Posts Tagged ‘access controls’

Electronic Signatures, Workflows, Lifecycles and Security in Aras

May 24, 2012

MarcL: PLM solutions should provide a secure way for electronic sign-off of controlled Parts, CAD documents, specifications and other objects. Please describe how access controls and permissions are combined with meta-data attributes, prevention of modification of released data objects, and other measures, to provide electronic sign-off.

Peter Schroer:

All business objects (Items) within the Aras Innovator platform are controlled by an access rights management service that complies with the security requirements of our US Gov’t and defense industry customers for “need-to-know” level security.

The security model can be used at the object instance paired with individual user level (only Bob can see Spec#001), or for simpler administration, hierarchical groups and roles can be defined which are expressed as patterns that are applied to sets of business objects (anyone on the Electronics team can see the design files created for the EX-001 new product). Digital rights management (DRM) on the actual files can also be included.

Once the Lifecycle of an Item has advanced to the designated state, the access rights to the Item automatically switch to a Read-only level (normally at Release, but can be anything you specify), and that object is completely protected against modifications.

The out-of-the-box CMII compliant processes use the Aras Workflow services with electronic signatures to capture the authorization and approvals.

Once the Workflow has secured the correct votes with signatures, it automatically promotes the Lifecycle status of the Item to Released (which in turn locks down the access rights).

Approval mechanisms, electronic signatures (passwords and 2nd level passwords or e-signatures), audit trails, and notifications are all standard out-of-the-box capabilities within Aras Innovator.

Aras has built-in capabilities to satisfy regulatory compliance requirements for e-signature such as 21 CFR Part 11 in the Medical Device industry (these settings can be turned on/off of course).

We provide training on how to set up, administer and customize these capabilities as well.

For additional information on these capabilities see ‘Security Permissions & Access Controls in Aras’ or check out the Posts Tagged ‘Lifecycle’ and ‘Security’.


Change Management Process Alerts and Audit Trails in Aras

May 16, 2012

MarcL: An audit-trail of change history should be maintained within the PLM solution which will provide a triggering mechanism to automatically launch activities and alerts (e.g., when a new version of a specification is approved, it is automatically sent to the appropriate individuals, groups, and roles).

Peter Schroer:

All three Aras process services (workflow, lifecycle, project) include triggering events on every Activity within the process flow along with secure audit trail logging of every action taken.

Your PLM administrator can assign actions / rules to any of the triggers to initiate alerts and capture the real-world process results.

Any of the States in Lifecycles, Activities in Workflows, Tasks in Projects, etc. can be assigned to either a person, or a Method (a script or program/service that executes an automatic set of actions).

Workflows, once defined, are started automatically, escalate automatically, and resolve themselves into closed-loop processes automatically.

The audit-trail of what actions have occurred, who voted or took action, how they voted or what action was taken and time / date stamp on every action along with other information is visible at any time as long as the person has the proper permissions.

We provide training on how to implement, customize, integrate and optimize the use of these Aras Innovator change management functions and workflow process capabilities.

For additional information on workflow see the previous post ‘Lifecycle, Workflow and Other Types of Process Management in Aras’ and ‘Change Process Definition, SOA Workflow Service and Integration in Aras’ or check out the Posts Tagged ‘Workflow’.

Business Intelligence, Custom Reports and Secure Reporting in Aras

May 15, 2012

MarcL: PLM solutions must provide the ability to create and manage customized reports that adhere to security requirements. Please explain how this is accomplished.

Peter Schroer:

Aras recommends Microsoft Reporting Services, which is part of SQL Server’s business intelligence capabilities, for customized reporting templates.

You can also use any of the other reporting/BI packages such as SAP’s BusinessObjects, Oracle’s Hyperion, IBM’s Cognos and even solutions like Google Charts, etc.

There are also built-in tools for searching for data, ordering the layout and exporting to Excel / Word, but these reporting tools are really for ad-hoc columnar layouts. Microsoft Reporting Services adds the power of sophisticated layout tools, built-in charts, cubes, analytics, etc.

Reports are a managed Item within Aras Innovator subject to the same access control model that determines which users are able to run which reports.

Microsoft Reporting Services supports HTML, Excel and PDF outputs with CSV and XML supported by Microsoft as available Rendering Extensions. Aras also has internal reporting tools which are 100% XML (XSLT and HTML).

Both the Microsoft Reporting Services reports (or those from other BI packages) and Aras reports (XML + XSLT) have batch run capabilities.

It is very simple, for example, to configure a report to run every Sunday night at a set time, and be distributed by email to certain end users. It can be in the body of the email as text, HTML, etc. or as an attachment like Excel, Word, PDF, etc.

Real-time reporting for pre-defined reports is also supported with the User access controls determining which Reports a user is allowed to run. A user must have the proper permissions to even see different report options on the pull down menu.

Those reports are available in context sensitive pull down menus throughout the user interface. For example, FMEA reports are available in the FMEA area of the solution. This reduces menu clutter for the end user.

Users can configure any report alert emails to have URL links within the body of the report or email. When the recipients access the link however, they must provide their own credentials to view the data. It is not possible to provide someone a backdoor to access data within the PLM, unless the administrator has provided tools for publishing data out of the repository.

Screenshot example of report output from Microsoft Reporting Services into Excel

Information Release and Data Vault Management in Aras

April 20, 2012

MarcL: When a document or any other type of data is formally released through the PLM solution, the vault must then recognize the file as released as a result of the workflow completion, and provide appropriate control of the document. This should also set the release baseline, and do notification of the change to the designated access group.

Peter Schroer:

The Aras Innovator platform’s Lifecycle and Workflow services are normally used together to coordinate the Enterprise Change and Release processes.

Lifecycle ensures that baselines of configurations are created and frozen (against future changes), and Lifecycle drives the automatic changes in access control rights that your company will need for release processes.

Notifications are handled by Lifecycle (one-way distribution list) and Workflow (certified response required) as required.

The default process templates with the downloaded version of Aras Innovator are the CMII standard processes.

These can of course be modified by your company, and we provide training so you can customize these processes yourself.

For more info on this see posts like ‘Version & Revision Release Levels in Aras’ or check out the Posts Tagged ‘Revision & Version’.

Released Data, Baselines and Single “View” of the Truth in Aras

April 18, 2012

MarcL: PLM solutions should ensure that all users receive the latest version of any item managed which requires the solution to track all changes to the item as well as formal releases of final changes. PLM solutions should also be able to provide a snapshot of data states and associated object release levels for specific user-defined release levels of an Item.

Peter Schroer:

The underlying architecture of Aras Innovator preserves “baselines” of configurations automatically as data is changed; both Work-In-Process (WIP) editing and the release events.

Your company can then define which of these Baselines you want to expose; by default in the CMII model, the ECN Workflow automatically creates the configuration baseline.

If you would like to create named snapshots, you can tailor the rules to allow exposing the underlying “baselines” as required, and applying a name to the selected configuration. All WIP and Release changes are tracked by default; this is Aras’s out-of-the-box configuration.

User permissions and profiles determine whether the user sees the latest version, the latest released version, the latest version released in his / her location (may not be the “latest” revision), etc.

At Aras we recognize that in a globally distributed company, the single version of the truth may have different “viewpoints” (single view of the truth) depending on the user’s context.

All of these views are supported, in addition to the classic CMII-style of configuration management which is the out-of-the-box set up.

Document & File Management Check-in / Check-out, Lifecycle and Security in Aras

April 10, 2012

MarcL: PLM solutions must be able to store, manage, archive, and retrieve digital data at the file level. PLM should enable check-in / check-out which are authorized by the security schemes, and should also allow checkouts to be cancelled if needed. Please describe how this is supported.

Peter Schroer:

Check-in / Check-out and Security

Any digital data in file form can be vaulted and managed by the Aras Innovator vault server, and out-of-the-box Aras supports Check-in and Check-out according to established / authorized security permissions.

All actions and data are controlled by platform-level rights management infrastructure in Aras Innovator for document & file management.

Check-outs can be cancelled by the end-user or an Administrator can override a check-out by clearing the reservation flag. Additional capabilities can be easily added if needed.

Also, the Aras Innovator security model enforces update and delete actions (CRUD) by user by business object providing the ability for approved users with appropriate security credentials to make changes / delete any incorrect data in the vault as required which further simplifies administration while ensuring that security is enforced.

Lifecycles and Security

The Aras Innovator Lifecycle web service is often used to implement access controls that are based on Status.

Lifecycle status security is a default behavior of Aras solutions.

As business items / objects move through a lifecycle, the access rights are modified automatically to patterns (sets of permissions for users/roles/groups) appropriate for that state in the lifecycle.

The permission structures and user access can be configured to support multiple, simultaneous company-specific security control structures for work-in-process business items and files.

You can set up, administer and modify/customize these capabilities yourself and we’ll train you how.

Pick Lists and Data Validation in Aras

April 5, 2012

MarcL: PLM solutions should support pre-defined pick lists, validation of data entered, etc. including the dynamic creation of appropriate (i.e. filtered-based on user access rights) pick lists, validation of data entered, etc. Can you describe how this is supported?

Peter Schroer:

Aras Innovator includes Pick Lists, field level validation and form level validation as standard form definitions.

Dynamic filtered lists are a standard part of the modeling tools within the Aras solution studio (graphical administrator/dev interface). Most filtering rules can be implemented without programming; for example, user access rights is a standard filter.

The meta-dictionary of these filtering and validation rules is also accessible through the web interface, so that data entered programmatically by other systems can be verified.

We’ve made it pretty simple to do these kinds of things and provide training on how to set up, administer and modify these capabilities yourself.

Security Permissions & Access Controls in Aras

March 26, 2012

Robust "Need To Know" Level Security in Aras

MarcL: Defining and managing security permission access controls in PLM is very important. Please describe how Aras provides the ability to specify access privileges to specific data (metadata, managed data objects and files) as well as processes for individuals and groups including those outside the firewall like suppliers and customers.

Peter Schroer:

Aras Innovator security, authentication and data access rights model was directly defined by our defense industry customers including the US Army, US Air Force, Lockheed Martin, L-3 Communications, Rolls-Royce Naval Marine and others.

Every business object (item) in Aras is linked to a “need-to-know” access control list which specifies the access rights of each User with that data element.

Aras Innovator out-of-the-box configuration implements data access security to the Item level. Attribute level security is implemented using view masks, rather than permission controls by attribute.

This design improves performance and simplifies the day-to-day management of data security. For the end users, the net effect is the same: they will only see the data items, and the attributes of those items that they have permission to work with.

Out-of-the-box access rights management in Aras covers control of Read, Discover, Update, Create, Delete, and Modify-Rights, for any Data Item by any Identity, where Identity is a hierarchical construct with inheritance of access rights permissions.

All data items in Aras are linked to a hierarchical organization structure that simplifies the task of segregating data that can be managed by one product team versus another team or by customer or by owner.
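
The hierarchical identities described above, combined with the sign-off, promotion to Released and read-only switch described in the electronic signatures post, as a toy model added here (not Aras Innovator code or its API). The state name Preliminary, the identities, the signers and the item are constructed for illustration.

```python
# Toy model added for illustration; not Aras code. Names and data are constructed.
from dataclasses import dataclass, field

# Hierarchical identities: member -> identities it belongs to.
MEMBER_OF = {"bob": {"electronics"}, "electronics": {"engineering"}}

def identities(user):
    """Return the user plus every identity reached through membership."""
    seen, stack = set(), [user]
    while stack:
        ident = stack.pop()
        if ident not in seen:
            seen.add(ident)
            stack.extend(MEMBER_OF.get(ident, ()))
    return seen

# One permission pattern per lifecycle state: identity -> granted rights.
PATTERNS = {
    "Preliminary": {"engineering": {"read", "discover", "update"}},
    "Released": {"engineering": {"read", "discover"}},  # read-only once released
}

@dataclass
class Item:
    name: str
    state: str = "Preliminary"
    required_signers: frozenset = frozenset({"alice", "carol"})
    signatures: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def allowed(self, user, right):
        acl = PATTERNS[self.state]
        return any(right in acl.get(i, ()) for i in identities(user))

    def update(self, user, note):
        ok = self.allowed(user, "update")
        self.audit.append((user, "update", note, "ok" if ok else "denied"))
        return ok

    def sign(self, user, approve):
        if user not in self.required_signers or self.state == "Released":
            self.audit.append((user, "sign", approve, "rejected"))
            return False
        self.signatures[user] = approve
        self.audit.append((user, "sign", approve, "recorded"))
        if all(self.signatures.get(s) for s in self.required_signers):
            self.state = "Released"  # promotion switches the active pattern
            self.audit.append(("workflow", "promote", "Released", "ok"))
        return True
```

Denied updates and rejected signatures are written to the audit list as well, so the trail records attempts and not only successful actions.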

