24 Replies Latest reply on Feb 17, 2017 10:23 AM by Greg Steward

    How to Block Files when Obsolete?

    Brian Dalton

      I've created a state for files that have been determined are obsolete and should never be manufactured again.  The members of the Engineering group should still be able to view these files for historical reference purposes, but the Fabrication group should not, since they are not allowed to make them.

       

      In the permissions for the Obsolete state, I made sure that the Engineering group is granted 'Read file contents' permission, but the Fabrication group does not have that right.  I also set the little green flag option (Ignore permissions in previous states) on the Obsolete state because I read here that the 'Read file contents' permission will be inherited from previous states if I don't use this option.  Seems reasonable, right?

       

      Problem is that the Fabrication group can still see these files.  It seems that they are still inheriting the 'Read file contents' right even with the 'Ignore permissions in previous states' option enabled.  Anyone have a clue as to why this is?  The Obsolete state is rather pointless if I can't block access to it.

        • Re: How to Block Files when Obsolete?
          Brian Dalton

          Oooops, forgot the link I was intending to include in my original post (for some reason I'm not able to edit it...)

           

          Here's the link

            • Re: How to Block Files when Obsolete?
              Charley Saint

              Brian,

               

              Sounds like you did everything right, can you post a screenshot of the permissions of a user that doesn't have read access to that state and a screenshot of him logged in and able to see a file in that state. Make sure the file isn't "ghosted" indicating that he can just see a local copy, not the vaulted version. And check to see if he at least loses the right to see the latest version of the file that's in the obsolete state.

              • Re: How to Block Files when Obsolete?
                Brian Dalton

                OK, after some more experimentation I've determined that the feature is working the way it should - unfortunately.  It just doesn't do what I'd hoped it would.

                 

                Here's what I found:

                 

                • The 'Read file contents' permission does just that - it controls the ability to read the contents of the file, not the ability to see the file in the Explorer window.
                • Denying this permission actually only prevents the user from getting any versions of the file.  If they already have a version in their local cache, they will still have full access to that version.  They just can't get anything from the vault.
                • When they see the file in the Explorer, they see it listed in the state it was in when the most recently available version was created.  So in my case, they could access the file when it was in the "RELEASED FOR MANUFACTURE" state, so despite the fact that it is now in the "OBSOLETE" state, they still see it as "RELEASED FOR MANUFACTURE".

                 

                So in other words, my solution is a total failure and won't work at all to block visibility of a file.  I'm back to the original question:

                 

                How can I block a file from being visible or accessible in any way to a given group or user when the file goes into the OBSOLETE state?

              • Re: How to Block Files when Obsolete?
                Brian Dalton

                I'm doing some testing of my own...  I'll get back with the results.

                 

                Thanks for your help, guys.

                • Re: How to Block Files when Obsolete?
                  Brian Dalton

                  I just finished some testing on my test vault, and the issue seems to only occur when the 'Show working versions' permission is off.  I do this for the Fabricators group because they should only be able to see official released revisions, not the interim versions.

                   

                  Background:

                   

                  All permissions are granted solely by means of groups.  No user has permissions set specifically for them.

                  Two users were created, each in a separate group:

                   

                  User CM in group Cfg Mgmt

                     Folder permissions (root): All

                     State permissions: All

                     Transition permissions: All

                   

                  User FAB in group Fabricators

                     Folder permissions (root): Read file contents, Show working versions

                     State permissions: Read file contents for State 3 only

                     Transition permissions: None

                   

                  Workflow:

                     State 1 -> Ignore previous permissions off

                     State 2 -> Ignore previous permissions off

                     State 3 -> Inc Revision, Ignore previous permissions off

                     State 4 -> Ignore previous permissions on

                   

                  Working as CM, I created a text file and saved it into the root folder.  I checked this file in, then moved it through each state to State 4.

                   

                  Result for user FAB:

                    State 1: file not visible

                    State 2: file not visible

                    State 3: file visible

                    State 4: file not visible

                   

                  This is just what I want, except that with this setup, the user FAB can see all versions of the file.  In the real setup, I have FAB set up with only 'Read file contents' for folder permissions - 'Show working versions' is off.

                   

                  I changed this setting (turned off show working versions) for user FAB and got this result:

                   

                  Result for user FAB with 'Show working versions' off:

                    State 1: file not visible

                    State 2: file not visible

                    State 3: file visible

                    State 4: file visible, listed as being in State 3

                   

                  This is what I saw out on the floor, as I reported in my third post in this thread, and it's the result that simply won't work for me.  For some reason when the 'Show working versions' permission is denied, the system allows the user to see previous versions as they were when the file was in a visible state, but when the permission is granted, the system honors the latest permissions and shows the user nothing.

                   

                  So... I can't use the 'Ignore permissions from previous states' option and the 'Show working versions' permission at the same time.  Together they should prevent users from seeing interim versions AND allow blocking all visibility if needed, but they don't.

                   

                  If I don't use 'Ignore permissions', then the user's vision of the file can't be blocked (unacceptable), and if I don't deny 'Show working versions', then the user's vision of interim versions can't be blocked (also unacceptable).  I don't know if this conflict is a bug or by design, but it's totally thwarting my efforts here.

                   

                  BTW, we're using EPDM 2012 sp4

                    • Re: How to Block Files when Obsolete?
                      Tim Webb

                      HI Brian,

                       

                      What you are saying makes sense however, are you sure the Fabricators group can actually "see" or "Get" the interim versions of the file? The versions may show up in the "Get version" menu. This is normal. The real test is to see if they can "Get" any of the versions from State 1, 2, or 4. Check that.

                       

                      Let me see if I can clarify the working model for the way I have used the "Obsolete" setup and visibility.

                       

                      It does work very well for what you are trying to accomplish. Bear with me

                       

                      • ALL groups NOT in Engineering have only ONE state they can "Read file contents" enabled which is in the "Production Released" state (state 3)
                      • If the Fabrication shop can "Get" a non-released version, they can build to it so I approach this one with state visibility control.
                      • This avoids any Fabrication shop being able to build to unreleased data.

                       

                      As long as the files are in an editable state, non-Engineering can ONLY see the latest version of the file they had permissions to see which reflects the last time the file hit the "Production Released" state. (HINT: There are some tricks you can play with pass through states. As long as the file passes through the state for a millisecond, the workflow can act like a light switch. I use this for named BOMs.)

                       

                      I always enable "Show working versions" for all groups and then control visbility at the state level. This way even the non-Engineering groups can see the files are in work but they are not able to "Get" the interim versions if you control the visibility by the state.

                       

                      With this, when the non-Engineering user groups search for files, if a file is still in Engineering and has never been released, their search results do not contain the files. After that file has been released at least once, their search results only show them the latest released version they had permissions to see (when it was in state 3).

                       

                      Next, my approach is to avoid using the "Ignore permissions from previous states" until I use an "Obsolete" or "Archived" state in which the file disappears completely using the setup I've shown.

                       

                      Here's an example:

                      • A SLDPRT is released at version 5, version 9, and version 13.
                      • In the file history the non-Engineering can see version 5 in bold, 9 in bold, and 13 in bold.
                      • If the file is now back in engineering for an ECO, the non-Engineering can see there is a version 14 or 15 in the history but they are unable to pull down those versions. They can hit "Get Latest Version" 10,000 times but they will only get version 13.
                      • However if the file is released again at version 17, they can now get version 17.
                      • Using the approach I showed, if the file is then transitioned to the "Obsolete" state, now the non-Engineering groups can no longer see the file whatsoever. Period.
                      • Engineering can still see the file no problem. Period.

                       

                      Do you think this is what you are trying to accomplish?

                       

                      Tim CEPA

                      http://www.equivaq.com

                        • Re: How to Block Files when Obsolete?
                          Brian Dalton

                          Ahhh, now the lights are all on...

                           

                          I was thinking of 'Show working versions' as meaning full access to working versions.  I see now that seeing is not the same as getting.

                           

                          I tried the setup you described and it seems to work quite well - Thank you!..  It actually works better here because the Fab users are set to 'Always work with the latest version' which seems to prevent them from even seeing the interim versions.  Not sure that's logical, but it seems to be the case.  Fab users can see only released revisions and can only get the latest released revision.

                           

                          And most importantly, when a file goes to Obsolete, they can't see it at all!

                           

                          Ten big chocolate chip cookies for Tim!!

                          • Re: How to Block Files when Obsolete?
                            Brian McEwen

                            Tim,

                             

                            The plot thickens...  Following on this idea:

                            """""I always enable "Show working versions" for all groups and then control visbility at the state level. This way even the non-Engineering groups can see the files are in work but they are not able to "Get" the interim versions if you control the visibility by the state."""""

                            There is a possible consequence to this Show Working Versions approach.  It is counter intutive, but that setting is actually more restrictive in some cases. 

                             

                            File 1234 rev B is Released.  An engineer moves it to an Edit state and starts working on Rev C.  Say Bob has a Viewer seat and no read access to the Edit state, and he has Show Working Versions turned on - he can no longer see file 1234, at all!  Andy has the same state permissions, but he has Show Working Versions (a folder permission) turned off... Andy can still see 1234 rev B, because he can see the Released revisions and that is all he cares about (or all his permissions care about).

                             

                            This effect seems to occur only when Ignore Permissions in Previous states is turned on for the Edit state.  I wanted to have this on so that engineers can delete files from the Edit state, but the interconnected nature of permissions makes it hard to get all the things I want.  [edit] I now notice you do mention the Ignore Permissions setting in your April 26, 2013 post. 

                            • Re: How to Block Files when Obsolete?
                              Jim Sculley

                              Tim Webb wrote:

                               

                              Here's an example:

                              • A SLDPRT is released at version 5, version 9, and version 13.
                              • In the file history the non-Engineering can see version 5 in bold, 9 in bold, and 13 in bold.
                              • If the file is now back in engineering for an ECO, the non-Engineering can see there is a version 14 or 15 in the history but they are unable to pull down those versions. They can hit "Get Latest Version" 10,000 times but they will only get version 13.

                              I hate to revive an old thread with a long, rambling rant but the bizarre interaction between Ignore Permissions in Previous States and Show Working Versions just bit me in the ass.  I have spent my entire day trying to figure out a problem that occurred in our shop.

                               

                              We do not have a formal ECO process (the overhead would obliterate our typical project schedule), and we work strictly from automatically generated (via custom add-in, not tasks) PDFs to ensure that changes to models don't leak out into the manufacturing floor prematurely and (I thought) to ensure that old revisions are never sent out for manufacture).  When SW drawings are released, they go to an Approved state and PDFs are created with a revision that matches the SW drawing.  These PDFs are in a Published state.  If a drawing needs to be changed, it is moved to a Change Pending state and the associated PDF is automatically moved to a corresponding Published Change Pending state.  The manufacturing group does not have  Read File Contents permission for PDFs in this state.  The folder containing the PDFs did not have the Show Working Versions permission set. However, neither PDF state has the Ignore Permissions option checked.

                               

                              With these seemingly logical settings, our manufacturing group was able to print and manufacture a part to Revision 3 when the SW drawing was in the process of being revised to revision 4.  They didn't have to jump through any special hoops to do this.  They just printed what was in the folder in Explorer.  I *thought* my settings would prevent that, specifically, if the manufacturing group does not have  Read File Contents permission for the Published Change Pending state, why could they even see the file?  The answer, obviously was Ignore Permissions in Previous States, or so I thought.  The Manufacturing group needs Read File Contents permission for files in the Published state, and that was being inherited when the files moved to the Published Change Pending state.  However, setting the Ignore Permissions in Previous States option for the Published Change Pending state made zero difference.  The Manufacturing group could still see the previous Revision 3.  Only after turning ON the Show Working Versions option for the folder containing the PDF did the PDF disappear for the Manufacturing group.  This makes no sense to me.  I turn on an option to show something and things disappear.

                               

                              I find the EPDM Help not very helpful on this topic.  The fact that state permissions are inherited seems to only be mentioned in the description of the Ignore Permissions in Previous States option.  It really should appear in big bold flashing red letters somewhere.  The documentation also says this:

                              ======================

                              The minimum permission for (sic) a user must have to see a file checked in to the vault are:

                              • Permissions per Folder tab 

                                          -- Read file contents

                                          -- Show working versions of files

                              • State Permissions tab

                                          -- Read file contents

                              ======================

                              No mention of inherited permissions whatsoever.  Anyone reading the above would think that denying Read File Contents permission on a state for a group would prevent a group from seeing files in that state.  But no, you have to take into account all other states that it may have been in unless you know about the Ignore Permissions in Previous States option. 

                               

                              The same vagueness surrounds the Show Working Versions permission:

                              =============================

                              • Show working versions of files

                                          -- See both working versions and revisions of files.

                                   This permission must be set together with Read file contents  to see a file that has no revision set (or if revisions are not being used).

                              =============================

                              So, how is it that enabling Show Working Versions can cause files to disappear?  Don't get me wrong, it now does what I want.  I just have no understanding of why it now does what I want.

                               

                                • Re: How to Block Files when Obsolete?
                                  Brian McEwen

                                  I agree that I was never really satisfied that I understood how those layers of permissions interacted.  I'm not using EPDM these days so less fresh in my mind.

                                   

                                  Could your situation have anything to do with cached files still being visible?  ...What you ended up with is kinda the way Webb described his setup, and that is what I followed with our vault. The fact it works that way does not seem fully logical.

                                   

                                  [edit] And you could check the 'Always work with the latest version' setting for the shop.

                            • Re: How to Block Files when Obsolete?
                              Greg Steward

                              I know I am a little late for this, but I wanted to do the same thing but instead setup  dispatch in the workflow to move the files to a folder where I had the permissions locked down for select groups. I also had it append "OBS-" to the file name and had it update the file properties. it works pretty good so far.