Security Considerations
This section provides information about security considerations related to ownership and entity restrictions.
Different groups of PPM users have ownership and control over different PPM entities. These groups are called ownership groups. Unless a global permission has been designated to all users for an entity, members of ownership groups are the only users who have the right to edit, delete, or copy that entity. The ownership groups must also have the proper access grant for the entity in order to complete those tasks.
Application administrators can assign multiple ownership groups to entities. The ownership groups have sole control over the entity, providing greater security. Ownership groups are defined in the Security Groups window. Security groups become ownership groups when used in the ownership configuration.
Ownership applies to PPM entities during migrations in the following ways:
- If no ownership security is configured for the entity, any user who has permission to perform migrations can migrate it.
- If entity ownership is configured and the user migrating is not in the ownership group, the migration fails.
- If entity ownership is configured and the user migrating is in the ownership group, the migration succeeds.
- If entity ownership is configured and the user migrating is not in the ownership group but has the Ownership Override access grant, the migration succeeds.
Note: These conditions apply to entity import, but not to entity export.
A report type might refer to security groups through entity restrictions. The Report Type migrator transfers references to security groups, but does not create any new security groups in the destination instance of PPM. If the referenced security group does not exist in the destination instance, the reference is discarded in transit. A message to that effect is displayed in the migration execution log.
If the source instance contains security groups that do not exist in the destination instance during migration, the entity restrictions for the migrated report type might be inaccurate. Therefore, after migration, manually verify report types that contain entity restrictions in the destination instance.