Why does CA PPM allow some rights to be granted to users from outside the Administrator function?

Document ID : KB000123125
Last Modified Date : 18/12/2018
Show Technical Document Details
Can you please explain how the security rights are assigned and how we can maintain our license compliance for the CA PPM application.
Why does the application allow some rights to be granted to users from outside the Administrator function?

CA PPM is designed to allow some rights to be automatically granted to end-users when their role changes. This is a feature many customers want and need to reduce administrative overhead. For example, if an user is assigned as the Project Manager to a project, that user will automatically be granted Project Edit rights for that project, thus eliminating the need for an Administrator to have to grant that individual instance right. Without this granting of "implied rights" the administrative overhead of constantly managing specific rights as users change assignments becomes overly burdensome, time-consuming, and cost-ineffective for customers.

How do we maintain license compliance if end-users can grant rights that will move users up to a higher license class (e.g. from viewer to participant or creator) without administrative review?

If, for example, a user with only view rights (and therefore classified as a Viewer) is assigned as project manager to a project, it is true that he/she will be granted project edit rights automatically based on the assignment and will be re-classified as a Full User. To manage a project, a user needs to be a Full User and have edit rights. There are several ways to manage this.

The License Information Portlets allow administrators to monitor user license counts. The Administrator can track the numbers of users licensed as Full, Restricted or View Only and can drill down deeper to see how individual users and classified, and even further to see which rights caused the users to be classified. If a user is found to have rights that s/he should not have, the administrator can remove the right, or have the user unassigned as a project, program, or department manager which will remove the automatic (or implied rights). If the user is found to need those rights, increase your license count.

If a customer wants even more control, and is willing to assume the administrative overhead associated with such control, there are methods of preventing end-users from automatically assigning rights.

Do not use the fields (such as project manager, department manager, program manager, resource manager) that assign edit rights automatically. Hide the fields and substitute a custom field that will simply associate the user as the manager without granting rights. Administrators will need to explicitly grant rights in these cases. Please see the Studio Developer's Guide and Application Administration Guide for more details on how to implement this method.

Write a report that will show all users that were upgraded to a different license type via automatic (implied) rights. Run the report monthly and make adjustments accordingly.

Instill processes that train users not to take actions that add rights but consult with administrators instead.

The ability to automatically grant needed rights as user assignments change is an important feature in the application to reduce administrative overhead. There are several means within the product to monitor and control user license counts. A combination of internal processes and application functionality is necessary to manage license compliance according to a specific company's individual needs.

The query below will identify all resources that have 'automatic' security access rights:

g.group_name Access_Right, 
cmn_lic_users_v lu, 
cmn_sec_users u, 
cmn_sec_groups_v g 
u.id = lu.user_id AND 
u.user_status_id = 200 AND 
lu.right_id = g.ID AND 
g.language_code = 'en' AND 
g.group_name like '%Auto%' AND 
--add right types to exclude 
g.LIC_RIGHT_TYPE NOT in ('viewer') 
ORDER BY u.user_name