Sparx Systems Forum

Enterprise Architect => General Board => Topic started by: Daniel72 on October 26, 2016, 08:31:22 pm

Title: Restrict visibility of some packages to project users or groups?
Post by: Daniel72 on October 26, 2016, 08:31:22 pm

Is it possible to restrict read access to particular project users/groups in EA (v12.1)?

Let's say I have set up two groups in my project: InternalDevs and ExternalDevs

My project is structured as follows

Root
 |- ModelA
 |- ModelB
 |- ...
 
For instance, I'd like to hide ModelB from being accessible by ExternalDevs.

Is it possible? All the permissions I can grant/revoke are generic and not tied to particular project content.

Thanks,
Daniel

Title: Re: Restrict visibility of some packages to project users or groups?
Post by: qwerty on October 26, 2016, 09:21:09 pm

No. That's not possible. Consider setting up different repositories with (version) controlled packages.

q.

Title: Re: Restrict visibility of some packages to project users or groups?
Post by: Geert Bellekens on October 26, 2016, 10:32:59 pm

Daniel,

There are a few options:

- Don't do it
- Link to version control (and manage security there)
- Group locks
- Separate Repositories

I've put them in my preferred order.

Geert

Title: Re: Restrict visibility of some packages to project users or groups?
Post by: qwerty on October 26, 2016, 11:25:27 pm

I also prefer step 1 from Geert's list. Though step 2 will not allow to hide certain parts. That's only possible with separate repos. I also did not really get why someone would want to hide model parts, but obviously people ask for that sometimes.

q.

Title: Re: Restrict visibility of some packages to project users or groups?
Post by: Uffe on October 27, 2016, 12:55:51 am

Piling on,


Restricting read access to parts of a model repository makes sense in certain scenarios, where you want a single repository to contain information of different sensitivity levels, such as might be the case in military applications (my old stomping ground). But the smallest unit in EA where you can apply (and enforce) an information security level is the repository.

It's not possible to restrict read access within a repository, and the reason is that the repository is a database and the database schema has a complex relationship to the model content as displayed in the GUI, but a simple security structure. Each database user account needs read and write access to the entire database, and accounts that need to be able to do project transfers to the database need permission to truncate tables. That's pretty much it in terms of database-level security.

So you can't implement information security within an EA project: anyone who has access to the project can see all information in it. If you need to restrict read or write access to certain parts of your repository, the only option is to split the repository into as many parts as there are information security groups (classification levels).

To clarify Geert's list, group locks do not apply to read access, and linking to version control implies setting up separate repositories. An additional option is to use not external version control but the reusable asset service. You'll still need separate repositories, though. There's no way around that.


/Uffe

Title: Re: Restrict visibility of some packages to project users or groups?
Post by: qwerty on October 27, 2016, 01:04:21 am

Uffe, you can mimc a r/o package by locking it to some admin. Anyhow, the OP asks for hiding which is definitely not possible with any switches.

q.