Users and security
Safran Project and Safran Planner provide three mechanisms for protecting against unauthorised access:
• Username and password - to prevent "outsiders" from accessing your project data
• Access permissions - to control the actions authorised users can perform on the objects in your Safran Project implementation.
• Multi-factor authentication – to only allow sign-ins approved through Azure Active Directory users.
Usernames and passwords
When you start your Safran session and select the database you wish to use in your Safran session, Safran asks for your username and password.
It checks the information in the user tables of that database to see if they are a valid combination and, if so, starts your Safran Project session.
Azure Active Directory users
These users are not to be members of the database role "powerplan". They should instead only be a member of the database role "public".
This is to ensure that the user cannot perform any database commands onto the Safran database tables, except being able to perform an SQL select command on a new database table: "SafranAuthenticatedUser".
When using Azure AD as authentication, it is required that the user is automatically added to the "users" table.
Safran Project users
Control over who can access Safran is mainly kept by creating users who can be granted or denied access to Projects, Project Groups, Calendars, Userfield sets, Resource sets, Symbol sets, Rule sets, Rate sets, and Profile sets. The users are kept in the table "users" with columns "login_name" and "full_name."
Each Safran user must also be a database user. To create a Safran user, the user should be made in the database first. All Safran users should be members of at least one database group. When a Safran database is initiated, a default group is initiated, and this group is granted "all" privilege to all the tables and "execute" privilege to stored procedures. Initially, all Safran project users should be assigned to this group.
Suppose the technical system administrator wants to differentiate the database privilege between different groups of users. In that case, a new group may be added through the Safran interface, and some users can be moved from the default group to this new group. The system administrator must then keep track of which users belong to which database group and grant and revoke privileges accordingly.
Safran user groups
Safran users can be organised into user groups to simplify access control.
Note: User groups, as defined in Safran, are different from DBMS Groups, which are part of the database management system. User groups in Safran are used to organize users for access control purposes.
A user can be a member of several groups.
Information about groups is kept in two tables: One table, "user_groups," keeps the definition of the groups, with columns "group_id," a numeric identification for the group, and "name," to keep a descriptive name for the group; another table "group_members" with the column "group_id" and "login_name," keeps track of which user is member of which groups.
When a Safran database is initiated, the default group "public" is created, with group_id=1. All new users are given membership in this group.
User access object type
There are two tables for access control: "user_access," with the columns "login" (user), "object_id," "object_type," and "access_level" (From 1(Read) to 4 (Exclusive); and "group_access" with "group_id," "object_id," "object_type," and "access_level."
Access to the different objects is controlled from inside Safran Project or Safran Planner.
Code | Safran Project Object | Access Levels | Access Levels | Access Levels | Access Levels |
---|---|---|---|---|---|
N | Project | 1=read | 2=test | 3=update | 4=exclusive |
S | Sub-Project | 1=read | 2=test | 3=update | 4=exclusive |
R | Resource set | 1=read | 2=update | ||
P | Profile set | 1=read | 2=update | ||
C | Calendar set | 1=read | 2=update | ||
U | Userfield set | 1=read | 2=update | ||
W | Window | 1=read | 2=update | ||
A | Rule set | 1=read | 2=update | ||
B | Symbol set | 1=read | 2=update | ||
G | Project group | 1=read | 2=test | 3=update | 4=exclusive |
L | Global set | 1=read | 2=update | ||
R | Rate set | 1=read | 2=update |
Window access restrictions
Whereas access must be set explicitly on a standard object for a user to be able to access them, windows are, by default, accessible for all users.
This window must be added to the list of windows with limited access to restrict user access to a window. If a window has restrictions, only users granted access can open it.
Setting Window access restrictions is done from Tools -> Window.