Person Group Properties
*For information on a person group, see:
"Managing Person Groups Rather than Persons",
"User Groups Delivered",
"Viewing Person Group Characteristics", and
"Defining the Login of a Person Group".
Name
The name of the person group can comprise letters, figures and/or special characters.
Example: HR Department
Person group writing access area and writing access area at creation
*Writing access management is available only with the HOPEX Power Supervisor technical module.
A writing access area is a tag attached to an object to protect it from unwanted modifications. At creation, an object takes the writing access area of the group to which the user creating it belongs.
There is a hierarchical link between writing access areas: a user can modify an object only when his/her writing access area is at the same level as that of the object or at a higher level.
Person group reading access area and reading access area at creation
*Information related to the reading access area is only visible when the Activate reading access diagram option is selected in the Options of the Repository of the environment.
Certain objects or modeling projects may be confidential or contain data (costs, risks, controls) that should be visible only to authorized users.
The HOPEX administrator can hide objects corresponding to this confidential data.
To implement a data confidentiality policy, objects must be organized in distinct sets. Each set of objects is a reading access area.
Each person group is associated with a reading access area that determines the objects the person group can see. A user can only see objects located in the reading access area of the group or in the lower reading access areas.
Login
The login of a person group is a character string that uniquely identifies the person group. It is used to restrict access to the products of the group and to make the group inactive.
The user that belongs to the group connects with his/her own login, but with repository access rights defined on the login of the group.
*For more details, see "Properties of a Person Group Login".
*A person belonging to a group connects to the application with his/her own login.
Default connection group
When the Default connection group attribute is selected, any person who has no direct link with a specific group but has the "Belongs to a person group" attribute selected belongs to the default connection group.
*Use of this attribute in read-only mode is recommended.
*By default, at installation "Guests" is the default connection group.
*See "Person Properties".
Person group types
A person can belong to:
a static group
Persons are explicitly connected to the group.
*See "Defining a Person Group".
a dynamic group
The group computes the persons it contains on the fly.
Examples of dynamic groups:
LDAP groups (case of LDAP authentication)
*See "Defining a dynamic person group with LDAP".
groups connected to a macro (the macro checks if the person belongs to the group or not)
*See "Defining a dynamic person group with a Macro".
LDAP dynamic group
An LDAP group is an organization within a directory. It is often characterized by type OU.
Example: the LDAP Quality group has the unique identifier (Distinguished Name):
OU=Quality,OU=UNIVERSITE,OU=FRANCE,DC=fr,DC=mega,DC=com
All persons belonging to this organization belong to the LDAP group.
LDAP groups represent a list of persons distributed by organization. Users belonging to an LDAP group use the configuration available on the group:
HOPEX repository connection
access to roles
The LDAP group defines a group or organization in the LDAP directory or Active Directory. It contains a list of users authorized to connect to the application concerned with the group configuration.
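To make "all persons belonging to this organization belong to the LDAP group" concrete, the following added example (not HOPEX code, and not how HOPEX resolves membership internally) tests whether a user's Distinguished Name lies below the group's OU by comparing parsed RDNs rather than raw string suffixes. The group DN is the one from this page; the user DNs are constructed, and case-insensitive comparison of OU/CN/DC values is an assumption.

```python
GROUP_DN = "OU=Quality,OU=UNIVERSITE,OU=FRANCE,DC=fr,DC=mega,DC=com"  # from the page

# Constructed sample user DNs (not real directory entries).
SAMPLE_USERS = {
    "direct":  "CN=Alice Martin,OU=Quality,OU=UNIVERSITE,OU=FRANCE,DC=fr,DC=mega,DC=com",
    "nested":  "cn=bob,ou=Audit,ou=quality,ou=universite,ou=france,dc=fr,dc=mega,dc=com",
    "sibling": "CN=Carol,OU=Finance,OU=UNIVERSITE,OU=FRANCE,DC=fr,DC=mega,DC=com",
    "escaped": "CN=Dave,OU=Sales\\,OU=Quality,OU=UNIVERSITE,OU=FRANCE,DC=fr,DC=mega,DC=com",
}


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        escaped = (ch == "\\" and not escaped)
    parts.append("".join(buf))
    return parts


def parse_dn(dn):
    """Return the DN as normalised (attribute, value) pairs, leaf first.
    Simplification: multi-valued RDNs ('+') and hex escapes are not handled."""
    rdns = []
    for part in split_rdns(dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        # Assumption: OU/CN/DC values compare case-insensitively.
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_in_ldap_group(user_dn, group_dn):
    """True only if user_dn lies strictly below group_dn; fail closed on bad input."""
    try:
        user, group = parse_dn(user_dn), parse_dn(group_dn)
    except ValueError:
        return False
    return len(user) > len(group) and user[-len(group):] == group


if __name__ == "__main__":
    for label, dn in SAMPLE_USERS.items():
        print(f"{label:8} rdn={is_in_ldap_group(dn, GROUP_DN)} "
              f"suffix={dn.lower().endswith(',' + GROUP_DN.lower())}")
```

The "escaped" entry is the case where a plain string-suffix test and the RDN comparison disagree: its OU value contains an escaped comma, so it sits under OU=UNIVERSITE and not under OU=Quality.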
Dynamic group connected to a macro
The implemented macro calculates a list of persons connected to the person group. Persons resulting from the macro use the configuration defined on the person group, notably access to roles.
The macro should implement the following function:
Function IsUserExists (oPersonGroup, sUserName as String) as Boolean
sUserName: authentication login of the person.
oPersonGroup: person group object executing the query.
The function returns TRUE if the person belongs to the group, FALSE if not.
Persons
A person group is defined by a list of persons belonging to the same group.
Data language
The Data language attribute of the person group is used to define a specific data language for this user group.
*By default, the data language is defined in the environment options for all users at installation (Options/Installation/Web application) via the Data language option.
Assignment - Profile
*To be able to connect to HOPEX the user must have at least one profile.
By default, no profile is assigned to the person group; you must assign at least one profile to the person group.
The profile determines the following for the person group:
the applications and desktops accessible
access to repositories
the products accessible
*See "Description of a profile".
the objects and tools accessible
*See "Managing UI Access (Permissions)".
The profile assignment defines:
the repository concerned by the assignment
the access rights to the repositories with this profile assignment
(optional) the validity period of the assignment
*See "Assigning a profile to a person group".