CM4D User Roles

Topic Contents
  1. CM4D Configuration Admins
  2. CM4D Users
    1. Access Rights
    2. Data Rights
  3. Upload Portal Users
    1. Add Upload Portal Rights to a Role
    2. Example - Roles for Upload Portal Projects/Databases

There are two levels of user rights for the CM4D module:

CM4D Module Admins - Users that can log into ATS Security and Configuration Manager and make changes to the CM4D Configuration module, as it relates to the CM4D Upload Portal.

CM4D Users - Users that run CM4D applications that require access to databases and modify data, such as CM4D Classic, DataSmith or DataUtility.

CM4D Upload Portal Users - Users that log in to the CM4D Upload Portal and access projects to upload data files for DataSmith Batch.

CM4D rights can be assigned to an existing Role, or a new Role may be created if your configuration calls for a different role than those set up for other ATS modules.

CM4D Configuration Admins

If the installation of the CM4D Config plugin was successful, the status of the registered application in ATS Security Manager should be 'Configuration Uploaded'. This means that the CM4D Config application rights are uploaded in ATS Security Manager and can be assigned to security roles.

  • Configure CM4D - Access the CM4D Configuration plugin.
  • Configure Jobs - Edit DataSmith Batch jobs.
  • Configure Endpoints - Edit Configuration>Service Endpoints.

CM4D Users

CM4D has the option to control which Databases users can access and what each user is allowed to do within those Databases. Consider the following situations. A user starts CM4D and wants to connect to a new Database or use the Feature Editor to add a new feature to an existing Database. A second user opens CM4D Web in a browser window and wants to view reports. A third user wants to use DataSmith to output data to a Managed DataSource.

How can you control whether or not each one of these users can or should accomplish these tasks?

An administrator can define Roles for users and then assign database access and data rights to each role. Access rights determine whether or not a user is allowed to connect to, use, or make changes to a specific Managed Datasource. Data rights determine if a user is allowed to perform specific tasks, such as editing documents or outputting data to a Database. Users become members of one or more roles, and thereby gain the rights assigned to that role.

Access Rights

All user roles must be assigned to the Site(s) and/or Database(s) to which its members will need access.

For example, if a group has been given access to a Site but has not been given access to a Managed DataSource within it, the users in that group will still be able to view any Managed Documents that connect to that Managed DataSource but will not be able to load any data.

Site Access - Grants all role members access to information that is stored within the Site Database.
DataSource Access - Grants the role members access to the selected Managed Datasource. Granting access to a DataSource automatically grants access to the Site that is managing that DataSource.
Routine Access - Grants the role members access to Routines within the selected Managed DataSource. In most cases, the first Routine Access option ‘Any Routine’ will be used for all selected Databases, granting access to all Routines (part data) within that Database. Although very uncommon, additional control at the Routine level may be added by implementing Routine Access Codes.
  • Any Routine - All Routines in the DataSource are available to the group. Access to Any Routine is primarily for users who are Routine creators and who set up routine access.
  • Hide Routines without Access Codes - Only Routines with an Access Code selected will be accessible. When this option is not selected and an access code is assigned to a Routine, the role has access to any Routines which do not have access codes AND Routines which have the selected access code.

What are Routine Access Codes?

Routine Access Codes are user-defined strings added to the routines in the DataSource. The only reason to use Routine Access Codes is to restrict user access to specific routines. Routines cannot have more than one access code. Any Routine and Hide Routines without Access Codes are options within each DataSource. If Access Codes have been assigned to routines in the DataSource, the name of the Access code will appear under the DataSource after Hide Routines without Access Codes.
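The Routine Access options above, modelled as a visibility function. This is an added example, not vendor code: the function, its parameters and the sample Routines are hypothetical, and it encodes the rules only as this page words them.

```python
def visible_routines(routines, codes=(), any_routine=False, hide_without_codes=False):
    """Return the Routines a role can reach in one Managed DataSource.

    routines maps routine name -> its single Access Code, or None if it has none.
    codes holds the Access Codes selected for the role.
    """
    if any_routine:
        return sorted(routines)
    shown = []
    for name, code in routines.items():
        if code is None:
            # Routines without an Access Code stay visible unless
            # 'Hide Routines without Access Codes' is selected.
            if not hide_without_codes:
                shown.append(name)
        elif code in codes:
            shown.append(name)
    return sorted(shown)


# Constructed sample data: Routine names and Access Codes are made up.
ROUTINES = {"Door LH": "BODY", "Door RH": "BODY", "Hood": "CLOSURES", "New Part": None}

if __name__ == "__main__":
    # Access Code selected, Hide option off: the uncoded Routine is still listed.
    print(visible_routines(ROUTINES, codes={"BODY"}))
    # Same role with the Hide option on: only Routines carrying the code remain.
    print(visible_routines(ROUTINES, codes={"BODY"}, hide_without_codes=True))
```

A Routine added without an Access Code is visible to every role that does not have Hide Routines without Access Codes selected, so restricting by code only holds if that option is set.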

Data Rights

Each role must be assigned the data rights granted to its members. The available rights are listed in the table below.

Users can see what rights they have been assigned by checking the Session Properties dialogs in CM4D, DataSmith, or DataUtility.

Right - Description

Analyst - Allows a user to open and view managed and unmanaged CM4D documents, but they cannot create or modify any CM4D documents.

This option is very restrictive and can sometimes interfere with some of the higher-level rights, so it should not be assigned to users that also have rights such as Developer, Document Manager, Data Manager, etc.

API - Allows a user to use external scripting to automate certain functions of CM4D through Visual Basic. Access to the API via external scripts requires a special ATS CM4D License. Internal Scripts are controlled by the various Script rights.

Batch Manager - Allows a user to run the DataSmith Batch Manager application to create and modify Batch Jobs.

This does not allow a user to run the DataSmith Batch Service. If you would like a specific user to run Batch Manager and the Batch Service, then BOTH the Batch User and the Batch Manager rights must be assigned.

Batch User - Allows a user to run the DataSmith Batch service and/or Batch Jobs. Users with this right must also be assigned the appropriate Data Manager rights in order to add new data or make changes to existing data in the database.

The most common rights assigned to Batch users are ‘Create Sample’ and/or ‘Modify Sample’.

Change Log Manager - Allows a user to delete Process Change Log entries, modify any user comments, and turn logging on and off for a session of CM4D. The ‘Disable Change Log’ child right allows the user to turn the Process Change Log function on or off during a session of CM4D.

Data Archiver - Allows a user to run the DataArchiver application. Few users should be assigned the Data Archiver right, as the application allows for removing data from the Database. A user with the Data Archiver right must also have the Data Manager child rights ‘Delete Samples’ and ‘Delete Actuals’ (the parent Data Manager right is not necessary).

Data Manager - Allows a user to make changes to the data stored in the Database.

For example, a user with the parent Data Manager right can use DataSmith to output data to DataSources, CM4D's feature editor to make changes to DataSources, or DataUtility to make changes to DataSources.

This right has a parent level that grants all data modification rights and child rights under the parent which grant users a specific subset of the parent Data Manager abilities.

Assigning all of the child Data Manager rights is not equivalent to having the parent Data Manager right.

  • Child Data Manager Rights - Separate child right options grant a user Create, Modify, or Delete rights on specific types of data.

    For example, if a user had the right ‘Create Samples’, they could create new Samples and Actual values. The Create Samples right implies the Create Actuals right. If a user had only the Create Actuals right they would only be able to create Actuals. In order to modify existing samples, a user would have to have the 'Modify Samples' right.

  • DataSmith Batch Job User Requirement - The Data Manager right is a requirement for DataSmith Batch job users, but the parent Data Manager right is not always needed in order for a user to process a Batch Job. In most cases, Batch Job users are assigned the child rights ‘Create Sample’ and/or ‘Modify Sample’. However, keep in mind that if your Batch job will be doing more than processing new Samples into the Database, additional Data Manager child rights may need to be assigned accordingly.
  • Assign or Remove Causes Requirement - To assign or remove Causes in CM4D, a user must have the ‘Modify Actual’ child right. When a Cause is assigned to data, the reference to that Cause is saved on the Actual. Causes are stored in the database as a separate entity; the Cause-specific child rights are only used for those Cause entities.

Developer - Allows a user to create and make changes to unmanaged CM4D documents. The user can also open Managed Documents, but cannot make changes to them.

Document Manager - Allows a user to create or modify Managed Documents, create or modify unmanaged CM4D documents, and perform the Managed Report Administration functionality in CM4D Web.

Event Administrator - Allows a user to subscribe to EventSmith Alarm notifications on behalf of other users. Must also have the Event Manager right.

Event Manager - Allows a user to subscribe to EventSmith Alarm notifications in CM4D Web on behalf of other users. Must also have the Event Administrator right.

Filter Manager - Allows a user to create and modify Database Filters using DataUtility. If a user has the parent right, Filter Manager, all six child rights are implied by default (even when the six are not checked individually). If a user has only the child Definition right, the child Element right is included. If the child Element is the only right selected, the user will not automatically have the child Definition right.

Scheduler Manager - Allows a user to create and modify Scheduler Jobs within the Scheduler Manager application, as well as view Scheduled jobs for all users.

Having the Scheduler Manager right does not automatically grant the user Scheduler User rights. In order to run Scheduler jobs (via the Services), a user must have the Scheduler User right in addition to the Scheduler Manager right.

Scheduler User - Allows a user to run the Scheduler and Launcher Services and/or Scheduler Jobs. A Scheduler User can then be used to run jobs without being granted the Scheduler Manager right.

If a Scheduler User does not also have the Scheduler Manager right, they will only be able to view (but not edit) their own scheduled and processing jobs in the Scheduler Manager application.

Script Administrator - Allows a user to configure which .Net Assemblies (global or private) are available for use with internal scripting in CM4D via the Script Config dialog.

Script Executor Group - Allows a user to run any scripts created for the role(s) that the user belongs to.

Script Executor Public - Allows a user to run any scripts created for Public use.

Script Executor User - Allows a user to run any scripts a user has created themselves.

Script Manager Group - Allows a user to create, modify, or remove scripts for all users that belong to the role selected in the script.

Script Manager Public - Allows a user to create, modify, or remove scripts that are available to all users in the Site.

Script Manager User - Allows a user to create, modify, or remove their own scripts.

Site Database Admin - Allows a user to run the SiteManager application to create Sites, DataSources, Users, Roles, and assign access and rights to those roles. If the Enterprise Email Configuration is set up, users with this right and a valid email address will also receive CM4D Web User Registration notifications.

Workcell Data Manager - Allows a user to commit data to the Database using CM4D Workcell. A user with the Workcell Data Manager right will not be able to load data into a Database using any other applications (such as DataSmith), unless they also have the Data Manager right.

The Workcell Data Manager right can be assigned to a user without any other rights if the user will only be running CM4D Workcell.
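Several rows of the table state dependencies between rights, which a reviewer can check mechanically when auditing role definitions. The linter below is an added example, not vendor code: the input layout and role names are hypothetical, the right names are those used on this page, and it assumes the parent Data Manager right also satisfies the Data Archiver requirement.

```python
PARENT = "Data Manager"
HIGHER_LEVEL = {"Developer", "Document Manager", PARENT}  # named beside Analyst
IMPLIES = {"Create Samples": {"Create Actuals"}}          # implication from the table
CHILD_VERBS = ("Create", "Modify", "Delete")              # child Data Manager rights

def effective(rights):
    """Expand assigned rights with the ones they imply."""
    out = set(rights)
    for right in rights:
        out |= IMPLIES.get(right, set())
    return out

def lint_role(rights):
    """Return findings for one role's set of assigned rights."""
    r, findings = effective(rights), []
    has_data_right = PARENT in r or any(x.split()[0] in CHILD_VERBS for x in r)
    if "Analyst" in r and r & HIGHER_LEVEL:
        findings.append("Analyst combined with a higher-level right")
    if "Batch User" in r and not has_data_right:
        findings.append("Batch User has no Data Manager right")
    # Assumption: the parent Data Manager right also covers the two child rights.
    if "Data Archiver" in r and PARENT not in r and not {"Delete Samples", "Delete Actuals"} <= r:
        findings.append("Data Archiver needs both Delete Samples and Delete Actuals")
    if ("Event Administrator" in r) != ("Event Manager" in r):
        findings.append("Event Administrator and Event Manager not assigned together")
    return findings

def audit(roles):
    """Map each role that has findings to its list of findings."""
    report = {name: lint_role(rights) for name, rights in roles.items()}
    return {name: found for name, found in report.items() if found}

# Constructed sample roles, not taken from a real Site.
ROLES = {
    "Batch Loader": {"Batch User", "Create Samples"},
    "Line Operator": {"Batch User"},
    "Archive Admin": {"Data Archiver", "Delete Samples"},
    "Report Viewer": {"Analyst", "Developer"},
    "Alarm Desk": {"Event Manager"},
}

if __name__ == "__main__":
    for name, found in audit(ROLES).items():
        print(f"{name}: {'; '.join(found)}")
```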

Upload Portal Users

CM4D Upload Portal users must have a User login and Roles that grant access to specific projects. Users can be granted access on two levels for each project:

  1. [ProjectName]-ViewOwn - User can upload files to the project and view their own upload history. No other user information is viewable.
  2. [ProjectName]-ViewAll - User can upload files to the project and view the complete upload history of a project, including other user uploads to the same project.

If you have not set up DataSmith Batch already, consider doing this before attempting to set up user Roles for Upload Portal users. Since each Batch job (Project) has its own Rights, project rights can only be added to a role after the Batch server is connected and jobs are set up in DataSmith Batch Manager.

Add Upload Portal Rights to a Role

Each DataSmith Job has two corresponding security Rights that must be granted to a Role for users to be able to see the project in their Upload Portal.

For example, a Job/Project with the label 'Silo' has the associated rights labelled 'Silo-ViewOwn' and 'Silo-ViewAll'.

Complete the following steps for each Role that requires Upload Portal Project rights:

  1. Click on a role in the Roles grid card to open its properties.
  2. In the role properties, click on the Rights tab.
  3. Click Add.
  4. Select CM4D Upload Portal from the dropdown.
  5. Check boxes for the projects you want to add for the role, either ViewOwn or ViewAll for each project.
  6. Click Select.
  7. Click Save.

Type "ViewOwn" or "ViewAll" in the Search field to reduce the list to the relevant options based on rights. This is helpful in a system with a long list of jobs/projects where you may not know the project name to search by, but you do know which type of rights you want to select.
          

Example - Roles for Upload Portal Projects/Databases

The example below shows a use case where roles are created based on a CM4D system set up as one Site with three CM4D databases (Auto, Aero, Misc). Each CM4D database is used for a different area of data, so Jobs/Projects are set up accordingly.

The table below shows one way that roles, users (members) and rights can be set up for different projects in a larger overall system.

Role: DataSmith Admin
Description: [ViewAll] User role for all batch jobs for all databases.
Members: [email protected]
Rights: Silo-ViewAll, q1000-ViewAll, ProChan-ViewAll, Legoman-ViewAll, Corner Module-ViewAll, PolarPlate-ViewAll, Fire Truck 1.5-ViewAll, Fire Truck 2.5-ViewAll, Fire Truck 4.5-ViewAll, Que Plane X400-ViewAll, Que Plane X500-ViewAll, Que Plane X600-ViewAll

Role: DataSmith User
Description: [ViewOwn] Users with access to all projects in the system, but only to view their own uploads.
Members: [email protected]
Rights: Silo-ViewOwn, q1000-ViewOwn, ProChan-ViewOwn, Legoman-ViewOwn, Corner Module-ViewOwn, PolarPlate-ViewOwn, Fire Truck 1.5-ViewOwn, Fire Truck 2.5-ViewOwn, Fire Truck 4.5-ViewOwn, Que Plane X400-ViewOwn, Que Plane X500-ViewOwn, Que Plane X600-ViewOwn

Role: Own - AERO
Description: [ViewOwn] User role for all batch jobs for Aero database.
Members: [email protected]
Rights: Que Plane X400-ViewOwn, Que Plane X500-ViewOwn, Que Plane X600-ViewOwn

Role: Own - AUTO
Description: [ViewOwn] User role for all batch jobs for Auto database.
Members: [email protected]
Rights: Corner Module-ViewOwn, Fire Truck 1.5-ViewOwn, Fire Truck 2.5-ViewOwn, Fire Truck 4.5-ViewOwn

Role: Own - MISC
Description: [ViewOwn] User role for all batch jobs for Miscellaneous database.
Members: [email protected]
Rights: Silo-ViewOwn, q1000-ViewOwn, ProChan-ViewOwn, Legoman-ViewOwn, PolarPlate-Own

Role: Own - Silo
Description: [ViewOwn] User role for one project/job/routine.
Members: [email protected]
Rights: Silo-ViewOwn
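With many projects and roles, an exported role-to-rights mapping can be reviewed in code for malformed right names, rights on unknown projects, redundant pairs, and roles whose members can see other users' uploads. This is an added example, not vendor code: the functions and the "Silo Leads" role are hypothetical, project names follow the table above, and the assignments are constructed sample data.

```python
LEVELS = ("ViewOwn", "ViewAll")

def parse_right(right):
    """Split '[ProjectName]-ViewOwn' on the last hyphen, since project names
    may themselves contain spaces, dots or hyphens. None if malformed."""
    project, sep, level = right.rpartition("-")
    if not sep or not project.strip() or level not in LEVELS:
        return None
    return project, level

def audit_roles(roles, known_projects):
    """Return {role: findings} for malformed, unknown and redundant rights."""
    report = {}
    for role, rights in roles.items():
        findings, held = [], {}
        for right in sorted(rights):
            parsed = parse_right(right)
            if parsed is None:
                findings.append(f"malformed right: {right}")
                continue
            project, level = parsed
            if project not in known_projects:
                findings.append(f"unknown project: {project}")
            held.setdefault(project, set()).add(level)
        findings += [f"ViewOwn redundant with ViewAll: {p}"
                     for p, lv in sorted(held.items()) if len(lv) == 2]
        if findings:
            report[role] = findings
    return report

def view_all_holders(roles):
    """Map project -> roles whose members can see other users' uploads."""
    out = {}
    for role, rights in roles.items():
        for parsed in filter(None, map(parse_right, rights)):
            if parsed[1] == "ViewAll":
                out.setdefault(parsed[0], []).append(role)
    return {p: sorted(r) for p, r in out.items()}

# Constructed sample: project names follow the table, the assignments do not.
PROJECTS = {"Silo", "q1000", "PolarPlate", "Fire Truck 1.5", "Que Plane X400"}
ROLES = {
    "DataSmith Admin": {"Silo-ViewAll", "Fire Truck 1.5-ViewAll"},
    "Own - MISC": {"Silo-ViewOwn", "q1000-ViewOwn", "PolarPlate-Own"},
    "Silo Leads": {"Silo-ViewOwn", "Silo-ViewAll"},
    "Own - AERO": {"Que Plane X400-ViewOwn", "Que Plane X700-ViewOwn"},
}
```

Calling `audit_roles(ROLES, PROJECTS)` lists the roles to correct, and `view_all_holders(ROLES)` gives the per-project list of roles with ViewAll to review against who actually needs the complete upload history.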

Example Member User Information Blade:

Example Role Rights:
