PLDB supports different security models depending on the requirements of a company. In general the security model restricts access to a prospect. Based on that, access is also restricted to the data underneath that prospect.
Currently the following three models are supported:
Security Restricted by Basin
Security Restricted by Joint Venture
Security Restricted by Basin with optional Joint Venture override
For all three models, it is possible to specify Read, Write, Delete and Archive access for users. Delete and Archive access only apply to the prospect itself. A user needs Delete access to delete a whole prospect, however, they only need Write access in order to delete data underneath a prospect, like targets and drilling opportunities.
To set up the security model to use, a specific entry in the database table PPDM_RULE is required, with RULE_ID='SECURITY_MODEL' and the USE_CONDITION_TYPE value set to either 'BASIN', 'JV' or 'BASIN_JV_OVERRIDE'. This can be setup as part of your Petrosys PLDB installation process. The default security model is by Basin.
Security Restricted by Basin
This model uses the Basin assigned to a prospect to determine whether a user has Read, Write, Delete and Archive access.
If a user does not have Read access to a Basin, they will not be able to see any prospects in that Basin.
The same principle applies to Write, Delete and Archive access.
Security Restricted by Joint Venture
This model uses the Joint Ventures assigned to a prospect to determine whether a user has Read, Write, Delete and Archive access.
As prospects support optional assignment of a main Joint Venture, along with other Joint Ventures the following rules apply:
Prospects with no Joint Venture assigned are visible and editable by all users with PLDB database access.
If a user has Read access for one or more Joint Ventures assigned to a prospect, they will be able to see that prospect.
If a user does not have Read access to any Joint Venture assigned to a prospect, they will not be able to see that prospect.
The same principle applies to Write, Delete and Archive access.
Security Restricted by Basin and Joint Venture
This model uses the Basin along with any Joint Ventures assigned to a prospect to determine whether a user has Read, Write, Delete and Archive access.
This is to support the base level security access for users being defined at the Basin level, with the option to additionally restrict or grant access to specific/sensitive Joint Ventures for certain users. The Joint Venture access or restrictions take precedence over the Basin level user access. The default security for a Joint Venture is full access, unless one or more users have been explicitly given access to that Joint Venture, in which case the default for all other users is no access. e.g.
If a user has Read/Write access for the Basin assigned to a prospect, and no additional access has been defined for the Joint Venture(s) assigned to the prospect for any user, then the user will be able to view and edit that prospect.
If a user has Read/Write access for the Basin assigned to a prospect, and no additional access has been defined for the Joint Venture(s) assigned to the prospect for this user, however access has been defined for all of the Joint Ventures for some other users, then the user will not be able to view or edit that prospect.
If a user has Read/Write access for the Basin assigned to a prospect, but for the Joint Venture(s) assigned to the prospect, they have only been given Read access, they will only be able to view the prospect, and not edit it.
If a user has Read only access for the Basin assigned to a project, but they have Read/Write access for any of the Joint Ventures assigned to the prospect, then they will be able to view and edit that prospect.
For a prospect with two Joint Ventures, if security has been defined for one Joint Venture for another user (meaning this user has no access for this Joint Venture), and the other Joint Venture has no access defined for anyone (meaning this user has full access for this Joint Venture), then it will fall back to the Basin level access that has been defined for that user.
The same principle applies to Delete and Archive access.
There are some additional restrictions to this:
A user must have Write access for the Basin when creating a new prospect. i.e. a user cannot create a prospect for which they only have Read access at Basin level, despite having Write access to the Joint Venture.
A user must have Write access for the Basin of an existing prospect in order to change or assign a new Joint Venture to it.
Viewing your permissions
Menu Option:
/Prospects & Leads/My Access
The My Access screen allows individual users to see which Basins and Joint Ventures they have access to, without needing to involve an administrator. This screen does not allow changes to access permissions.
Setting permissions for a single user
Menu options:
/Admin/Security/Prospects & Leads/User Access
/Admin/Security/Prospects & Leads/Basin Access/Single
/Admin/Security/Prospects & Leads/JV Access/Single
These options are only available to administrators. They allow viewing of which permissions a user has, as well as assigning of access to Basins and Joint Ventures.
Alternately you can view the permissions starting at a Basin or Joint Venture and see which users have access.
Setting permissions for multiple users
Menu option:
/Admin/Security/Prospects & Leads/Basin Access/Multi
This option is only available to administrators. It allows changing of access permission for multiple users in a single step. The administrator selects:
The users they want to update.
The Basins they want to update permissions for.
The access they want the users to have - Read / Write / Delete / Archive
and then presses 'Save' to update the access permissions.
The screen can also be used to remove permissions. e.g. To remove access to one or more Basins from a group of users, the administrator selects:
The users they want to update.
The Basins they want to remove permissions for.
and then presses 'Delete'.
