Hello ARIS Community,
I’m working with a complex folder structure in ARIS, organized as follows: Business Line, Sector, Department, and Division. With around 1500+ users in our system, not everyone requires access to every folder. Instead, access should be limited based on specific needs. For instance, certain users need access only to folders within a specific sector.
Could anyone recommend the most efficient way to manage folder access in this scenario? I’d like to implement an approach that minimizes manual management and ensures security. Ideally, this would allow us to assign permissions by user groups or roles to streamline the process.
Any guidance on role-based access control or automation options in ARIS would be greatly appreciated.
Thank you in advance for your help!
Best regards,
Gautam Singh
I personally have no experience administrating such a user community to give you best practice advice.
My recommendation is to only define privileges on a user group level, not on the level of individual users. So a user has the privileges based on the user group where she/he is a member. As a user can be a member of more than one user group, she/he can have different privileges. For sure, exceptionally you can define privileges on user level. Be aware that the highest (W overrides R) privilege is valid if a user is linked individually and in addition by a user group to a folder.
The general functionality ARIS is providing is to define access (rwdcv) and function rights starting on the root level down to each level of the folder structure (group level). The privileges defined on the group level are valid for all models in the group. No inheritance (passing privileges to underlying folders) is done. The example below shows the group "Architecture".
The privileges are set based on the user group AND for the specific group in the explorer (folder). The position of the folder in the hierarchy plays no role. So a user group can have Write privilege for all models of department A in business line X and only Read privilege for all models of department B in business line Y. The privileges are NOT passed to the underlying folders.
I guess that you have models on all levels of your folder structure.
As your folder structure is based on your organizational structure, a first approach is to define the user groups in accordance with the folder structure, e.g. all users of a specific department are one group.
In addition, as a second layer you can define role-specific privileges. Then you have to define a role-specific user group (again, a user can be part of several user groups), e.g. role "modeler", and set the Write privilege on the level of all specific departments (e.g. Finance) for all business lines.
In the administration part of the Architect & Designer there is an easy way to set the privileges for a defined user group for ALL groups (folders) starting from the root level (below database HIBB / user group Test).
This describes more or less the ARIS functionality.
You should also think about using the database level to reduce complexity of the explorer structure, e.g. different databases for the different business lines.
Regards
Klemens
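Added example, not part of Klemens's reply and not ARIS code or an ARIS API: a small Python model of the rules described above (privileges attach to one exact folder, nothing is passed to subfolders, and a user ends up with the highest privilege across direct and group assignments), with two review checks on top. The folder paths, group names, user names and the "g:"/"u:" prefixes are constructed sample data, and combining the rights of several user groups as a union is an assumption.

```python
# Constructed model for reviewing folder privileges; not an ARIS export format.
RIGHT_ORDER = "rwdcv"  # access right letters as named in the thread

FOLDERS = ["/BL-X", "/BL-X/Retail", "/BL-X/Retail/Finance",
           "/BL-X/Retail/Finance/Payroll"]

# (principal, folder) -> rights; "g:" marks a user group, "u:" a single user.
ASSIGNMENTS = {
    ("g:sector-retail", "/BL-X/Retail"): "r",
    ("g:modelers", "/BL-X/Retail/Finance"): "rw",
    ("u:asha", "/BL-X/Retail/Finance"): "r",
}
MEMBERS = {"g:sector-retail": {"asha", "ben"}, "g:modelers": {"asha"}}


def effective_rights(user, folder, assignments=ASSIGNMENTS, members=MEMBERS):
    """Rights a user holds on one folder; parent folders contribute nothing."""
    rights = set()
    for (principal, path), letters in assignments.items():
        if path != folder:  # exact match only: no inheritance
            continue
        direct = principal == "u:" + user
        via_group = principal.startswith("g:") and user in members.get(principal, ())
        if direct or via_group:
            rights |= set(letters)  # highest privilege wins (assumed: union)
    return "".join(c for c in RIGHT_ORDER if c in rights)


def uncovered_subfolders(group, folders=FOLDERS, assignments=ASSIGNMENTS):
    """Subfolders of a granted folder with no entry for the group.

    Without inheritance these stay inaccessible until set explicitly.
    """
    granted = {path for (principal, path) in assignments if principal == group}
    return sorted(f for f in folders if f not in granted
                  and any(f.startswith(g + "/") for g in granted))


def direct_user_grants(assignments=ASSIGNMENTS):
    """User-level exceptions, which should stay rare and be reviewed."""
    return sorted((principal[2:], path) for (principal, path) in assignments
                  if principal.startswith("u:"))


if __name__ == "__main__":
    print(effective_rights("asha", "/BL-X/Retail/Finance"))
    print(uncovered_subfolders("g:sector-retail"))
    print(direct_user_grants())
```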
Hi Klemens Hauk,
Thank you so much for your support. It is very helpful for me.
Hello Klemens Hauk,
I have to mask the attributes (Created by and Last update) from the users who have only viewer access, but admin can view these attributes.
For viewer access users I also have a group.
Please guide me how can I achieve this.
Thanks for support.
See the answer of Alexander:
https://ariscommunity.com/users/gautam-kumar-singh/2024-11-20-mask-attributes-viewer-user
Regards
Klemens