The classic Spider-Man quote, “With great power comes great responsibility,” is the theme of today’s Tech Tip, which explores a few key differences between the Administrator and Member permissions roles in Onshape Professional – and why these distinctions matter even if you are working with a small team.
To start, let’s define each role and who is responsible for what:
- An Admin has unrestricted access to all aspects of the data (Document access, permissions, etc.).
- A Member has data access based on what was assigned by an Admin.
An Admin has the responsibility of setting permissions to best protect the intellectual property (IP) of the data within their Onshape account (remember the Spider-Man line). It’s a balancing act between protecting the IP and not hindering the design process. Of course, a Member also shares a duty to protect their company’s IP, but which tasks they can perform depends on the permissions assigned by an Admin.
Let’s go over a few examples to highlight why it is important to separate Admins from Members based on their roles at your company.
Situations where restrictions are warranted may include having a Member (or team) who requires edit permissions for some folders or Documents but should have view-only access (or no access) to others. These restrictions can’t be enforced if all your Onshape users are designated “Admin” status out of convenience. It’s worth stressing again that Admins have unrestricted access to everything.
Let’s review an example that addresses who can access Documents and folders.
Permissions for Document/Folder Access
Any Onshape Document (or folder) created by a Member can automatically be accessed by an Admin, but Documents are not automatically shared with other Members. (This assumes the Document was created either at the root level or in a folder that is not currently shared.) This is a non-issue, as the Admin can simply create a folder and set access/share permissions accordingly. Users can then place related Documents into this folder, and they are automatically shared – negating the need for everyone to be an Admin.
Below is an example of a folder that is shared to “All Company Users” where copying and exporting Documents are restricted:
Now picture you are working with a supplier and they need access to your Onshape Documents. Instead of giving them broad access to all the folders and Documents, why not create a folder specifically for them and set the correct permissions? From there, you can place any of the Documents they need to access in that folder.
Here’s a familiar scenario: A user (with Admin permissions) is looking through their company Documents and “finds” a confidential design. This user exports the data onto a thumb drive and happens to lose it on the commute home. Just like that, the company’s IP is no longer secure or controlled.
If this user were a Member instead of an Admin, he or she could have had restricted permissions (Folder and Document) to that IP, significantly reducing the chances of an intentional or unintentional security breach.
Permissions in Release Management
What about assigning roles when using Release Management? With Admin permissions, a user can create and approve any and all release candidates. A user assigned the Member role would need to specifically be given create/approval permissions (see options below).
Let’s imagine the following scenario, which is unfortunately all too common: A user is set up with Admin permissions and is working on a widget. This widget has to be sent out today in order to meet the deadline. In haste and unknown to anyone else, the user creates and approves a release candidate without it being checked or following protocols. Not surprisingly, this results in a costly manufacturing error and the lead time is pushed out even further.
If this user were a Member, there would be an insurance policy. The widget would have to go through the proper workflow and be checked by another individual before being sent to the supplier.
The scenarios above are hardly unique. The more people who have unrestricted access to your company’s IP, the more likely something can and will go wrong – even if your colleagues have the best of intentions. The best practice is never to have more than two Admins per company (a primary and a backup).