Security in Estimate
Role based permissions
Estimate uses a role-based security model, where users can be assigned to a role on a project. A role identifies which permissions a user has been granted to perform defined functions in Estimate.
A role is a collection of permissions that defines a user’s responsibilities on a project or in an organization.
For example, Johny can be an Estimator on Job A and a Lead Estimator on Job B, giving him elevated permissions to perform actions that a less responsible estimator may not be permitted to perform.
Roles are created and managed in the Roles and Permissions page in the Suite Administration section of InEight Platform (Suite Administration > Roles and permissions).
The following image shows how the Estimator role has been defined with permissions to launch Estimate, add and edit jobs, and view snapshots, but it does not have permissions to delete jobs or add and edit snapshots.
For more information on setting up roles in InEight Platform, see Roles & Permissions in the Knowledge Library.
Security in Estimate
Who can access a job, and what they can do in it, is controlled by a combination of permissions that exist in both Platform and Estimate.
Generally, permissions managed in Platform determine which users can launch Estimate and who can manage jobs, snapshots, and templates and access the Estimate library. Permissions managed in Estimate determine which users are granted permissions to specific commands and destinations solely in Estimate.
For any user to use Estimate, they need to have a role that has been granted the Launch Estimate permission, which is found in the Estimate blade of the Roles and permissions page when editing the details of a role.
Granting permissions to access Jobs and Snapshots
When creating jobs in Estimate, new estimates must be associated with existing Platform projects and all the related OBS contents.
Multiple estimates can be assigned to a single Platform project. In this case, permissions granted to users on a project will be the same permissions for all the estimates belonging to that project.
This Platform project is used to assign roles for the purposes of granting various permissions.
To grant permissions to a particular user on a Job, go to the User Management page in InEight Platform, edit the user, and then assign the user a role on a project on the Roles tab of the Add or Edit User slide-out panel.
For more information on managing users, see the User Management section in Roles & Permissions in the Knowledge Library.
In Estimate on-premise, roles are created and managed in the User Roles register. After the role is created, users can be assigned to the role from the list in the Windows Active Directory Users and Groups in Estimate. The user's assigned role, as determined by the currently logged-in user, is used to grant permissions at the application level. Because Estimate on-premise uses the computer's logged-in user to determine the user's role, roles cannot be segregated by job. To enforce job-level security in Estimate on-premise, populate the list of users allowed in the job on the Security tab of the Job Properties form.
Organizational Breakdown Structure
Projects in Platform are required to have an Organizational Breakdown Structure (OBS) assignment. The OBS assignments can be utilized for assigning roles and granting permissions to all jobs belonging to a node in the OBS.
In the following example, Johny has been assigned as the Lead Estimator for the Site Work node of the OBS, which grants him the permissions assigned to the Lead Estimator role for every estimate created that belongs to the Site Work node in the OBS.
Permissions are cumulative, so if a user is assigned multiple roles on a single project, the role with the most permissions is applied when attempting to access various functions.
Granting permissions to destinations and commands
Estimate can grant permissions at a granular level by assigning which roles can access specific forms. You can also assign which roles can perform specific commands or actions within those forms.
Permissions are managed in the Access Control Register in the Setup tab of the Library.
This register is a list of accessible objects, which can be used to grant or restrict permissions to various roles. By default, the register is organized by type, then by category. Removing the grouping lets you search for key words using the search capabilities of the register.
The Type of the accessible object is one of the following:
• Command: Actions that are in the main ribbon navigation.
• Destination: A form or location within the application. Restricting this type of permission means that all the actions that are available in the form are unavailable.
• Register Command: These are the commands that appear for the specified register and are commonly accessed either by using the actions menu in the navigation ribbon when the register is active or using the right-click context menu commands on the records in a register.
Categories and subcategories can be used to further group and identify various accessible objects.
The Ribbon Name column provides the navigation path and name of the object as it appears in the ribbon navigation. The Show Classic Navigation Accessible Objects button on the Actions tab of the Access Control register can be used to identify accessible objects as they might have existed in the legacy version of Estimate. These objects are still available to assist users who may have set up Access Control prior to the newer ribbon navigation.
Follow these steps to set up Access Control on an Accessible object:
- Identify the role or roles in the User Roles register, then right-click to copy.
- In the Access Control register, you can filter on the Role Assigned field to help you see the roles associated with access-controllable objects.
- Select one or more accessible objects in the Access Control register and right-click to paste.
- Expand the detail records of the accessible objects to verify the role assignments have been correctly made.
You can drag and drop the Roles onto the accessible objects in these two registers.
If no roles are assigned to an accessible object, no restrictions are applied to the accessible object, and anyone with access to the application will be able to access that destination or command. When setting up Access Control, be sure to identify the commands and destinations in Estimate that you want to restrict permissions to, and then assign the roles to explicitly grant permissions to those accessible objects.
In the following example, both Estimators and Lead Estimators are permitted to invoke any of the actions on the records in the PBS Changes Register, but only the Lead Estimator is permitted to activate or deactivate the PBS Changes Log. Because no roles have been assigned to the Activate ‘View Change Record’ prompt, anyone with access to the application will be able to perform that action.
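The default-allow rule above, modeled as an added example (not InEight code): an accessible object with no roles assigned is open to everyone, so an audit should list those objects first. The field names and register rows below are constructed for illustration and are not the product's register schema or report layout.

```python
# Added example: models the Access Control rule described on this page.
# The data model and sample rows are assumptions made for illustration.
from dataclasses import dataclass, field


@dataclass
class AccessibleObject:
    obj_type: str                               # "Command", "Destination" or "Register Command"
    name: str
    roles: set = field(default_factory=set)     # roles assigned in the register


def is_allowed(obj, role):
    """No assigned roles means no restriction; otherwise the role must be listed."""
    return not obj.roles or role in obj.roles


def unrestricted(objects):
    """Names of objects that anyone with access to the application can reach."""
    return [o.name for o in objects if not o.roles]


def access_matrix(objects, roles):
    """Yes/No access per object and role, for side-by-side review."""
    return {o.name: {r: "Yes" if is_allowed(o, r) else "No" for r in roles}
            for o in objects}


def missing_restrictions(objects, must_restrict):
    """Objects the auditor considers sensitive that are still open to everyone."""
    open_names = set(unrestricted(objects))
    return sorted(name for name in must_restrict if name in open_names)


# Constructed sample mirroring the PBS Changes example in the text, plus two
# setup registers (the unassigned User Roles row is a deliberate finding).
REGISTER = [
    AccessibleObject("Register Command", "PBS Changes Register actions",
                     {"Estimator", "Lead Estimator"}),
    AccessibleObject("Register Command", "Activate/Deactivate PBS Changes Log",
                     {"Lead Estimator"}),
    AccessibleObject("Register Command", "Activate 'View Change Record' prompt"),
    AccessibleObject("Destination", "Access Control register", {"Administrator"}),
    AccessibleObject("Destination", "User Roles register"),
]

if __name__ == "__main__":
    print("Open to everyone:", unrestricted(REGISTER))
    print("Sensitive but open:", missing_restrictions(
        REGISTER, {"Access Control register", "User Roles register"}))
```
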
Access Control Report
You can use the Access Control report to audit user permissions, command access, and various restrictions without having to search through the Access Control register for this information.
The report makes it easier to find the role names along with their associated Yes and No access permissions to each form in Estimate.
Step by Step — Access Control Report
- Open a job, and then select the Setup tab.
- Click the Reports icon.
You can access the Reports menu from the Setup, Estimate, Quote, Price, and Execution tabs.
- Expand Library Module, and then select Access Control (Excel).
- Select a file name, or choose another file name path.
- Click Save, and then click Run.
What's Next: Open the Access Control Excel file to filter, sort, or perform any type of audit to help you determine user or role access.
Granting permissions to the Estimate Library
In Platform, permissions relating to the Estimate library are found in the Master data libraries permission section.
To grant Estimate library permissions to a role, the role must be an Administrator Level 3 - Account Admin. If not, the permissions are not selectable on the Add/Edit Role setup page.
The Master data libraries permission section is also where the permissions controlling which roles can manage templates are found.
Common roles used when securing an Estimate
The process of creating an estimate for a bidding opportunity commonly requires unrestricted access to the capabilities of Estimate so that estimators can work efficiently. However, depending on the level of data governance within an organization, you might want to preclude certain users from accessing some of the more sensitive parts of Estimate. Changes made there, either accidentally or otherwise, could have a detrimental impact on the organization.
Estimate's security model is very detailed and robust. When designing a security model that restricts certain features and functionality of Estimate, each company must balance the benefit of preventing unwanted or uncontrolled changes with the negative impact such restrictions can have on the productivity of the estimating process. While it is possible to create a very detailed and robust security model with many different roles for individuals within an organization, it is not necessary to set up and maintain roles for all of Estimate's accessible objects. It is likely a company can effectively secure their sensitive data with no more than a couple of roles granting permissions to a few commands and destinations.
A common way to implement security on the Estimate application is to restrict access to certain system level settings, such as who can modify data in the library, or who can change any company specified custom column captions.
The following are some of the more common Roles a company may set up, describing the purpose of the role and typical permissions:
- Lead Estimator: Lead Estimators are commonly assigned to estimates based on their knowledge and experience. They may be precluded from creating or deleting estimates themselves or changing any system level settings, but commonly have full access to all the capabilities needed to create and maintain the estimates they are assigned to.
- Estimate Manager: Estimate Managers are commonly responsible for identifying bidding opportunities and determining which opportunities to pursue. Once it has been determined that the company will pursue an opportunity, the Estimate Manager creates the estimate and assigns it to a Lead Estimator based on resource availability relative to all the bidding opportunities the company will be pursuing. These roles manage the creation of estimates and assist in ensuring all the necessary supporting data is available, such as assigning appropriate project attributes or including needed resource libraries.
- Administrator: Administrators ensure accessibility and availability of the solutions utilized by estimators. Typically, they control system level settings and activities that would affect company standards, such as changing column captions, the ability to define corporate views, the list of job statuses, and ribbon settings. Other typical permissions restricted to only the Administrator level roles are the ability to access the User Roles register and the Access Control register.