Business Rules – Grant and Remove Access Rights (Clarity 16.3.0)

Have you ever wished for an easy way to grant and revoke access rights for Clarity users, without having to rely on a system admin to do this for you?

Good news! The Clarity user group has spoken, and Broadcom has delivered. Clarity version 16.3.0 contains new functionality which has been developed as a result of a customer innovation idea.

This feature allows admins to create business rules on blueprints, which empowers Clarity users at the team level to provision and remove access rights for users based on resource attributes. The beauty of this functionality is that project managers and other Clarity users can really take control of their investments and make their own decisions about who should have access. This can foster greater collaboration between team members. It also saves time and reduces administrative tasks for system admins.

In this article, you will learn how to set up your Clarity system to empower team members to manage access rights on their own.

Get Started – System Configurations

To save themselves time and effort, system admins need to do a little work to get the system set up correctly.

To set up a rule for access rights on the blueprint, a system admin must ensure there is a designated resource attribute on the target object. Remember, these rules must be created on master objects only.

Admins can use a single select or a multi select lookup on the attribute. Just make sure that the lookup is a resource-based lookup. If uncertain, the best way to verify is to review the lookup itself, and make sure the Object is set to Resource.

Now, let’s consider a scenario:
A project manager (PM) needs to provide access to staff from the finance department so that they can update cost plans on one particular project.

The system admin follows the steps above and confirms that the lookup is attached to the correct Object: [Resource].

Next, the system admin creates a new attribute on the Project object, utilizing the Active Resources Browse lookup. In this example, it’s called, “Finance Partners.”

Once the attribute has been set up, the admin creates the rule on the blueprint by navigating to the blueprint type associated to the master object. For this example, the new Project blueprint is called, “Project – Shared Access.”

Next, the admin places the blueprint into Edit mode and ensures they are on the Properties tab. Then, they search for the new attribute and click and drag it onto the blueprint layout.

With the attribute now visible on the blueprint, the admin sets up the rule by clicking the Rules tab and selecting New Rule.

Next, they Name the rule, add a Description and select the Target Object.

Under Rule Type, they select Security Update. 

Next, the admin updates the Target Resource Attribute and selects the resource field.

There are three options:

  • Grant Rights to New Resource: Each time you add a resource to this attribute, they will automatically be granted the designated access rights.

  • Revoke Rights from Previous Resource: Each time you remove a resource from this attribute, the access rights attached to this blueprint rule will be automatically revoked.

  • Transfer Rights from Previous Resource to New Resource: This option will automatically revoke rights for resources that are removed from the attribute and grant the same rights to resources that are added.

Once they have made their selections from the above options, the admin can specify the access rights for the rule. Remember, a maximum of 20 rights can be added per rule.

In this example, the admin selects both the Grant and Revoke options to provision access rights for project financial plans. This allows the PM to tailor specific rights for individual users.

Here, resources are provided with access to ‘view’ the project, and ‘view’ and ‘edit’ the financial plans.

Once the preferred rights have been selected, the admin clicks Create.

To finish, the admin clicks Publish.

Testing System Settings

To test that the settings are correct, let’s log in as a Project Manager.

First, for this rule to take effect, make sure the correct blueprint is assigned to your project. In our example, the Project – Shared Access blueprint is assigned to the “Website Upgrade” project.

When the project manager drills down into the project record, the Finance Partners attribute now appears on the project Properties page, just as configured in the blueprint. At this point, the field is still blank, with no resources added yet. This is as expected. We’ll leave this blank for now while we check the current access level of our test resource…

To check the new rule, first we log out of the system as our PM. Next, we log in as Sally Smith, our test resource and a member of the finance department.

Sally has not yet been assigned the Finance Partners attribute, and so she does not have access to any projects in the system. The system is operating as it should.

Screenshot from Clarity 16.3.0 showing the Projects grid with the Projects module icon highlighted in the left navigation panel. The user “Sally Smith” is logged in, as shown in the upper right corner. The main grid displays the message “No Rows To Show,” indicating the user has no visible project access.

To manage access rights for Sally, log out as Sally and log back in as the project manager.

The PM adds Sally to the Finance Partners field.

Remember, the rule won’t be triggered when creating a new record, so don’t add resources to your templates. Instead, wait until the project/investment record is created, then assign team members to your attribute.

For the final system check, log back in as Sally. Now, you can see that she has access to the Website Upgrade Project, as she should.

Still logged in as Sally, click on the name of the project to open it. On the Properties tab, notice that the attribute fields are read-only. These access rights align with the permissions that the PM provisioned within the blueprint: Finance Partners can view project details, but not edit them.

Screenshot from Clarity 16.3.0 showing the “Properties” tab of the “Website Upgrade” project. The fields display details such as Project Name, Project ID, Project Type, Project Category, Start and Finish dates, and Work Status, which is set to “Requested.” A cursor hovers over the Work Status field, indicating it is view-only. This aligns with the Finance Partner role’s read-only permissions set in the blueprint.

To confirm additional permissions are correct, navigate to the Financials tab and check the Cost Plans. As expected, Sally has access to Create a new cost plan…

Screenshot from Clarity 16.3.0 showing the “Financials” tab selected for the “Website Upgrade” project while logged in as user “SS” (Sally Smith). The left navigation highlights “Cost Plans,” and a blue plus sign button is visible, indicating that Sally has permission to create a new cost plan.

… and Sally also has access to Edit cost plans.

In accordance with the access rights on the blueprint, Sally also has access to Create new benefit plans…

Screenshot from Clarity 16.3.0 showing the “Financials” tab of the “Website Upgrade” project. The “Benefit Plans” section is selected in the left panel, and the plus icon is highlighted, indicating that user Sally Smith (shown in the upper-right corner) has permission to create new benefit plans.

… and can also Edit Benefit Plans.

If a Budget Plan exists in a Submitted state, Sally can edit the budget plan. (Note: by design, Budget Plans can only be edited when they are in a Submitted state.)

As shown in this walkthrough, the new blueprint capabilities for access rights can save time and provide greater autonomy for project managers and other Clarity users. They can now provision access for their investments without relying on a system administrator.

Settings for Success

To ensure you get the most out of this feature, keep the following in mind:

  • First of all, you can only have one active security update rule per blueprint for the same user, and you can’t use bulk edit to update the resource attribute.

  • The rule will also only apply to selected MUX rights – any rights specific to Classic will not work.
  • If you select Grant or Revoke for your rule, then you cannot select Transfer (and vice-versa).

  • If your lookup displays a Role, Team or Non-Labor value, it will be ignored, so make sure you are using only named resources against your attributes.
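The rule behavior described in this article can be written down as a small model for planning access reviews and test cases. This is an added example, not Clarity or Rego code: the class, function and right names are hypothetical, the sample values are constructed, and it assumes that a rule without the Revoke or Transfer option leaves a removed resource's rights in place.

```python
from dataclasses import dataclass

MAX_RIGHTS_PER_RULE = 20  # per-rule limit stated in the article


@dataclass(frozen=True)
class SecurityUpdateRule:
    rights: frozenset          # rights the rule provisions
    grant: bool = False        # Grant Rights to New Resource
    revoke: bool = False       # Revoke Rights from Previous Resource
    transfer: bool = False     # Transfer Rights from Previous to New Resource

    def __post_init__(self):
        if len(self.rights) > MAX_RIGHTS_PER_RULE:
            raise ValueError("a rule can carry at most 20 rights")
        if self.transfer and (self.grant or self.revoke):
            raise ValueError("Transfer cannot be combined with Grant or Revoke")


def named_resources(values):
    """Keep named resources only; Role, Team and Non-Labor values are ignored."""
    return {name for name, kind in values.items() if kind == "named"}


def plan_changes(rule, before, after, is_create=False):
    """Return the grants and revocations expected for one attribute update.

    before/after map each lookup value to its kind (assumed labels:
    'named', 'role', 'team', 'non-labor').
    """
    plan = {"grant": {}, "revoke": {}}
    if is_create:  # the rule is not triggered when the record is created
        return plan
    added = named_resources(after) - named_resources(before)
    removed = named_resources(before) - named_resources(after)
    if rule.grant or rule.transfer:
        plan["grant"] = {r: sorted(rule.rights) for r in sorted(added)}
    if rule.revoke or rule.transfer:
        plan["revoke"] = {r: sorted(rule.rights) for r in sorted(removed)}
    return plan


# Constructed right names mirroring the article's example
FINANCE_RIGHTS = frozenset({"project:view", "financial_plan:view", "financial_plan:edit"})

if __name__ == "__main__":
    rule = SecurityUpdateRule(FINANCE_RIGHTS, grant=True, revoke=True)
    print(plan_changes(rule, {}, {"Sally Smith": "named", "Finance Analyst": "role"}))
    # Grant-only rule: removing Sally plans no revocation, so her rights remain
    grant_only = SecurityUpdateRule(FINANCE_RIGHTS, grant=True)
    print(plan_changes(grant_only, {"Sally Smith": "named"}, {}))
```

Comparing the planned changes with what a test user can actually see after each edit to the attribute shows whether a rule leaves access behind when someone is removed.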

Learn More

For more information on how to use blueprints to provision access rights in Clarity:

If you are interested in learning more about Clarity blueprints and blueprint rules, Rego can guide you.

Our experienced, real-world practitioners have helped organizations all across the globe to track actionable data through enhanced visibility and real-time monitoring. To learn more, contact us or reach out to your Rego Account Manager.

About the Author: Michelle Sergeant

Michelle Sergeant is an accomplished PMO Manager with 15+ years’ experience in all aspects of project delivery and project governance. In her role at Rego Consulting, she is responsible for partnering with our valued clients to help guide them in meeting business needs and maximizing the value from their Clarity PPM investment. She is also an experienced journalist, having completed a Bachelor of Communications at Griffith University, in Brisbane Australia, so writing tech-based articles for Rego is right up her alley.
