Sharing Settings window can also be accessed by clicking the Sharing control, when editing a folder.

Configure folder-level sharing from the vault's browser-based interface

The beauty of configuring permissions through the vault's browser-based interface is that an account admin isn't tied to a PC on which Altium Designer is installed, and a connection to the vault is made. They can effect a change in the vault's folder sharing permissions from anywhere they can get an internet connection.

Levels of Sharing

A folder can be shared on a number of different levels. Choose the required level of access in the Sharing Level dialog/region, accessed by clicking the Change link at the top-right of the Permissions For Folder dialog (Vaults panel access) or Sharing Settings window (browser-based access).

Set the level of sharing for the folder. Left: When accessed through Vaults panel. Right: When accessed through browser-based interface.

The following levels of sharing are supported:

  • Private – only users or groups explicitly granted permission can access or change according to their granted access rights.
  • Anyone in my organization can view – any user logged-in to the vault can view the folder (Read-only access rights).
  • Anyone in my organization can change – any logged-in user can view and change the folder and its content (Read/Write access rights).

Remember, Administrators for the vault will have full read/write access to the vault and all of its folders.

Sharing with Specific Users and Groups

When the sharing level of a folder is set to Private, use the Sharing With Specific Users And Groups region of the Permissions For Folder dialog/Sharing Settings window to determine exactly who is allowed to access and 'see' that folder. Simply use the Add User and/or Add Group controls to access dialogs/controls with which to add users and/or groups respectively – ultimately creating a specific access list for sharing folder content.

Example of adding a user and a group (Vaults panel interface).

Example of adding a user and a group (browser-based interface).

The owner of the folder (the user who created the folder) will always have full access to all content that the folder holds. As such, an entry for the Owner is added by default to the list of specific users and groups, and cannot be removed.

The following image shows the result of adding a single user (Desmond Igner) and a single group (Procurement) to the permissions list for a folder. Note than when configuring permissions through the Vaults panel, added users and groups will appear listed under sections for Shared with Users and Shared with Groups respectively.

The result of adding a single user and group to the permissions list for both Vaults panel interface (top) and browser-based interface (bottom).

Read-only access is assigned by default, reflected in the status:

  • Viewer [Added] – for a user.
  • All Users in <GroupName> as Viewers [Added] – for a group.

This can be changed simply by enabling the Can Edit option next to a user or group. The status will change to reflect this:

  • Collaborator [Added] – for a user.
  • All Users in <GroupName> as Collaborators [Added] – for a group.

Users and groups that are newly added have their status presented in red. When configuring sharing through the Vaults panel, these additions will not be finalized (saved) until either clicking Apply in the Permissions For Folder dialog, or clicking OK in both the Permissions For Folder dialog AND the Add Folder/Edit Folder dialog (if the Apply button is not used). When configuring sharing through the browser-based interface, these additions will not be finalized (saved) until the Commit Changes button is clicked.

Once the permissions are saved, the associated status will be presented in grey and without the [Added] suffix.

The appearance of the permissions list after the additions are finalized (saved), for both Vaults panel interface (top) and browser-based interface (bottom).

Editing Permissions

Make changes to the permissions list at any time. Any subsequent changes made to existing users/groups in the list will result in the applicable status entries being presented in blue, along with the addition of the suffix [Changed] (Vaults panel interface) or [Modified] (browser-based interface). Once all changes have been made, apply/commit them.

Example changes made to the permissions list for a folder, for both Vaults panel interface (top) and browser-based interface (bottom).

Descendant Permissions

Permissions defined for a folder can be applied to sub-folders. The exact nature of this descendency depends on the interface being used to configure the sharing:

  • Vaults panel – the sharing permissions can be applied to sub-folders and the Items they contain. To do so, enable the Apply to child folders and Items option. This allows a specified user to be able to see all content under the folder being shared. Conversely, by having this option disabled, a user will only be able to see the root folder -- the content in any sub-folders will be unavailable, unless explicitly shared.
  • Browser-based interface – the sharing permissions can be applied to sub-folders only. To do so, enable the Apply To Children option. This allows a specified user to be able to see the folder being shared and all its sub-folders. Conversely, by having this option disabled, a user will only be able to see the root folder – any sub-folders will be unavailable, unless explicitly shared.

Removing a User or Group

To remove permission for a user or group to access a folder, simply select that user/group in the list and click the Remove control (Vaults panel interface) or Delete control (browser-based interface). When using the Vaults panel to configure permissions, a confirmation dialog will appear, click Yes to proceed. Once all required removals/deletions have been made, apply/commit the changes.

Remove a user/group from the list by selecting its entry and using the Remove/Delete command as applicable.

The Owner of the folder – the person who created it – cannot be removed from the permissions list.

Specifying who can Change Permission Settings for a Folder

When configuring folder-level sharing through the Vaults panel, the owner of the folder, or an administrator for the vault, can specify the Sharing Control for a folder therein – who is allowed to change the permissions and sharing for that folder. This is performed from the Sharing Control dialog, accessed by clicking the Change link at the bottom-right of the Permissions For Folder dialog.

Specify sharing control for a folder.

The following levels of control are supported:

  • Only the owner can change the permissions – editors cannot add or remove people, or change the visibility of the item.
  • Collaborators are allowed to add people and change permissions – editors have full control to add and remove people and change the visibility of the item.

Item-Level Sharing

Sharing a folder within a vault is one thing, but sharing the data within that folder is another altogether. For example, a folder may be in use by two teams, with content from one team not intended for general consumption, while the other team's data is public-facing. Certain data – more specifically the Items and revisions thereof – is therefore required to be hidden, while still allowing applicable users to see the remaining content. In support of this, the Altium Vault Server supports the ability to 'share' Items within vault folders, offering a finer level of sharing when it comes to the actual data in a vault.

As with folders, an Item in a vault can be shared on a number of different levels, in effect defining both the level of visibility of that Item, and the level of security for access to it. This can range from being strictly private access by specified individuals or groups, through to levels for allowing anyone in the same organization to view or change that Item respectively.

Those with administrator-level privileges will be able to see and manage all Items. For a non-administrative user of the vault, only those Items that have been shared – i.e. the user has permissions to access – will be accessible when the user connects to that vault. In addition, non-administrative users of the vault can only share an Item they have created.

Controls for working with access and permissions at the Item-level are much the same as for defining access and permissions at the folder level. Sharing permissions for an Item can be set up at the time of creating the Item, or at any stage after its creation. Whether adding or creating, sharing controls are accessed from the Item's associated properties dialog. Simply click the Sharing link (or  icon) at the bottom-left of the dialog. This will give access to the Permissions For Item dialog – command-central for specifying just how the Item can be shared.

Access the Permissions For Item dialog, with which to control how the Item is shared with others.

If an Item in a vault folder is shared with a given user, but the folder itself is not, then the user will not be able to 'see' that Item when browsing the vault's content.

If the same users/groups permitted to 'see' a folder are also required to 'see' the Items therein (and in each sub-folder as applicable), use the Apply to child folders and Items option in the Permissions For Folder dialog when defining the permissions for that parent folder. In this way, permissions are inherited quickly at the Item (and Item Revision) level. Adjustments can always be made for specific Items (or revisions) at those lower levels. At the end of the day, full control over who sees what, and where, is facilitated.

You are reporting an issue with the following selected text and/or image within the active document: