HOPEX V5 EN

HOPEX Administration (Web) > Managing Users > Introduction to Person Group Management > Person Group Properties

Person Group Properties

For information on a person group, see:

Managing Person Groups Rather than Persons,

User Groups Provided,

Viewing the Person Group Characteristics, and

Modifying a Person Group Login.

Name

The name of the person group can comprise letters, figures and/or special characters.

E.g.: HR Department

Person group writing access area and writing access area at creation

Writing access management is available only with the HOPEX Power Supervisor technical module.

A writing access area is a tag attached to an object to protect it from unwanted modifications. At creation, an object takes the writing access area of the group to which the user creating it belongs.

There is a hierarchical link between writing access areas: a user can only modify an object when he/she has the same writing access level as this object or a higher writing access area level.

Person group reading access area and reading access area at creation

Information related to the reading access area is only visible when the Activate reading access diagram is selected in the Options of the Repository of the environment.

Certain objects or modeling projects may be confidential or contain data (costs, risks, controls) that should be visible only to authorized users.

The HOPEX administrator can hide objects corresponding to this confidential data.

To implement a data confidentiality policy, objects must be organized in distinct sets. Each set of objects is a reading access areas.

Each person group is associated with a reading access area that determines the objects the person group can see. A user can only see objects located in the reading access area of the group or in the lower reading access areas.

The login of a person group is a unique character string uniquely identifying the person group. It enables to make the group inactive.

For more details, see Properties of a Person Group Login.

A person belonging to a group connects to the application with his/her own login.

Default connection group

When the Default connection group attribute is selected, any person who has not a direct link with a specific group but with the "Belongs to a person group" attribute selected, belongs to the default connection group.

Use of this attribute in read-only mode is recommended.

By default, at installation "Guests" is the default connection group.

See Defining a default connection group.

Person group types

A person can belong to:

• a static group

Persons are explicitly connected to the group.

See Defining a Person Group.

• a dynamic group

The group computes group persons on the fly.

See Connection request and user created on the fly.

Examples of dynamic groups:

• LDAP groups (case of LDAP authentication)

See Defining a dynamic person group (LDAP or SSO type).

• SSO type groups (SSO authentication case)

See Defining a dynamic person group (LDAP or SSO type).

• groups connected to a macro (the macro checks if the person belongs to the group or not)

See Defining a dynamic person group with a Macro.

LDAP dynamic group

An LDAP group is an organization within a directory. It is often characterized by the OU type.

Example: the LDAP Quality group has the unique identifier (Distinguished Name):

OU=Quality,OU=UNIVERSITE,OU=FRANCE,DC=fr,DC=mega,DC=com

All persons belonging to this organization belong to the LDAP group.

LDAP groups represent a list of persons distributed by organization. Users belonging to an LDAP group use configuration available on the group:

• HOPEX repository connection

• access to roles

The LDAP group defines a group or organization in the LDAP directory or Active Directory. It contains a list of users authorized to connect to the application concerned with the group configuration.

SSO type dynamic group

An SSO type group is characterized by claims.

Dynamic group connected to a macro

The implemented macro calculates a list of persons connected to the person group. Persons resulting from the macro use the configuration defined on the person group, notably access to roles.

The macro should implement the following function:

Function IsUserExists (oPersonGroup, sUserName as String) as Boolean

sUserName: authentication login of the person.

oPersonGroup: person group object executing the query.

The function returns TRUE if the person belongs to the group, FALSE if not.

Persons

A person group is defined by a list of persons belonging to the same group.

Data language

The Data language attribute of the person group is used to define a specific data language for this user group.

By default, the data language is defined in the environment options for all users at installation (Options/Installation/Web application) via the Data language option.

Assignments - Profile

To be able to connect to HOPEX the user must have at least one profile.

By default, no profile is assigned to the person group; you must assign at least one profile to the person group.

The profiles assigned to the person group are listed in the Assignments > Profile Assignments page.

The profile determines the following for the person group:

• the applications and desktops accessible

• access to repositories

• the products accessible

See Description of a Profile.

• the objects and tools accessible

See Managing UI Access (Permissions).

The profile assignment defines:

• the repository concerned by the assignment

• the access rights to the repositories with this profile assignment

• (optional) the validity period of the assignment

See Assigning a Profile to a Person Group.