Controlling Access to Vault Content
Contents
- Folder-Level Sharing
- Accessing Folder Sharing Controls
- Folder Sharing using the Vaults Panel
- Folder Sharing using the Browser-based Interface
- Levels of Sharing
- Sharing with Specific Users and Roles
- Editing Permissions
- Descendant Permissions
- Removing a User or Role
- Specifying who can Change Permission Settings for a Folder
- Item-Level Sharing
- Item Sharing using the Vaults Panel
- Item Sharing using the Browser-based Interface
- Item Revision-Level Sharing
- Managing Access Rights for Revision Data
- Enabling Access Management
- Managing Permissions for Released Data
An Altium Vault provides secure handling of data with high integrity, while providing both Design Team and Supply Chain access to that data as needed. This latter aspect, of who can access a vault, and more importantly what data they are allowed to access, is facilitated by the Altium Vault's user access control and sharing capabilities. These can be broken down into the following key areas:
- User Management – which people are able to connect to the Altium Vault (through Altium Designer or an external browser). Management of users, as well as defined Roles (groupings of users), is performed using the vault's browser-based interface. This can be done either from an external browser or via the relevant views under Altium Designer's Home page. For detailed information, see Browser-based Access and Management of an Altium Vault.
- Folder-level Sharing – providing the ability to control who is able to see what content in the vault by sharing vault folders. This allows control over whether other users can simply view a folder and its content, or also edit it (effectively releasing design data into it). A single vault can be partitioned into various effective 'zones' of content, but with controlled folder-level permissions, the content can be made selectively visible, or hidden, as required, giving the right people, the right access, to the right data.
- Item-level Sharing – providing the ability to control who is able to see which Items in a shared folder. Think of this as a finer level of sharing, in contrast to the coarser level of sharing provided through folder access control. Provided a user has access to the folder itself, they will then be able to view/edit (as permitted) Items within that folder that are shared with them.
- Item Revision-level Sharing – providing the ability to control who is able to see which revisions of a shared Item. Think of this as the finest level of sharing. Provided a user has access to a parent Item itself, they will then be able to view/edit (as permitted) revisions of that Item that are shared with them.
- Revision Data Access Control – providing the ability to manage access to an Item Revision's data for a released PCB design, allowing users to see only the portion of data they are allowed to see, while by-passing the need for additional publishing.
This article takes a look at the sharing capabilities of the Altium Vault.
Folder-Level Sharing
An Altium Vault supports the ability to 'share' vault folders – facilitating connection to, and access of, vault content of a particular nature. By sharing vault folders, design content in a vault can be easily partitioned and shared with others.
A folder in a vault can be shared on a number of different levels, in effect defining both the level of visibility of that folder, and the level of security for access to it. This can range from being strictly private access by specified individuals or roles, through to levels for allowing anyone in the same organization to view or change content respectively.
Accessing Folder Sharing Controls
Folder-level sharing permissions can be configured from various locations:
- The Vaults panel, when signed in to the Altium Vault through Altium Designer.
- The Vault page when signed in to the Altium Vault through an external Web Browser.
- From the Home page, when signed in to the Altium Vault through Altium Designer.
Folder Sharing using the Vaults Panel
From the Vaults panel, sharing permissions for a folder can be set up at the time of adding the folder, or at any stage after its creation. Whether adding or creating, sharing controls are accessed from the folder's associated properties dialog. Simply click the Sharing link (or icon) at the bottom-left of the dialog. This will give access to the Permissions For Folder dialog – command-central for specifying just how the folder can be shared.
Folder Sharing using the Browser-based Interface
From a browser-based interface, sharing permissions for a folder can be set after the folder has been created. Sharing controls are accessed by right-clicking over the folder's entry, and using the Share Folder command from the context menu. The Sharing Settings window will appear, from where the access permissions for the folder can be modified as required.
The beauty of configuring permissions through the vault's browser-based interface is that an account admin isn't tied to a PC on which Altium Designer is installed and connected to the vault. They can effect a change in the vault's folder sharing permissions from anywhere they can get an internet connection.
Levels of Sharing
A folder can be shared on a number of different levels. Choose the required level of access in the Sharing Level dialog/window, accessed by clicking the Change link at the top-right of the Permissions For Folder dialog (Vaults panel access) or Sharing Settings window (browser-based access).
The following levels of sharing are supported:
- Private – only users or roles explicitly granted permission can access or change according to their granted access rights.
- Anyone in my organization can view – any user signed-in to the vault can view the folder (Read-only access rights).
- Anyone in my organization can change – any user signed-in to the vault can view and change the folder and its content (Read/Write access rights).
Sharing with Specific Users and Roles
When the sharing level of a folder is set to Private, use the Sharing With Specific Users And Roles region of the Permissions For Folder dialog/Sharing Settings window to determine exactly who is allowed to access and 'see' that folder. Simply use the Add User and/or Add Role controls to access dialogs/controls with which to add users and/or roles respectively – ultimately creating a specific access list for sharing folder content.
The following image shows the result of adding a single user (Desmond Igner) and a single role (Procurement) to the permissions list for a folder. Note that when configuring permissions through the Vaults panel, added users and roles will appear listed under sections for Shared with Users and Shared with Roles respectively.
Read-only access is assigned by default, reflected in the Can Edit option being disabled. With the Vaults panel interface, status is further reflected textually:
- Viewer [Added] – for a user.
- All Users in <RoleName> as Viewers [Added] – for a role.
Change to allow Read/Write access by enabling the Can Edit option for a user or role. In the Vaults panel interface, the textual status will change to reflect this:
- Collaborator [Added] – for a user.
- All Users in <RoleName> as Collaborators [Added] – for a role.
Once the permissions are saved in the Vaults panel interface, the associated textual status will be presented in grey and without the [Added] suffix.
Editing Permissions
Make changes to the permissions list at any time. Through the Vaults panel interface, subsequent changes made to existing users/roles in the list will result in the applicable textual status entries being presented in blue, along with the addition of the suffix [Changed]. Once all changes have been made, apply them.
Descendant Permissions
Permissions defined for a folder can be applied to sub-folders and the Items (and revisions) they contain:
- Vaults panel interface - enable the Apply to child folders and Items option, in the Permissions For Folder dialog.
- Browser-based interface - enable the Apply To Children option, in the Sharing Settings window.
This allows a specified user (or role) to be able to see all content under the folder being shared. Conversely, by having this option disabled, a user will only be able to see the root folder -- the content in any sub-folders will be unavailable, unless explicitly shared.
Removing a User or Role
To remove permission for a user or role to access a folder:
- Vaults panel interface - select that user/role in the Permissions For Folder dialog, and click the Remove control. A confirmation dialog will appear, click Yes to proceed.
- Browser-based interface - simply click the Remove control associated to that user/role, in the Sharing Settings window.
Once all required removals have been made, apply the changes.
Specifying who can Change Permission Settings for a Folder
When configuring folder-level sharing through the Vaults panel, the owner of the folder, or an administrator for the vault, can specify the Sharing Control for a folder therein – who is allowed to change the permissions and sharing for that folder. This is performed from the Sharing Control dialog, accessed by clicking the Change link at the bottom-right of the Permissions For Folder dialog.
The following levels of control are supported:
- Only the owner can change the permissions – editors cannot add or remove people, or change the visibility of the item.
- Collaborators are allowed to add people and change permissions – editors have full control to add and remove people and change the visibility of the item.
Item-Level Sharing
Sharing a folder within a vault is one thing, but sharing the data within that folder is another altogether. For example, a folder may be in use by two teams, with content from one team not intended for general consumption, while the other team's data is public-facing. Certain data – more specifically the Items and revisions thereof – is therefore required to be hidden, while still allowing applicable users to see the remaining content. In support of this, the Altium Vault supports the ability to 'share' Items within vault folders, offering a finer level of sharing when it comes to the actual data in a vault.
As with folders, an Item in a vault can be shared on a number of different levels, in effect defining both the level of visibility of that Item, and the level of security for access to it. This can range from being strictly private access by specified individuals or roles, through to levels for allowing anyone in the same organization to view or change that Item respectively.
Controls for working with access and permissions at the Item-level are much the same as for defining access and permissions at the folder level. Sharing permissions for an Item can be set up at the time of creating the Item, or at any stage after its creation.
Item Sharing using the Vaults Panel
From the Vaults panel, sharing controls are accessed from the Item's associated properties dialog. Simply click the Item Sharing link (or icon) located below the Item ID field. This will give access to the Permissions For Item dialog – command-central for specifying just how the Item can be shared.
Item Sharing using the Browser-based Interface
From a browser-based interface, sharing controls are accessed by right-clicking over the Item's entry, and using the Share command from the context menu. The Sharing Settings window will appear, from where the access permissions for the Item can be modified as required.
Item Revision-Level Sharing
As with folders and Items, an Item Revision in a vault can be shared on a number of different levels, in effect defining both the level of visibility of that Item Revision, and the level of security for access to it. This can range from being strictly private access by specified individuals or roles, through to levels for allowing anyone in the same organization to view or change that Item Revision respectively.
Controls for working with access and permissions at the Item Revision-level are much the same as for defining access and permissions at the folder- or Item-level. Sharing permissions for an Item Revision can be set up at the time of creating the parent Item, or at any stage after its creation. Whether adding or creating, sharing controls are accessed from the Item's associated properties dialog. Simply click the Revision Sharing link (or icon) at the bottom-left of the middle region of the dialog (beneath the Lifecycle Definition field). This will give access to the Permissions For Item Revision dialog – command-central for specifying just how the Item Revision can be shared.
Managing Access Rights for Revision Data
Direct access to data for a released PCB design project can be effectively controlled by a vault administrator through careful configuration of folder-level access permissions. However, this direct folder-level access to the data does not control which elements of the release data are accessible. So both the design snapshot AND the generated data are available. When interfacing to the manufacturer, only the fabrication and assembly "instructions" need to be shared, keeping the valuable design IP 'under wraps' as it were. And while a solution is available – to Publish only the data required by the Fabrication and Assembly Houses to fabricate and assemble the board respectively – this requires the involvement of dedicated Publishing Destinations.
A far better approach is to manage access to an Item Revision's data for a released PCB design – allowing users to see only the portion of data they are allowed to see, while by-passing the need for additional publishing. This is made possible through sharing at the individual Item Revision level, and the propagation of sharing permissions through to a revision's data folders (Released Documents and Design Snapshot). In this way, a standard set of sharing permissions can be defined at the Item level and passed through to its revisions, while having independent control over how the data for those revisions is shared.
Enabling Access Management
To enable management of access rights to an Item Revision's data, ensure the Control access for revision documents option is enabled, when configuring the sharing permissions for that Item Revision, in the associated Permissions For Item Revision dialog.
Managing Permissions for Released Data
With the option to control access for a revision's documents enabled as part of that revision's sharing permissions, those defined permissions will be propagated to the data folders for that revision. Permissions can then be varied independently for the Released Documents and the Design Snapshot – the two data folders for the Item Revision. Permissions for these data folders can be accessed either from the Preview view for the Item Revision within the Vaults panel, or from the detailed view for the Item within Altium Designer (right-click on the Item's entry in the Vaults panel and choose Full Item History).
Right-click within the region for the Released Documents or Design Snapshot, and choose Manage Permissions from the context menu. The Permissions For Data Folder - Released, or Permissions For Data Folder - Design dialog will appear respectively. Set the permissions as required for each set of data, in accordance with whom you would like to see the data.
The following image shows what user Wally Righter sees when he accesses the Altium Vault. Since he is included in the access permissions for the Released data folder, he can access the Released Documents for that particular Item Revision. However, the Design data folder has not been shared with this user – it is not shared with him as an individual, nor is he a member of the Designers or Librarians roles. The Design Snapshot region is therefore not presented for that Item Revision.
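The layered sharing described in this article (folder, Item, Item Revision, revision data folder) can be checked on paper before it is configured. The following is an added example, not Altium code or a vault API: a simplified Python model that reproduces the Wally Righter scenario and lists who can see each data folder. The folder and Item names, the user designer1, and the rule that explicit grants add to the organization-wide level are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

NONE, VIEW, EDIT = 0, 1, 2  # ordered rights: no access < read-only < read/write
PRIVATE, ORG_VIEW, ORG_CHANGE = "private", "org-view", "org-change"  # sharing levels

@dataclass
class Node:
    """A folder, Item, Item Revision or revision data folder (simplified model)."""
    name: str
    parent: Optional["Node"] = None
    level: str = PRIVATE
    users: dict = field(default_factory=dict)  # user -> Can Edit enabled?
    roles: dict = field(default_factory=dict)  # role -> Can Edit enabled?

    def own_right(self, user, user_roles):
        """Right granted by this node's own sharing settings."""
        # Assumption: explicit user/role grants add to the organization-wide level.
        right = {ORG_VIEW: VIEW, ORG_CHANGE: EDIT}.get(self.level, NONE)
        if user in self.users:
            right = max(right, EDIT if self.users[user] else VIEW)
        for role, can_edit in self.roles.items():
            if role in user_roles:
                right = max(right, EDIT if can_edit else VIEW)
        return right

def effective_right(node, user, user_roles):
    """NONE if any ancestor is not shared with the user, else the node's own right."""
    ancestor = node.parent
    while ancestor is not None:
        if ancestor.own_right(user, user_roles) == NONE:
            return NONE
        ancestor = ancestor.parent
    return node.own_right(user, user_roles)

def who_can_see(node, directory):
    """Audit helper: users in directory (user -> set of roles) with at least VIEW."""
    return sorted(u for u, r in directory.items() if effective_right(node, u, r) >= VIEW)

# Constructed sample mirroring the article's scenario; names other than the users
# and roles quoted in the article are hypothetical.
grants = dict(users={"Wally Righter": False}, roles={"Designers": True, "Librarians": False})
folder = Node("Projects", **grants)
item = Node("PCB-001", folder, **grants)
revision = Node("PCB-001-A.1", item, **grants)
released = Node("Released Documents", revision, **grants)
design = Node("Design Snapshot", revision, roles=grants["roles"])  # Wally not listed
directory = {"Wally Righter": set(), "Desmond Igner": set(), "designer1": {"Designers"}}
print(who_can_see(released, directory))  # users who can open the Released Documents
print(who_can_see(design, directory))    # users who can open the Design Snapshot
```

Running the same check against the intended permission lists before applying them shows whether design IP would be exposed to a manufacturer-facing account.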