Privilege reference

This section describes privileges and the rules that can apply to each privilege.

For a detailed description of each rule, see Privilege rules.

Privilege areas

Privileges are classified into the following areas:

Area	Description
Administration Privileges	Privileges to perform various administrative functions within the Dimensions CM database, for example, to assign roles to users or update the properties of a deployment area. Administration privileges apply to all products in the base database. The privileges are divided into these subareas: Process Management Area Management Other Administration For details, see Administration privileges.
Product Level Privileges	Privileges to perform operations on classes of Dimensions CM objects within a specified product, for example, to promote an item or create a baseline. Product-level privileges apply only to your currently selected product. The object classes are: Product. See Product privileges. Project/stream. See Project/stream privileges. Design part. See Design part privileges. Baseline. See Baseline privileges. Release. See Release privileges. Request. See Request privileges. Item. See Item privileges.

Area

Description

Administration Privileges

Privileges to perform various administrative functions within the Dimensions CM database, for example, to assign roles to users or update the properties of a deployment area.

Administration privileges apply to all products in the base database.

The privileges are divided into these subareas:

Process Management
Area Management
Other Administration

For details, see Administration privileges.

Product Level Privileges

Privileges to perform operations on classes of Dimensions CM objects within a specified product, for example, to promote an item or create a baseline.

Product-level privileges apply only to your currently selected product.

The object classes are:

Product. See Product privileges.
Project/stream. See Project/stream privileges.
Design part. See Design part privileges.
Baseline. See Baseline privileges.
Release. See Release privileges.
Request. See Request privileges.
Item. See Item privileges.

Considerations:

Rollback privileges: Access to all rollback operations is controlled through the use of the item rollback privilege. Although they are displayed through the user interface, the roll back request and roll back baseline privileges are not used and are ignored. Future releases of Dimensions CM may provide a single rollback privilege to control access to these operations.
Default grant rules for the Download Files from Project privilege: When you create a new base database or upgrade an existing installation, the default grant rules for the Update Files from Project/Stream and Deliver Files into Project/Stream privileges include the rule User holds any role on the product owning the object.

As a result, there is a security issue where certain users can download and upload files from any project in the product, including those to which they should not have access. To correct this, remove the User holds any role on the product owning the object rule from the grant rules for the privileges Update Files from Project/Stream and Deliver Files into Project/Stream.

Administration privileges

Administration privileges apply to all products in the base database.

Process Management privileges

Privilege	ID	Description
Create Products	ADMIN_CREATE_PRODUCT	Create products.
Manage Baseline and Release Templates	ADMIN_TEMPLATEMAN	Manage baseline and release template definitions.
Manage File Format Definitions	ADMIN_FORMATMAN	Manage file formats for items and requests.
Manage Lifecycles	ADMIN_LIFECYCLEMAN	Manage lifecycle definitions.
Manage Privileges	ADMIN_PRIVILEGEMAN	Grant admin and non-admin privileges.
Manage Role Definitions	ADMIN_ROLEMAN	Manage role definitions.
Manage Upload Rules	ADMIN_UPLOADMAN	Manage upload and item/request format definitions.
Manage Users and Group Definitions	ADMIN_USERMAN	Manage users and groups for a database.
Manage Version Branch Definitions	ADMIN_BRANCHMAN	Manage the version branches in the database.

Area Management privileges

Privilege	ID	Description
Create Deployment Areas	ADMIN_CREATE_DEPLOY_AREA	Create a deployment area.
Create Library Cache Areas	ADMIN_CREATE_LIBCACHE_AREA	Create a library cache area.
Create Work Areas	ADMIN_CREATE_WORK_AREA	Create a work area.
Delete Deployment Areas	ADMIN_DELETE_DEPLOY_AREA	Delete a deployment area.
Delete Library Cache Areas	ADMIN_DELETE_LIBCACHE_AREA	Delete a library cache area.
Delete Work Areas	ADMIN_DELETE_WORK_AREA	Delete a work area.
Update Deployment Area Properties	ADMIN_UPDATE_DEPLOY_AREA	Update deployment area properties such as host name, area owner user, and password.
Update Library Cache Area Properties	ADMIN_UPDATE_LIBCACHE_AREA	Update library cache area properties such as host name, area owner user, and password.
Update Work Area Properties	ADMIN_UPDATE_WORK_AREA	Update work area properties such as host name, area owner user, and password.

Other Admin privileges

Privilege	ID	Description
Impersonate Other Users	ADMIN_LOGIN_AND_IMPERSONATE	Impersonate other users after logging in.
Manage and View Other Users' Lists	ADMIN_OTHER_PENDLIST	View other users' lists.
Manage Build Configurations	ADMIN_BUILDMAN	Manage build configurations.
Manage Customer Definitions	ADMIN_CUSTDEFMAN	Manage customer definitions.
Manage Email Notifications	ADMIN_EMAILNOTIFY_SUBSCRIBE	Manage email notifications.
Manage Item Relationship Names	ADMIN_ITEMRELSMAN	Manage item relationships.
Manage Network Definitions	ADMIN_NETWORK	Manage the Dimensions CM network definitions.
Manage Public Reports	ADMIN_PUBLICQUERIES	Manage public client reports.
Manage Replication Configurations	ADMIN_REPL	Manage replication configuration definitions, run replicator, and run pdiff.
Manage Request Providers	ADMIN_IDMTOOLMAN	Configure request providers.
Manage Schedule Jobs	ADMIN_SCHEDULING	Manage schedule jobs.
Manage Stream Groups	ADMIN_MANAGE_STREAM_GROUPS	Manage stream groups for the database.
Manage Topic Streams	ADMIN_MANAGE_TOPIC_STREAMS	Manage all topic streams for the database.
Manage User Interface Profiles	ADMIN_UI_PROFILES	Manage user interface profiles.
Manage User Report Configurations	ADMIN_REPORTMAN	Manage user report configurations and definitions.
Publishing Preferences	ADMIN_PUBLISHPREFS	Publish a set of default preferences.
Run Admin Reports	ADMIN_RUN_REPORT	Run admin reports and other reports.
Update Database Options	ADMIN_UPDATE_DBOPTIONS	Update database options, such as the Project/Stream option.

Product privileges

The following table lists product-level privileges.

Privilege	ID	Description
Assign Roles to Users And Groups	PRODUCT_ROLE_ASSIGN	Assign roles to users and groups.
Delete	PRODUCT_DELETE	Delete a product.
Manage Libraries	PRODUCT_LIBRARYMAN	Define product libraries.
Manage Object Types	PRODUCT_OBJTYPEMAN	Manage the object type definitions and their attributes in your product.
Manage Project/Stream Upload Inclusions/ Exclusions	PRODUCT_PROJECTUPLOADMAN	Manage project/stream-specific upload inclusions/exclusions.
Manage Valid Sets	PRODUCT_VALIDSETMAN	Manage valid set definitions and values.
Override Process Checks	PRODUCT_OVERRIDE_PROCESS_CHECK	Override certain levels of process checks.
Perform Requirement Related Operation	PRODUCT_REQUIREMENTMAN	Perform requirement related operations.
Refresh Inboxes for All Users	PRODUCT_RUN_REFRESH_INBOXES	Refresh the user in-box of objects belonging to the product using the PEND command.
Rename	PRODUCT_RENAME	Rename a product.
Run Reports	PRODUCT_RUN_REPORT	Run reports.
Update	PRODUCT_UPDATE	Update the attributes of the product.
View Other Users' Privileges	PRODUCT_VIEW_USERS_PRIVS	View other users' privileges.

Project/stream privileges

The following table lists project and stream level privileges.

Privilege	ID	Description
Action to Any State	PROJECT_ACTION_ANYSTATE	Action a project/stream to any state in the lifecycle.
Action to Next State	PROJECT_ACTION_NEXTSTATE	Action a project/stream to the next state in the lifecycle. Note: When the rule is Object is in the user's inbox or the user has current role (OBJ_PEND), the or in this rule becomes and.
Add Item revisions to Project	PROJECT_ADDFILE	Add item revisions to a project.
Assign Deployment Areas to Project/Stream	PROJECT_ASSIGN_DEPL_AREA	Relate or unrelate deployment areas to/from a project or stream.
Attach Baseline as Sub Project	PROJECT_ATTACH_BASELINE	Attach or detach a subproject baseline to/from a project.
Attach Project as Sub Project	PROJECT_ATTACH_SUBPROJECT	Attach or detach a subproject to/from a project.
Audit a Project/ Stream	PROJECT_AUDIT	Audit a project or stream using the AUDIT command.
Audit Project/ Stream for Reporting only	PROJECT_AUDIT_NOFIX	Audit a project or stream, for reporting purposes only, using the AUDIT command. No changes to the area are permitted.
Build from a Project/Stream	PROJECT_BUILD	Build from a project or stream.
Bypass Locked Project/Stream	PROJECT_BYPASSLOCKED	Bypass locked project/stream constraints.
Change CM Rules for Project/ Stream	PROJECT_EDIT_CMRULES	Change whether or not the CM rules are active for a project or stream.
Clean areas	AREA_CLEAN	Clean areas.
Control Topic Stream	PROJECT_TOPIC_STREAM_CONTROL	After delegating a topic stream that you originated, you can continue contributing to it. ADMIN group has this privilege granted by default.
Create Directories	PROJECT_CREATE_DIR	Create project/stream directories.
Create Project	PROJECT_CREATE	Create projects.
Create Stream	PROJECT_STREAM_CREATE	Create streams.
Create Topic Stream	PROJECT_TOPIC_STREAM_CREATE	Create topic streams.
Delete Directories	PROJECT_DELETE_DIR	Delete project/stream directories.
Delete Project	PROJECT_DELETE	Delete a project.
Delete Stream	PROJECT_STREAM_DELETE	Delete a stream.
Delete Topic Stream	PROJECT_TOPIC_STREAM_DELETE	Delete topic streams.
Deliver Files into Project/Stream	PROJECT_UPLOAD	Deliver files from your work area into a project or stream. Note: If this privilege is removed, upload enforces the privileges for the commands used to effect the changes. These can include CI, UI, RI, AIWS, SWF, RIWS, DI, CWSD, MWSD and DWSD. Which commands get used depends on the upload options and the content of the area compared to the project at the time of upload. When setting the general grant rules for this privilege, you can choose from the following options: Object is in the user's inbox, or user has current role. User is the originator of the object. User has any role on the initial lifecycle state transition. User has any role on object lifecycle. User holds any role on the product owning the object. User holds any role on any product. Grant to all users. By default, the Deliver Files into Project/Stream privilege is enabled for anyone in the ADMIN group. Example of using the Deliver Files into Project/Stream privilege The company has decided that their project/stream can be delivered to by users with any role on the initial lifecycle state transition. To achieve this, the following general grant rules for the Deliver Files into Project/Stream have been enabled: Object is in the user's inbox, or user has current role. User is the originator of the object. User has any role on the initial lifecycle state transition. This way, the privilege is checked against the project/stream into which you are delivering. It checks if: The project/stream is in the user's inbox or the user has a current role on the project/stream lifecycle, or The user is the originator of the project/stream, or The user holds any role on the product owning the project/stream.
Import Request into Project	PROJECT_IMPORT_REQUEST	Import a request into a project.
Lock and Hide	PROJECT_LOCK	Lock/unlock a project or stream.
Populate an Area from a Project/ Stream	PROJECT_POPULATE_AREAS	Populate an area from a project or stream.
Rebase a Topic Stream	PROJECT_REBASE	Rebase a topic stream.
Relate Requests to Project/Stream	PROJECT_RELATE_REQUEST	Relate or unrelate requests to/from a project or stream.
Remove Item revisions from Project	PROJECT_REMOVEFILE	Remove item revisions from a project.
Rename	PROJECT_RENAME	Rename a project or stream.
Rename Directories	PROJECT_RENAME_DIR	Rename or move directories.
Rename Item Filenames	PROJECT_RENAME_FILE	Rename project file names.
Update	PROJECT_UPDATE	Update the attributes of a project or stream.
Update Files from Project/Stream	PROJECT_DOWNLOAD	Update files in your work area from a project/stream. Note: If this privilege is removed, the Download command enforces the privileges specified for Fetch Item.

Design part privileges

The following table lists design part-level privileges.

Privilege	ID	Description
Create	PART_CREATE	Create design parts.
Delete	PART_DELETE	Delete design parts.
Relate Design Part to Design Part	PART_RELATE_PART	Relate/unrelate a design part to/from another design part.
Rename	PART_RENAME	Rename design parts.
Suspend	PART_SUSPEND	Suspend design parts.
Update	PART_UPDATE	Update the attributes of the design part and create a new design part revision (or PCS).

Baseline privileges

The following table lists baseline-level privileges.

Privilege	ID	Description
Action to Any State	BASELINE_ACTION_ANYSTATE	Action a baseline to any state in the lifecycle.
Action to Next State	BASELINE_ACTION_NEXTSTATE	Action a baseline to the next state in the lifecycle. Note: When the rule is Object is in the user's inbox or the user has current role (OBJ_PEND), the or in this rule becomes and. The object, when first created, is displayed only in the inbox of the originator. Only that user or, by default, users in the ADMIN group can perform the operations required, such as update item, until the object is actioned.
Build from a Baseline	BASELINE_BUILD	Build from a baseline.
Create	BASELINE_CREATE	Create baselines.
Create Archive	BASELINE_CREATE_ARCHIVE	Create an archive (ART) within the product.
Delete	BASELINE_DELETE	Delete baselines.
Delete Archive	BASELINE_DELETE_ARCHIVE	Delete an archive (ART) from your product.
Demote to Any Stage	BASELINE_DEMOTE_ANYSTAGE	Demote baselines to the any demotion stage in the lifecycle.
Demote to Next Stage	BASELINE_DEMOTE_NEXTSTAGE	Demote baselines to the next demotion stage in the lifecycle.
Deploy to Areas	BASELINE_DEPLOY	Deploy baselines to areas.
Promote to Any Stage	BASELINE_PROMOTE_ANYSTAGE	Promote baselines to the any promotion stage in the lifecycle.
Promote to Next Stage	BASELINE_PROMOTE_NEXTSTAGE	Promote baselines to the next promotion stage in the lifecycle.
Relate Baseline to Baseline	BASELINE_RELATE_BASELINE	Relate/unrelate a baseline to/from another baseline.
Rename	BASELINE_RENAME	Rename baselines.
Rollback from Areas	BASELINE_ROLLBACK	This privilege does not have any effect, and should not be used. Access to all rollback operations is controlled through the use of the item rollback privilege. Although displayed in the user interface, the roll back baseline privileges is not used and is ignored.
Transfer Baseline In	BASELINE_TRANSFER_IN	Transfer baselines into a product (ART).
Transfer Baseline Out	BASELINE_TRANSFER_OUT	Transfer baselines out from a product (ART).
Update	BASELINE_UPDATE	Edit baseline attributes.
Update Files from Baseline	BASELINE_DOWNLOAD	Update files in your work area from a baseline.

Release privileges

The following table lists release level privileges.

Privilege	ID	Description
Create	RELEASE_CREATE	Create a release.
Delete	RELEASE_DELETE	Delete a release.
Forward to Customer	RELEASE_FORWARD_CUSTOMER	Forward or withdraw releases from customers.

Request privileges

The following table lists request-level privileges.

Note: The request privileges do not apply to external requests.

Privilege	ID	Description
Action to Any State	REQUEST_ACTION_ANYSTATE	Action a request to any state in the lifecycle.
Action to Next State	REQUEST_ACTION_NEXTSTATE	Action requests to the next state in the lifecycle. Note: When the rule is Object is in the user's inbox or the user has current role (OBJ_PEND), the or in this rule becomes and.
Add Action Description	REQUEST_ADD_ACTION_DESC	Add the action description of a request.
Add/Edit Detailed Description	REQUEST_DETAILDESC	Add or edit the detailed description of a request.
Browse	REQUEST_BROWSE	Browse requests.
Create	REQUEST_CREATE	Create requests. Note: If you have the privilege to create a request but you do not hold the necessary role on the initial lifecycle state, Dimensions CM temporarily grants you that role, enabling the create operation to complete successfully. In this case, a warning message is displayed. When you action the request to the next state, the temporary role is deleted.
Delegate	REQUEST_DELEGATE	Delegate requests to users and groups.
Delete	REQUEST_DELETE	Delete requests. Applies only to draft requests.
Demote to Any Stage	REQUEST_DEMOTE_ANYSTAGE	Demote requests to any demotion stage in the lifecycle.
Demote to Next Stage	REQUEST_DEMOTE_NEXTSTAGE	Demote requests to the next demotion stage in the lifecycle.
Deploy to Areas	REQUEST_DEPLOY	Deploy requests to areas.
Edit Action Description	REQUEST_EDIT_ACTION_DESC	Edit the action description of a request.
Move	REQUEST_MOVE	Move requests between the primary and secondary catalog.
Perform Replication Operations	REQUEST_RREPLIC_OPS	Perform replication specific operations for requests.
Prime	REQUEST_PRIME	Prime requests.
Promote to Any Stage	REQUEST_PROMOTE_ANYSTAGE	Promote requests to any promotion stage in the lifecycle.
Promote to Next Stage	REQUEST_PROMOTE_NEXTSTAGE	Promote requests to the next promotion stage in the lifecycle.
Relate Request to Baseline	REQUEST_RELATE_BASELINE	Relate/unrelate a request to/from baselines.
Relate Request to Design Part	REQUEST_RELATE_PART	Relate/unrelate a request to/from design parts.
Relate Request to Item	REQUEST_RELATE_ITEM	Relate/unrelate a request to/from items.
Relate Request to Request	REQUEST_RELATE_REQUEST	Relate/unrelate a request to/from other requests.
Rollback from Areas	REQUEST_ROLLBACK	This privilege does not have any effect and should not be used. Access to all rollback operations is controlled through the use of the item rollback privilege. Although displayed in the user interface, the roll back request privileges is not used and is ignored.
Update Attachments	REQUEST_UPDATE_ATTACH	Add or remove attachments.
Update Request	REQUEST_UPDATE	Edit attributes and add or remove action descriptions.

Item privileges

The following table lists item-level privileges.

Privilege	ID	Description
Action to Any State	ITEM_ACTION_ANYSTATE	Action an item to any state in the lifecycle.
Action to Next State	ITEM_ACTION_NEXTSTATE	Action items to the next state in the lifecycle. Note: When the rule is Object is in the user's inbox or the user has current role (OBJ_PEND), the or in this rule becomes and. The object, when first created, is displayed only in the inbox of the originator. Only that user or, by default, users in the ADMIN group can perform the operations required, such as update item, until the object is actioned.
Archive	ITEM_ARCHIVE	Archive items and retrieve previously archived items (ART).
Break Lock	ITEM_UNLOCK_OTHER	Unlock an item previously locked by another user in that stream.
Browse	ITEM_BROWSE	Browse an item or search its content.
Create	ITEM_CREATE	Create items. Note: If you have the privilege to create an item, but you do not hold the necessary role on the initial lifecycle state, Dimensions CM temporarily grants you that role, enabling the create operation to complete successfully. In this case, a warning message is displayed. When you action the item to the next state, the temporary role is deleted.
Delegate	ITEM_DELEGATE	Delegate items to users and groups.
Delete	ITEM_DELETE	Delete items.
Demote to Any Stage	ITEM_DEMOTE_ANYSTAGE	Demote items to the any demotion stage in the lifecycle
Demote to Next Stage	ITEM_DEMOTE_NEXTSTAGE	Demote items to the next demotion stage in the lifecycle
Deploy to Areas	ITEM_DEPLOY	Deploy items to areas
Lock/Unlock	ITEM_LOCK	Lock or unlock items in a stream
Move Item to Another Design Part	ITEM_MOVE_PART	Move an item to a different design part.
Promote to Any Stage	ITEM_PROMOTE_ANYSTAGE	Promote items to the any promotion stage in the lifecycle.
Promote to Next Stage	ITEM_PROMOTE_NEXTSTAGE	Promote items to the next promotion stage in the lifecycle.
Relate Item to Design Part	ITEM_RELATE_PART	Relate/unrelate items to/from a design part.
Relate Item to Item	ITEM_RELATE_ITEM	Relate/unrelate items to/from items.
Rename	ITEM_RENAME	Rename item identifiers.
Revise Item Content	ITEM_UPDATECONTENT	Check out, check in and merge items.
Rollback from Areas	ITEM_ROLLBACK	Roll back items from areas. Note: Access to all rollback operations is controlled through the use of the item rollback privilege.
Suspend	ITEM_SUSPEND	Suspend items.
Update	ITEM_UPDATE	Edit the attributes of an item.