Permission Sets Overview

Permission sets are collections of security privileges that can be assigned to individual users or user groups. There are two types of permission sets in the application: global and object permission sets.

Global Permission Sets

All users must be assigned a global permission set. Global permission sets determine a user's access to application settings and application-wide functions such as administering workflows, assigning proxy users, adding and supervising timesheets, managing users and companies, and more.

Global permission sets are configured when a user is being added to the application or by editing the user's details. The default global permission set for new users is View Only (System), though the application administrator can choose a different default global permission set. Global permission sets cannot be assigned to user groups.

Object Permission Sets

Users and user groups can also be assigned security permission sets for workspaces, projects, portfolios, programs, custom logs, files, ideas, and reports when access to these objects is being granted. Object permission sets are comprised of privileges that define a user's ability to perform certain functions such as add, edit, and delete. They also define a user's level of access to an object and its data. Object permission sets can be created by application administrators in Global Admin and by workspace administrators at the workspace level.

When you assign access to an object, you can choose to define permission sets that pertain to the objects within that object. For example, when you are assigning a user access to a project, you can choose to also assign a files permission set, which will then grant the user those privileges for all files in the project. If you want a user to only be able to access one file, then you should assign that user to the file directly. Additionally, when you assign a user or user group access to a workspace, the permission sets you define will also apply to any child workspace.

If a user or user group is assigned more than one permission set for an object, the user or group has the privileges for all assigned permissions. For example, if a user is granted the Add Project privilege in one user group that they are assigned to but not another, they will still be granted the Add Project privilege.

There are two default permission sets that cannot be modified from the Permission Sets page but are available to assign to users: Administrator (System) and View Only (System).

• The Administrator (System) permission set has all privileges assigned. It grants all functionality for an object as well as access to all of the object's data. If a user has the Administrator (System) permission set for a workspace, they will be able to see all data in the child workspaces as well. The Administrator (System) permission set for a workspace or project also grants the ability to edit the user and user group security for that object. If a user adds a workspace, project, portfolio, program, custom log, file, idea, or report, then they will automatically gain the Administrator (System) permission set for that object.
• The View Only (System) permission set is the default permission set assigned to objects for users and provides read-only access to objects and their data. Some pages and objects that have their own View privileges are not included in this permission set. To learn which pages and objects have their own View privileges, check out Understanding View Privileges in the Oracle Primavera Cloud Help.