Privilege reference

This section describes privileges and the rules that can apply to each privilege.

For a detailed description of each rule, see Privilege rules.

Privilege areas

Privileges are classified into the following areas:

Area Description

Administration Privileges

Privileges to perform various administrative functions within the Dimensions CM database, for example, to assign roles to users or update the properties of a deployment area.

Administration privileges apply to all products in the base database.

The privileges are divided into these subareas:

  • Process Management

  • Area Management

  • Other Administration

For details, see Administration privileges.

Product Level Privileges

Privileges to perform operations on classes of Dimensions CM objects within a specified product, for example, to promote an item or create a baseline.

Product-level privileges apply only to your currently selected product.

The object classes are:

Considerations:

  • Rollback privileges: Access to all rollback operations is controlled through the use of the item rollback privilege. Although they are displayed through the user interface, the roll back request and roll back baseline privileges are not used and are ignored. Future releases of Dimensions CM may provide a single rollback privilege to control access to these operations.

  • Default grant rules for the Download Files from Project privilege: When you create a new base database or upgrade an existing installation, the default grant rules for the Update Files from Project/Stream and Deliver Files into Project/Stream privileges include the rule User holds any role on the product owning the object.

    As a result, there is a security issue where certain users can download and upload files from any project in the product, including those to which they should not have access. To correct this, remove the User holds any role on the product owning the object rule from the grant rules for the privileges Update Files from Project/Stream and Deliver Files into Project/Stream.
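
An audit sketch for the grant-rule issue described above, added here as an example; it is not part of the Dimensions CM documentation or tooling. The CSV listing is a constructed sample in an assumed layout (privilege ID, grant rule), and the privilege IDs are the ones tabulated on this page. It goes slightly beyond the text by also flagging the two broader rules from this page's rule list and any grants set on the rollback privileges the page says are ignored.

```python
import csv
import io

# Rule the page says to remove, plus the two strictly broader rules from the
# same rule list (assumption: these are equally unwanted on file transfer).
BROAD_RULES = {
    "User holds any role on the product owning the object",
    "User holds any role on any product",
    "Grant to all users",
}
# Update Files from / Deliver Files into Project/Stream.
TRANSFER_PRIVS = {"PROJECT_DOWNLOAD", "PROJECT_UPLOAD"}
# Displayed in the UI but ignored; ITEM_ROLLBACK controls all rollback access.
IGNORED_PRIVS = {"BASELINE_ROLLBACK", "REQUEST_ROLLBACK"}

# Constructed sample; the column names are hypothetical, not a product format.
SAMPLE_EXPORT = """privilege_id,grant_rule
PROJECT_DOWNLOAD,User holds any role on the product owning the object
PROJECT_DOWNLOAD,"Object is in the user's inbox, or user has current role"
PROJECT_UPLOAD,User holds any role on the product owning the object.
PROJECT_UPLOAD,User is the originator of the object
BASELINE_ROLLBACK,User has any role on object lifecycle
ITEM_ROLLBACK,User has any role on object lifecycle
PROJECT_LOCK,Grant to all users
"""


def normalise(rule):
    """Collapse whitespace, drop a trailing period, ignore case."""
    return " ".join(rule.split()).rstrip(".").casefold()


def audit(export_text):
    """Return (privilege_id, finding, rule) tuples for risky or no-op grants."""
    broad = {normalise(r) for r in BROAD_RULES}
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        priv = row["privilege_id"].strip().upper()
        rule = row["grant_rule"].strip()
        if priv in TRANSFER_PRIVS and normalise(rule) in broad:
            # Any role holder in the product can move files in every project.
            findings.append((priv, "BROAD_RULE", rule))
        elif priv in IGNORED_PRIVS:
            # Grants here restrict nothing; review ITEM_ROLLBACK instead.
            findings.append((priv, "IGNORED_PRIVILEGE", rule))
    return findings


if __name__ == "__main__":
    for priv, kind, rule in audit(SAMPLE_EXPORT):
        print(f"{kind:18} {priv:18} {rule}")
```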


Administration privileges

Administration privileges apply to all products in the base database.

Process Management privileges

Privilege ID Description
Create Products ADMIN_CREATE_PRODUCT Create products.
Manage Baseline and Release Templates ADMIN_TEMPLATEMAN Manage baseline and release template definitions.
Manage File Format Definitions ADMIN_FORMATMAN Manage file formats for items and requests.
Manage Lifecycles ADMIN_LIFECYCLEMAN Manage lifecycle definitions.
Manage Privileges ADMIN_PRIVILEGEMAN Grant admin and non-admin privileges.
Manage Role Definitions ADMIN_ROLEMAN Manage role definitions.
Manage Upload Rules ADMIN_UPLOADMAN Manage upload and item/request format definitions.
Manage Users and Group Definitions ADMIN_USERMAN Manage users and groups for a database.
Manage Version Branch Definitions ADMIN_BRANCHMAN Manage the version branches in the database.

Area Management privileges

Privilege ID Description
Create Deployment Areas ADMIN_CREATE_DEPLOY_AREA Create a deployment area.
Create Library Cache Areas ADMIN_CREATE_LIBCACHE_AREA Create a library cache area.
Create Work Areas ADMIN_CREATE_WORK_AREA Create a work area.
Delete Deployment Areas ADMIN_DELETE_DEPLOY_AREA Delete a deployment area.
Delete Library Cache Areas ADMIN_DELETE_LIBCACHE_AREA Delete a library cache area.
Delete Work Areas ADMIN_DELETE_WORK_AREA Delete a work area.
Update Deployment Area Properties ADMIN_UPDATE_DEPLOY_AREA Update deployment area properties such as host name, area owner user, and password.
Update Library Cache Area Properties ADMIN_UPDATE_LIBCACHE_AREA Update library cache area properties such as host name, area owner user, and password.
Update Work Area Properties ADMIN_UPDATE_WORK_AREA Update work area properties such as host name, area owner user, and password.

Other Admin privileges

Privilege ID Description
Impersonate Other Users ADMIN_LOGIN_AND_IMPERSONATE Impersonate other users after logging in.
Manage and View Other Users' Lists ADMIN_OTHER_PENDLIST View other users' lists.
Manage Build Configurations ADMIN_BUILDMAN Manage build configurations.
Manage Customer Definitions ADMIN_CUSTDEFMAN Manage customer definitions.
Manage Email Notifications ADMIN_EMAILNOTIFY_SUBSCRIBE Manage email notifications.
Manage Item Relationship Names ADMIN_ITEMRELSMAN Manage item relationships.
Manage Network Definitions ADMIN_NETWORK Manage the Dimensions CM network definitions.
Manage Public Reports ADMIN_PUBLICQUERIES Manage public client reports.
Manage Replication Configurations ADMIN_REPL Manage replication configuration definitions, run replicator, and run pdiff.
Manage Request Providers ADMIN_IDMTOOLMAN Configure request providers.
Manage Schedule Jobs ADMIN_SCHEDULING Manage schedule jobs.
Manage Stream Groups ADMIN_MANAGE_STREAM_GROUPS Manage stream groups for the database.
Manage Topic Streams ADMIN_MANAGE_TOPIC_STREAMS Manage all topic streams for the database.
Manage User Interface Profiles ADMIN_UI_PROFILES Manage user interface profiles.
Manage User Report Configurations ADMIN_REPORTMAN Manage user report configurations and definitions.
Publishing Preferences ADMIN_PUBLISHPREFS Publish a set of default preferences.
Run Admin Reports ADMIN_RUN_REPORT Run admin reports and other reports.
Update Database Options ADMIN_UPDATE_DBOPTIONS Update database options, such as the Project/Stream option.


Product privileges

The following table lists product-level privileges.

Privilege ID Description

Assign Roles to Users And Groups PRODUCT_ROLE_ASSIGN Assign roles to users and groups.
Delete PRODUCT_DELETE Delete a product.
Manage Libraries PRODUCT_LIBRARYMAN Define product libraries.
Manage Object Types PRODUCT_OBJTYPEMAN Manage the object type definitions and their attributes in your product.
Manage Project/Stream Upload Inclusions/Exclusions PRODUCT_PROJECTUPLOADMAN Manage project/stream-specific upload inclusions/exclusions.
Manage Valid Sets PRODUCT_VALIDSETMAN Manage valid set definitions and values.
Override Process Checks PRODUCT_OVERRIDE_PROCESS_CHECK Override certain levels of process checks.
Perform Requirement Related Operation PRODUCT_REQUIREMENTMAN Perform requirement related operations.
Refresh Inboxes for All Users PRODUCT_RUN_REFRESH_INBOXES Refresh the user in-box of objects belonging to the product using the PEND command.
Rename PRODUCT_RENAME Rename a product.
Run Reports PRODUCT_RUN_REPORT Run reports.
Update PRODUCT_UPDATE Update the attributes of the product.
View Other Users' Privileges PRODUCT_VIEW_USERS_PRIVS View other users' privileges.


Project/stream privileges

The following table lists project and stream level privileges.

Privilege ID Description
Action to Any State PROJECT_ACTION_ANYSTATE Action a project/stream to any state in the lifecycle.
Action to Next State PROJECT_ACTION_NEXTSTATE Action a project/stream to the next state in the lifecycle.

Note: When the rule is Object is in the user's inbox or the user has current role (OBJ_PEND), the or in this rule becomes and.

Add Item revisions to Project PROJECT_ADDFILE Add item revisions to a project.
Assign Deployment Areas to Project/Stream PROJECT_ASSIGN_DEPL_AREA Relate or unrelate deployment areas to/from a project or stream.
Attach Baseline as Sub Project PROJECT_ATTACH_BASELINE Attach or detach a subproject baseline to/from a project.
Attach Project as Sub Project PROJECT_ATTACH_SUBPROJECT Attach or detach a subproject to/from a project.
Audit a Project/Stream PROJECT_AUDIT Audit a project or stream using the AUDIT command.
Audit Project/Stream for Reporting only PROJECT_AUDIT_NOFIX Audit a project or stream, for reporting purposes only, using the AUDIT command. No changes to the area are permitted.
Build from a Project/Stream PROJECT_BUILD Build from a project or stream.
Bypass Locked Project/Stream PROJECT_BYPASSLOCKED Bypass locked project/stream constraints.
Change CM Rules for Project/Stream PROJECT_EDIT_CMRULES Change whether or not the CM rules are active for a project or stream.
Clean areas AREA_CLEAN Clean areas.
Control Topic Stream PROJECT_TOPIC_STREAM_CONTROL After delegating a topic stream that you originated, you can continue contributing to it. ADMIN group has this privilege granted by default.
Create Directories PROJECT_CREATE_DIR Create project/stream directories.
Create Project PROJECT_CREATE Create projects.
Create Stream PROJECT_STREAM_CREATE Create streams.
Create Topic Stream PROJECT_TOPIC_STREAM_CREATE Create topic streams.
Delete Directories PROJECT_DELETE_DIR Delete project/stream directories.
Delete Project PROJECT_DELETE Delete a project.
Delete Stream PROJECT_STREAM_DELETE Delete a stream.
Delete Topic Stream PROJECT_TOPIC_STREAM_DELETE Delete topic streams.

Deliver Files into Project/Stream PROJECT_UPLOAD Deliver files from your work area into a project or stream.

Note: If this privilege is removed, upload enforces the privileges for the commands used to effect the changes. These can include CI, UI, RI, AIWS, SWF, RIWS, DI, CWSD, MWSD and DWSD. Which commands get used depends on the upload options and the content of the area compared to the project at the time of upload.

When setting the general grant rules for this privilege, you can choose from the following options:

  • Object is in the user's inbox, or user has current role.

  • User is the originator of the object.

  • User has any role on the initial lifecycle state transition.

  • User has any role on object lifecycle.

  • User holds any role on the product owning the object.

  • User holds any role on any product.

  • Grant to all users.

By default, the Deliver Files into Project/Stream privilege is enabled for anyone in the ADMIN group.

Import Request into Project PROJECT_IMPORT_REQUEST Import a request into a project.
Lock and Hide PROJECT_LOCK Lock/unlock a project or stream.
Populate an Area from a Project/Stream PROJECT_POPULATE_AREAS Populate an area from a project or stream.
Rebase a Topic Stream PROJECT_REBASE Rebase a topic stream.
Relate Requests to Project/Stream PROJECT_RELATE_REQUEST Relate or unrelate requests to/from a project or stream.
Remove Item revisions from Project PROJECT_REMOVEFILE Remove item revisions from a project.
Rename PROJECT_RENAME Rename a project or stream.
Rename Directories PROJECT_RENAME_DIR Rename or move directories.
Rename Item Filenames PROJECT_RENAME_FILE Rename project file names.
Update PROJECT_UPDATE Update the attributes of a project or stream.

Update Files from Project/Stream PROJECT_DOWNLOAD Update files in your work area from a project/stream.

Note: If this privilege is removed, the Download command enforces the privileges specified for Fetch Item.


Design part privileges

The following table lists design part-level privileges.

Privilege ID Description
Create PART_CREATE Create design parts.
Delete PART_DELETE Delete design parts.
Relate Design Part to Design Part PART_RELATE_PART Relate/unrelate a design part to/from another design part.
Rename PART_RENAME Rename design parts.
Suspend PART_SUSPEND Suspend design parts.
Update PART_UPDATE Update the attributes of the design part and create a new design part revision (or PCS).


Baseline privileges

The following table lists baseline-level privileges.

Privilege ID Description
Action to Any State BASELINE_ACTION_ANYSTATE Action a baseline to any state in the lifecycle.

Action to Next State BASELINE_ACTION_NEXTSTATE Action a baseline to the next state in the lifecycle.

Note: When the rule is Object is in the user's inbox or the user has current role (OBJ_PEND), the or in this rule becomes and.

The object, when first created, is displayed only in the inbox of the originator. Only that user or, by default, users in the ADMIN group can perform the operations required, such as update item, until the object is actioned.

Build from a Baseline BASELINE_BUILD Build from a baseline.
Create BASELINE_CREATE Create baselines.
Create Archive BASELINE_CREATE_ARCHIVE Create an archive (ART) within the product.
Delete BASELINE_DELETE Delete baselines.
Delete Archive BASELINE_DELETE_ARCHIVE Delete an archive (ART) from your product.
Demote to Any Stage BASELINE_DEMOTE_ANYSTAGE Demote baselines to any demotion stage in the lifecycle.
Demote to Next Stage BASELINE_DEMOTE_NEXTSTAGE Demote baselines to the next demotion stage in the lifecycle.
Deploy to Areas BASELINE_DEPLOY Deploy baselines to areas.
Promote to Any Stage BASELINE_PROMOTE_ANYSTAGE Promote baselines to any promotion stage in the lifecycle.
Promote to Next Stage BASELINE_PROMOTE_NEXTSTAGE Promote baselines to the next promotion stage in the lifecycle.
Relate Baseline to Baseline BASELINE_RELATE_BASELINE Relate/unrelate a baseline to/from another baseline.
Rename BASELINE_RENAME Rename baselines.

Rollback from Areas BASELINE_ROLLBACK This privilege does not have any effect and should not be used.

Access to all rollback operations is controlled through the use of the item rollback privilege. Although displayed in the user interface, the roll back baseline privilege is not used and is ignored.

Transfer Baseline In BASELINE_TRANSFER_IN Transfer baselines into a product (ART).
Transfer Baseline Out BASELINE_TRANSFER_OUT Transfer baselines out from a product (ART).
Update BASELINE_UPDATE Edit baseline attributes.
Update Files from Baseline BASELINE_DOWNLOAD Update files in your work area from a baseline.


Release privileges

The following table lists release level privileges.

Privilege ID Description
Create RELEASE_CREATE Create a release.
Delete RELEASE_DELETE Delete a release.
Forward to Customer RELEASE_FORWARD_CUSTOMER Forward or withdraw releases from customers.


Request privileges

The following table lists request-level privileges.

Note: The request privileges do not apply to external requests.

Privilege ID Description
Action to Any State REQUEST_ACTION_ANYSTATE Action a request to any state in the lifecycle.
Action to Next State REQUEST_ACTION_NEXTSTATE Action requests to the next state in the lifecycle.

Note: When the rule is Object is in the user's inbox or the user has current role (OBJ_PEND), the or in this rule becomes and.

Add Action Description REQUEST_ADD_ACTION_DESC Add the action description of a request.
Add/Edit Detailed Description REQUEST_DETAILDESC Add or edit the detailed description of a request.
Browse REQUEST_BROWSE Browse requests.

Create REQUEST_CREATE Create requests.

Note: If you have the privilege to create a request but you do not hold the necessary role on the initial lifecycle state, Dimensions CM temporarily grants you that role, enabling the create operation to complete successfully.

In this case, a warning message is displayed. When you action the request to the next state, the temporary role is deleted.

Delegate REQUEST_DELEGATE Delegate requests to users and groups.
Delete REQUEST_DELETE Delete requests. Applies only to draft requests.

Demote to Any Stage REQUEST_DEMOTE_ANYSTAGE Demote requests to any demotion stage in the lifecycle.
Demote to Next Stage REQUEST_DEMOTE_NEXTSTAGE Demote requests to the next demotion stage in the lifecycle.
Deploy to Areas REQUEST_DEPLOY Deploy requests to areas.
Edit Action Description REQUEST_EDIT_ACTION_DESC Edit the action description of a request.
Move REQUEST_MOVE Move requests between the primary and secondary catalog.
Perform Replication Operations REQUEST_RREPLIC_OPS Perform replication specific operations for requests.
Prime REQUEST_PRIME Prime requests.
Promote to Any Stage REQUEST_PROMOTE_ANYSTAGE Promote requests to any promotion stage in the lifecycle.
Promote to Next Stage REQUEST_PROMOTE_NEXTSTAGE Promote requests to the next promotion stage in the lifecycle.
Relate Request to Baseline REQUEST_RELATE_BASELINE Relate/unrelate a request to/from baselines.
Relate Request to Design Part REQUEST_RELATE_PART Relate/unrelate a request to/from design parts.
Relate Request to Item REQUEST_RELATE_ITEM Relate/unrelate a request to/from items.
Relate Request to Request REQUEST_RELATE_REQUEST Relate/unrelate a request to/from other requests.

Rollback from Areas REQUEST_ROLLBACK This privilege does not have any effect and should not be used.

Access to all rollback operations is controlled through the use of the item rollback privilege. Although displayed in the user interface, the roll back request privilege is not used and is ignored.

Update Attachments REQUEST_UPDATE_ATTACH Add or remove attachments.
Update Request REQUEST_UPDATE Edit attributes and add or remove action descriptions.


Item privileges

The following table lists item-level privileges.

Privilege ID Description
Action to Any State ITEM_ACTION_ANYSTATE Action an item to any state in the lifecycle.

Action to Next State ITEM_ACTION_NEXTSTATE Action items to the next state in the lifecycle.

Note: When the rule is Object is in the user's inbox or the user has current role (OBJ_PEND), the or in this rule becomes and.

The object, when first created, is displayed only in the inbox of the originator. Only that user or, by default, users in the ADMIN group can perform the operations required, such as update item, until the object is actioned.

Archive ITEM_ARCHIVE Archive items and retrieve previously archived items (ART).
Break Lock ITEM_UNLOCK_OTHER Unlock an item previously locked by another user in that stream.
Browse ITEM_BROWSE Browse an item or search its content.

Create ITEM_CREATE Create items.

Note: If you have the privilege to create an item, but you do not hold the necessary role on the initial lifecycle state, Dimensions CM temporarily grants you that role, enabling the create operation to complete successfully.

In this case, a warning message is displayed. When you action the item to the next state, the temporary role is deleted.

Delegate ITEM_DELEGATE Delegate items to users and groups.
Delete ITEM_DELETE Delete items.
Demote to Any Stage ITEM_DEMOTE_ANYSTAGE Demote items to any demotion stage in the lifecycle.
Demote to Next Stage ITEM_DEMOTE_NEXTSTAGE Demote items to the next demotion stage in the lifecycle.
Deploy to Areas ITEM_DEPLOY Deploy items to areas.
Lock/Unlock ITEM_LOCK Lock or unlock items in a stream.
Move Item to Another Design Part ITEM_MOVE_PART Move an item to a different design part.
Promote to Any Stage ITEM_PROMOTE_ANYSTAGE Promote items to any promotion stage in the lifecycle.
Promote to Next Stage ITEM_PROMOTE_NEXTSTAGE Promote items to the next promotion stage in the lifecycle.
Relate Item to Design Part ITEM_RELATE_PART Relate/unrelate items to/from a design part.
Relate Item to Item ITEM_RELATE_ITEM Relate/unrelate items to/from items.
Rename ITEM_RENAME Rename item identifiers.
Revise Item Content ITEM_UPDATECONTENT Check out, check in and merge items.
Rollback from Areas ITEM_ROLLBACK Roll back items from areas.

Note: Access to all rollback operations is controlled through the use of the item rollback privilege.

Suspend ITEM_SUSPEND Suspend items.
Update ITEM_UPDATE Edit the attributes of an item.
