Security in Estimate

Role-based permissions

Estimate uses a role-based security model, where users can be assigned a role on a project or a role in a node of the organization breakdown structure (OBS). A role identifies which permissions a user has been granted to perform defined functions in Estimate. An advantage of managing security with role-based permissions is that users can have different roles on different projects, and the role assigned to a user determines what they have permission to do within any given project.

A role is a collection of permissions that defines a user’s responsibilities on a project or in an organization.

As an example of using role-based permissions to have different roles on different projects, a user might be the Lead Estimator of the Utilities Division, which gives them access to all estimates in that division, and also the Superintendent on one of the company's Mining projects, which gives them access to that project's control budget and other applications used in project execution.

The role-based permissions for a project can be inherited from the OBS where the project is assigned. You can be assigned a role in a node of the OBS, giving you the permissions granted by that role for every project in that node of the OBS. This lets users have different roles on different projects, meaning that what a user has access to do in any specific estimate is based on the role they have been assigned for that project.

For example, in the following image, the user is the Lead Estimator of the Utilities Division.

Roles are created and managed on the Roles and Permissions page in InEight Platform (Suite Administration > Roles and permissions).

The following image shows the Platform permissions available for Estimate in the Master data libraries section.

For more information on setting up roles in InEight Platform, see Roles & Permissions.

Security in Estimate

Who can access a job, and what they can do in it, is controlled by a combination of permissions that exist in both Platform and Estimate.

Generally, permissions managed in Platform determine which users can launch Estimate, manage the Estimate library, and manage job templates. Permissions managed in Estimate determine which users are granted permissions to specific commands and destinations solely in Estimate.

To use Estimate, you must have a role that includes the Edit estimate library or Use templates permission.

Granting permissions to access jobs and snapshots

When you create a job in Estimate, you must associate the new estimate with an existing Platform project and all the related OBS contents.

Multiple estimates can be assigned to a single Platform project. In this case, permissions granted to users on a project will be the same permissions for all the estimates belonging to that project.

This Platform project is used to assign roles for the purposes of granting various permissions.

To grant permissions to a particular user on a Job, go to the User Management page in InEight Platform, edit the user, and then assign the user a role on a project on the Roles tab of the Add or Edit User slide-out panel.

For more information on managing users, see the User Management section in Roles & Permissions.

Organizational Breakdown Structure

Projects in Platform are required to have an Organizational Breakdown Structure (OBS) assignment. The OBS assignments can be utilized for assigning roles and granting permissions to all jobs belonging to a node in the OBS.

In the following example, Johny has been assigned as the Lead Estimator for the Site Work node of the OBS, which grants him the permissions assigned to the Lead Estimator role for every estimate created that belongs to the Site Work node in the OBS.

Permissions are cumulative, so if a user is assigned multiple roles on a single project, the role with the most permissions is applied when attempting to access various functions.

Granting permissions to destinations and commands

Estimate can grant permissions at a granular level by assigning which roles can access specific forms. You can also assign which roles can perform specific commands or actions within those forms.

Permissions are managed in the Access Control Register in the Setup tab of the Library.

This register is a list of accessible objects, which can be used to grant or restrict permissions to various roles. By default, the register is organized by type, then by category. Removing the grouping lets you search for key words using the search capabilities of the register.

The Type of the accessible object is one of the following:

Command: Actions that are in the main ribbon navigation.

Destination: A form or location within the application. Restricting this type of permission means that all the actions that are available in the form are unavailable.

Register Command: These are the commands that appear for the specified register and are commonly accessed either by using the actions menu in the navigation ribbon when the register is active or using the right-click context menu commands on the records in a register.

Categories and subcategories can be used to further group and identify various accessible objects.

The Ribbon Name column provides the navigation path and name of the object as it appears in the ribbon navigation. The Show Classic Navigation Accessible Objects button on the Actions tab of the Access Control register can be used to identify accessible objects as they might have existed in the legacy version of Estimate. These objects are still available to assist users who may have set up Access Control prior to the newer ribbon navigation.

Follow these steps to set up Access Control on an Accessible object:

  1. Identify the role or roles in the User Roles register, then right-click to copy.

    • In the Access Control register, you can filter on the Role Assigned field to see which roles are associated with accessible objects.

  2. Select one or more accessible objects in the Access Control register and right-click to paste.

  3. Expand the detail records of the accessible objects to verify the role assignments have been correctly made.

You can drag and drop the Roles onto the accessible objects in these two registers.

If no roles are assigned to an accessible object, no restrictions are applied to the accessible object, and anyone with access to the application will be able to access that destination or command. When setting up Access Control, be sure to identify the commands and destinations in Estimate that you want to restrict permissions to, and then assign the roles to explicitly grant permissions to those accessible objects.

In the following example, both Estimators and Lead Estimators are permitted to invoke any of the actions on the records in the PBS Changes Register, but only the Lead Estimator is permitted to activate or deactivate the PBS Changes Log. Because no roles have been assigned to the Activate ‘View Change Record’ prompt, anyone with access to the application will be able to perform that action.
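The default-open rule and the PBS Changes example above, modeled as an added Python sketch (not InEight code). The object names, the users Ana and Guest, Project A and the data structures are constructed for illustration, and combining project and OBS-node roles as a union is an assumption about how inherited roles are evaluated.

```python
from dataclasses import dataclass, field

@dataclass
class AccessibleObject:
    name: str
    obj_type: str                              # Command, Destination or Register Command
    roles: set = field(default_factory=set)    # roles pasted onto the object

# Constructed register rows mirroring the PBS Changes example on this page.
REGISTER = [
    AccessibleObject("PBS Changes Register actions", "Register Command",
                     {"Estimator", "Lead Estimator"}),
    AccessibleObject("Activate/Deactivate PBS Changes Log", "Command",
                     {"Lead Estimator"}),
    AccessibleObject("Activate 'View Change Record' prompt", "Command"),
]

# Constructed assignments: a role on an OBS node and a role directly on a project.
OBS_ROLES = {("Johny", "Site Work"): {"Lead Estimator"}}
PROJECT_ROLES = {("Ana", "Project A"): {"Estimator"}}
PROJECT_OBS_NODE = {"Project A": "Site Work"}

def effective_roles(user, project):
    """Roles held on the project plus roles inherited from its OBS node (assumed union)."""
    node = PROJECT_OBS_NODE.get(project)
    direct = PROJECT_ROLES.get((user, project), set())
    inherited = OBS_ROLES.get((user, node), set())
    return direct | inherited

def is_allowed(obj, roles):
    """No roles on the object means no restriction: every application user passes."""
    if not obj.roles:
        return True
    return bool(obj.roles & roles)

def access_matrix(register, user, project):
    """Per-object allow/deny result for one user on one project."""
    roles = effective_roles(user, project)
    return {obj.name: is_allowed(obj, roles) for obj in register}

def unrestricted(register):
    """Audit helper: accessible objects that carry no role assignment."""
    return [obj.name for obj in register if not obj.roles]

if __name__ == "__main__":
    for user in ("Johny", "Ana", "Guest"):
        print(user, access_matrix(REGISTER, user, "Project A"))
    print("Unrestricted objects:", unrestricted(REGISTER))
```

The `unrestricted` list is the one to review first: every entry in it is reachable by a user who holds no role at all.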

Access Control Report

You can use the Access Control report to audit user permissions, command access, and various restrictions without having to search through the Access Control register for this information.

The report makes it easier to find the role names along with their associated Yes and No access permissions to each form in Estimate.

Navigate to the Access Control report

  1. Open a job, and then select the Setup tab.

  2. Click the Reports icon.

    You can access the Reports menu from the Setup, Estimate, Quote, Price, and Execution tabs.

  3. Expand Library Module, and then select Access Control (Excel).

  4. Select a file name, or choose another file name path.

  5. Click Save, and then click Run.

In the report, you can filter, sort, or perform any type of audit to help you determine user or role access.

Granting permissions to the Estimate Library

In Platform, permissions relating to the Estimate library are found in the Master data libraries permission section.

To grant Estimate library permissions to a role, the role must be an Administrator Level 3 - Account Admin. If not, the permissions are not selectable on the Add/Edit Role setup page.

The Master data libraries permission section is also where the permissions controlling which roles can manage templates are found.

Common roles used when securing an Estimate

The process of creating an estimate for a bidding opportunity commonly requires unrestricted access to the capabilities of Estimate so that estimators can work efficiently. However, depending on the level of data governance within an organization, you might want to preclude certain users from accessing some of the more sensitive parts of Estimate. Changes made there, accidentally or otherwise, could be detrimental to the organization.

Estimate’s security model is very detailed and robust. When designing a security model that restricts certain features and functionality of Estimate, each company must weigh the protection such restrictions provide against unwanted or uncontrolled changes against their negative impact on the productivity of the estimating process. While it is possible to create a very detailed and robust security model with many different roles for individuals within an organization, it is not necessary to set up and maintain roles for all of Estimate's accessible objects. It is likely a company can effectively secure their sensitive data with no more than a couple of roles granting permissions to a few commands and destinations.

A common way to implement security on the Estimate application is to restrict access to certain system level settings, such as who can modify data in the library, or who can change any company specified custom column captions.

The following are some of the more common Roles a company may set up, describing the purpose of the role and typical permissions:

  • Lead Estimator: Lead Estimators are commonly assigned to estimates based on their knowledge and experience. They may be precluded from creating or deleting estimates themselves or changing any system level settings, but commonly have full access to all the capabilities needed to create and maintain the estimates they are assigned to.

  • Estimate Manager: Estimate Managers are commonly responsible for identifying bidding opportunities and determining which opportunities to pursue. Once it has been determined that the company will pursue an opportunity, the Estimate Manager creates the estimate and assigns it to a Lead Estimator based on resource availability relative to all the bidding opportunities the company will be pursuing. These roles manage the creation of estimates and assist in ensuring all the necessary supporting data is available, such as assigning appropriate project attributes or including needed resource libraries.

  • Administrator: Administrators ensure accessibility and availability of the solutions utilized by estimators. Typically, they control system level settings and activities that would affect company standards, such as changing column captions, ability to define corporate views, list of job statuses and ribbon settings. Other typical permissions restricted to only the Administrator level roles are the ability to access the User Roles register and the Access Control register.