Setting Up Local Administration

1. Log onto the ENOVIA V6 web administration console as VPLM Administrator (PLMADM), then select the Configure My ENOVIA command from the Tools icon.

2. Click the Advanced command, then the Roles tab and search for all roles.

   You will see the Local Administrator role in the list:
   
   

   A Local Administrator, in other words a person assigned to a security context referencing the Local Administrator role, has the right to manage projects and sub-projects for the security context to which the local administrator is assigned, and for the organization (and its sub-organizations) referenced by the security context.

3. Search for the list of contexts created.

   In our example, we already created a number of contexts for the local administrator, for example Local Administrator.RandD.Standard:
   
   

   which means that the local administrator will manage the RandD organization and the Standard project.

   Note that the Local Administrator.Company Name.Standard and Local Administrator.Company Name.Engineering contexts are created at installation.

We have seen that a default security context for the local administrator is created at installation. Additional security contexts allowing the local administrator to log on cannot be created using the Context tab. They must be created using the Grant Administration tab.

1. Log on as either global VPLM administrator.

   The global PLMADM administrator must first create a security context referencing a special role, the Local Administrator role, then create a user and assign the user to the security context, enabling the user to log on as local administrator.

2. Select the VPLM Administration command.

3. Select the Grant Administration tab.

   The dialog box displays, for each organization, the applicable roles. For the moment, do not dwell on the concept of applicability which is described in Set Up Role Applicability for Local Administration.

   You need to use this command first of all just to create a security context for the local administrator.

   Selecting the Grant Administration tab displays by default the number of roles applicable to the default organization Company Name, and the number of security contexts referencing Company Name:
   
   

   Use the * filter to list all organizations in the database:
   
   

   Let's assume that the organization RandD is the local administrator's organization. You must:

   
   
   • select the roles which can be applied to the organization (Applicable Roles column)
   • select the project for the security context to be created (Existing Contexts column).

4. Click the down arrow in the Applicable Roles column.

   Click the Edit button, select a role (for example, VPLMDesigner), then click the Done button:
   
   

5. Click the right arrow in the Existing Contexts column.

   Click the Add Context button, select a project (project Steve in our example), then click the Done button:
   
   

6. Refresh the list, for example by filtering to see all organizations.

   The RandD line looks like this:
   
   

   You have created security context Local Administrator.RandD.Steve, and specified that the role VPLMDesigner is applicable to the RandD organization.

   You can now create a user for local administration and assign the user to the security context you just created.

   Note: You can create multiple nested local administrator levels: you can have one local administrator for an organization, and a local administrator for each sub-organization.

1. Log on as DemoLocalAdministrator sample user (created at installation) using the Local Administrator.Company Name.Engineering context.

   The Configure My ENOVIA command is not available from the Tools icon.

2. Select the VPLM Administration command.

   The administration space of the Local Administrator is displayed:
   
   

   Note that the Local Administrator only has access to people objects: the Resources, Accesses and Model commands are not available.

   Remember that the DemoLocalAdministrator sample user is a demo user, and is not designed to be used for production purposes. But logging on as this user shows you that the number of commands available to a Local Administrator is voluntarily limited.

   For the purposes of our scenario, we are going to use a user named LocalAdmin who logs on using the Local Administrator.RandD.Engineering context.

3. Exit the web administration console, then assume that you log on as user LocalAdmin with the Local Administrator.RandD.Engineering context, and select the VPLM Administration command.

   The user named LocalAdmin can:

   
   
   • create projects under Engineering
   • create organizations under RandD
   • create security contexts referencing Role.Org.Project where:
     
     • Role is one of the roles applicable to the organization and Project is the Local administrator's project or one of its child.
     • Org is RandD or one of its sub-organizations
     • and Project is Engineering or one of its sub-projects.
   • select employees in one of the organizations/sub-organizations managed by the local administrator, and assign them to or remove them from security contexts referencing RandD or one of its sub-organizations, and Engineering or one of its sub-projects
   • assign or deny licenses to employees in organizations/sub-organizations managed by the local administrator.

   Setting up a local administrator means attaching a local administrator to a specific point of your organizational hierarchy, allowing the local administrator control over the projects and organizations at that level and below.

   
   
   

   The following table sums up the creation, update and query capabilities of the local administrator role:

   	Create	Update	Query
   Person	N/A	Assign/unassign security contexts to a set of users. Assign/unassign security licenses to a set of users.	Only users created with "employee" attribute and belonging to the organization or sub-organizations managed by the local administrator.
   Project	Create sub-projects of one of the projects to which the local administrator is assigned. No family to choose. Accreditation and disciplines	Only the set of projects or sub-projects of the organization. Update accreditation and disciplines.	Only the set of projects or sub-projects of the organization.
   Role	N/A	N/A	Only roles applicable to the organization managed by the local administrator.
   Organization	Create sub-organizations belonging to the organization assigned to the security context of the local administrator. Select parent and type.	N/A	N/A
   Security Context	Create security context for one of the projects and organizations in the hierarchy. The security context can reference only roles applicable to the organization managed by the local administrator.	N/A	N/A

In large companies, administration is not centralized, and is rather split between several administrators, each being responsible for a certain population of users. In this context, mechanisms are required to restrict the scope of each administrator and avoid overlapping between their areas of responsibility.

For instance, local administration makes it possible to restrict the scope of administrators to particular organizations, that is, prevent them from authoring organizations that are outside their scope.

Similar restrictions are required regarding roles: it is necessary to prevent administrators from using roles that are outside their scope, for example by creating security contexts using those roles. A typical example would be assigning the VPLMAdmin role to a context.

Global administrators can associate a list of applicable organizations to a role, making that role only usable within the scope of these organizations by local administrators when creating new security contexts. Local administrators can also use the same function.

For instance, if role VPLMDesigner is made applicable to organization Team1, a local administrator using context Local Administrator.Team1.Default may create security contexts using role VPLMDesigner, while another local administrator using Local Administrator.Team2.Default will be denied that operation because VPLMDesigner was not declared applicable to organization Organization2.

Note: A role without applicable organizations may be used without restriction by local administrators.

1. Log on as either global VPLM administrator or local administrator.

   The global PLMADM administrator must first create a security context referencing a special role, the Local Administrator role, then create a user and assign the user to the security context, enabling the user to log on as local administrator.

2. Select the VPLM Administration command.

3. Select the Organization command and create the organizations.

   When a new organization is created (Company/Department/Business Unit), it automatically inherits its parent's role applicability when this is defined.

   When a role is about to become applicable for a given organization, we check before that this role is applicable to the parent of this organization when this is defined (so for a root organization this rule does not apply).

   If the global administrator creates a new organization without any parent, all roles in the database will be applicable to this organization.

   If the global/local administrator creates a new organization with a parent organization, only parent organization applicable roles will be applicable to the new organization.

4. Select the Grant Administration tab.

   The dialog box displays, for each organization, the applicable roles and the existing security contexts.

   The global administrator will be able to search for all organizations in the database by using the * filter. By default, the filter is set to the root company name (Company Name). The filter can be changed. The local administrator will obtain the list of organizations for only the local administrator, and the corresponding sub-organizations.

5. For each organization, add or remove applicable roles.

   1. Click the down arrow to display the current list of applicable roles.
   2. Click the right arrow to display the list of roles available, click the Edit button, select a role then click the Done button.

      If the organization is a root organization, all roles in the database are displayed. If the organization has a parent, only the parent's applicable roles will be displayed.

6. For each organization, select a project required to create a new security context for another local administrator if required.

   1. Click the down arrow to display the current list of security contexts.
   2. Click the right arrow to display the list of projects available, click the Edit button, select a project then click the Done button.

      If the person connected is the global administrator, all projects in the database will be displayed. If the person connected is the local administrator, only the local administrator's projects and sub-projects are displayed.

      If a check box is checked, this means that a security context with role Local Administrator, and organization Company Name and project checked Project exists already.

7. If logged on as local administrator, create the security contexts for the end users in your local organization.

   To do so, select the Context tab:
   
   

   You will see the name of the local organization (RandD), the project (Steve), and the applicable roles (VPLMLeader and VPLMDesigner) that you set up using the Grant Administration tab.