How to organise security groups ?

[Regis]

Hello,

Each package of the repository represents a project.
Then I want to review the groups in EA based on 2 dimensions :
1) groups based on projects --> they are authorized to work only on diagrams contained in the project package;
2) groups based on  the function (project manager, solution architect,..) --> they are authorized to perform the actions relative to the function

Is this a good approach ? If yes, is it possible to implement this with the capabilities of EA ? (groups locks)

Thanks in advance.

[Geert Bellekens]

Regis,

I always recommend to only use groups based on the functions they need to be able to perform.

Don't use group locking, but use "Require user lock to edit" only.
This seems to work perfectly fine for most clients I worked with.

I've never come across an incident where someone from project A changed something from project B using this setup.
People in general just don't do that (unless they have bad intentions, but in that case user locking isn't going to help you)

Geert

[Regis]

Thanks Geert for your quick answer !

[Mauricio Moya (Arquesoft)]

Don't use group locking, but use "Require user lock to edit" only.
This seems to work perfectly fine for most clients I worked with.

Geert, but if you use "require user lock to edit" don't you lose the ability of multiple users editing different elements within the same package? This is an approach that I always try to avoid: as when you use Package Control or version control, were users "locks" the package content, and if they leave for vacation and keep the package locked, the other people can't edit the elements in the same package.

[Geert Bellekens]

Yes, that is true.
We educate users to not lock too much, and I have an EA-Matic script that pops up at project close to unlock any locks left.

And if someone still has forgotten to unlock his stuff, we can always unlock things for them using the general locks window.
I generally allow every user to use that dialog. Since it is such a pain to select the right locks among the thousands of locks, this never gets abused. People only use it if there really is no other option (e.g. coworker on vacation)

I (and the other users with me) find it reassuring that everything in the model is always read-only unless I make a conscious choice to lock a part of the model.

Geert

[Geert Bellekens]

For those that use EA-Matic, here's the script I use:

Code: [Select]

'[path=\Projects\EA-Matic Scripts]
'[group=EA-Matic]
option explicit

!INC Local Scripts.EAConstants-VBScript

'
' Script Name: UnlockAtProjectClose
' Author: Geert Bellekens
' Purpose: Unlock all locks when closing a project (doesn't work yet because of a bug in EA-Matic fixed in version EA Toolpack version 1.0.23 or higher
' Date: 2016-08-05
'
'EA-Matic

function EA_FileClose()
if Repository.IsSecurityEnabled then
'get current user id
dim currentUserID
currentUserID = Repository.GetCurrentLoginUser(true)
'figure out how many locks he has
dim currentUserLocks
currentUserLocks = getCurrentUserLocks(currentUserID)
if currentUserLocks > 0 then
dim response
response = Msgbox("Unlock all " & currentUserLocks & " locked elements?", vbYesNo+vbQuestion, "Unlock Elements")
If response = vbYes Then
dim sqlUnlock
sqlUnlock = "delete from t_seclocks where UserID = '" & currentUserID & "'"
Repository.Execute sqlUnlock
End If
end if
end if
end function

function getCurrentUserLocks(currentUserID)
dim sqlGetLocks
sqlGetLocks = "select count(EntityID) AS UserLocks from t_seclocks where UserID = '" & currentUserID & "'"
dim queryResponse
queryResponse = Repository.SQLQuery(sqlGetLocks)
    Dim xDoc
    Set xDoc = CreateObject( "MSXML2.DOMDocument" )
xDoc.LoadXML(queryResponse)
dim countNode
set countNode = xDoc.SelectSingleNode("//UserLocks")
'return count as integer
getCurrentUserLocks = CInt(countNode.Text)
end function