How are Automatic Rights Assigned?

Discussion created by John_George Employee on Apr 2, 2015
Latest reply on Mar 8, 2019 by Joxi_Mujika

Originally published on the CA Clarity PPM Cookbook on Flipboard

Also available in the CA Clarity PPM On Premise DocOps Platform

Document ID: TEC468721


Contributed by: CA Technologies Support and edited by Sunder Rosy, Information Services Engineer


CA PPM allows some rights to be automatically granted to users when their role changes. For example, if a user is assigned as the Project Manager, that user is automatically granted the Project Edit rights for that project. This eliminates the need for an administrator to have to grant that individual instance rights. Without these implied rights, the administrative overhead of constantly managing specific rights as users change assignments becomes overly burdensome, time-consuming, and cost-ineffective.


The next question is how to monitor and control user license counts if users can grant rights that will move users up to a higher license class (for example, from viewer to participant or creator) without administrative review?


There are several means within the product to monitor and control user license counts. A combination of internal processes and application functionality is necessary to manage license compliance according to your company’s individual needs.

The License Information portlets allow administrators to monitor the user license count. The administrator can track the number of users licensed as Full, Restricted, or View Only. They can drill down deeper to see how individual users are classified, and even further to see which rights caused the users to be classified. If a user is found to have rights that they should not have, the administrator can remove that right, or have the user unassigned as a project, program, or department manager which removes the automatic (or implied) rights. If the user needs those rights, you can increase the license count.

For example, a user with only view rights (and therefore classified as a Viewer) is assigned as Project Manager to a project. They will be granted project edit rights automatically based on the assignment and will be re-classified as a Full User. To manage a project, a user must be a Full User and have edit rights.

The following query identifies all resources that have automatic security access rights:

SELECT u.user_name, u.last_name, u.first_name, lu.user_id, g.group_name Access_Right, g.LIC_RIGHT_TYPE FROM

cmn_lic_users_v lu,

cmn_sec_users u,

cmn_sec_groups_v g

WHERE = lu.user_id AND

u.user_status_id = 200 AND

lu.right_id = g.ID AND

g.language_code = 'en' AND

g.group_name like '%Auto%' AND

--add right types to exclude

g.LIC_RIGHT_TYPE NOT in ('viewer')

ORDER BY u.user_name

If you want more control and are willing to assume the administrative overhead associated with this control, here are some ways to prevent assigning rights automatically:

  • Do not use the fields (such as project manager, department manager, program manager, resource manager) that assign edit rights automatically.
  • Hide the fields and substitute a custom field that associates the user as the manager without granting rights.
  • Administrators need to explicitly grant rights in these cases.