Shared Documents Security

_Ðave__Ðave_ Member, Developers Posts: 712 ✭✭✭✭
edited September 2015 in Data management
 It has been my understanding that only I can make my document public, which is expected if my document is private.
I'm now starting to share my documents with sub-contractors and I'm realizing that there is no way that I can keep the contractor from making a copy and making my document public.

 Is this the intent or can we expect some sort of protection against this? I'm not sure what can/should be done but I have customers with DOD contracts and I don't think this will fly.

 Does anyone have experience with DOD and ITAR compliance? Is this something I should be concerned about?

Thanks

Comments

  • viruviru Member, Developers Posts: 619 ✭✭✭✭
    edited September 2015
    @da_vicki, Currently there is no option in Onshape to restrict making a copy of a shared document. But there is one workaround to protect your model ingredient. You have to save your document tab in another format like STEP, IGES, PARASOLID etc. and import it again in a new document. This new document you can share with the contractor.
    You raise an excellent point regarding data protection. I hope in the near future Onshape will definitely solve your concern.
    +1 from my side
    The document owner can restrict the shared user from sharing his document at the time of sharing by selecting one option as shown below.
  • shashank_aaryashashank_aarya Member Posts: 265 ✭✭✭
    edited September 2015
    viru said:
    @da_vicki, Currently there is no option in Onshape to restrict making a copy of a shared document.

    @viru You have already given the method to protect the document and I feel this is the only standard method.
  • matthew_menardmatthew_menard Member Posts: 96 ✭✭✭
    Interesting question.  The facility I work at makes ITAR and DOD controlled components and there are extra measures we must go through to handle these prints.  It would be interesting to hear from an export compliance professional on whether or not cloud based systems are ITAR compatible.  How much access do OnShape staff members have to users' files?  Is it only in the event that you flag the file to be shared with OnShape's staff?  I only ask because one of the few things we know about ITAR is that only US citizens are allowed to see any documentation related to an export controlled project (which makes things interesting because the facility is owned by a British conglomerate).  If OnShape's staff isn't all US citizens and they have some kind of access to user files, this may not be acceptable for ITAR compliance.
  • lougallolougallo Member, Moderator, Onshape Employees, Developers Posts: 1,995
    @matthew_menard Onshape has access only to the documents you decide to share with us.  Explicitly sharing with an email, toggling the share with support slider, or making a document PUBLIC are the only ways we get access.  We are working on improving the service to comply with these standards in the future.  We do outline our Terms and Privacy here: https://www.onshape.com/beta-terms-of-service.
    Lou Gallo / PD/UX - Support - Community / Onshape, Inc.
  • matthew_menardmatthew_menard Member Posts: 96 ✭✭✭
    edited September 2015
    Thanks for the response, Lou.  The Terms and Privacy statement you linked would (I imagine) be fine for a company's IP security, but I'm not sure defense contractors working with ITAR related items would want to use OnShape (or any other cloud based service) for the time being.

    The following links are about a defense contractor that was asking the DOD for the ability to use cloud based systems last year.
    http://www.law360.com/articles/562917/cloud-computing-poses-unique-export-controls-challenges
    http://blogs.wsj.com/riskandcompliance/2014/06/09/u-s-shifts-on-allowing-defense-data-in-cloud/

    It looks like the DOD is starting to think about allowing contractors to use cloud based systems, but hasn't yet updated the regulations to reflect that (I am not a lawyer or export control expert, so I may be misunderstanding something here).

    Amazon Web Services seem to have a "US Gov Cloud" product to better accommodate ITAR and other sensitive data:
    https://aws.amazon.com/govcloud-us/

    Perhaps at some point, users would be able to opt to have their data stored in one of these ITAR compliant servers?  Because even if OnShape's features make a defense contractor's data secure within that environment, the lack of control over the cloud based systems running OnShape and storing its data would still prevent it from being ITAR compliant.
  • _Ðave__Ðave_ Member, Developers Posts: 712 ✭✭✭✭
    edited September 2015
    @lougallo Please issue a ticket for me to be advised when Onshape has become ITAR compliant and has a public statement with details that I can present to my client/customer.

    Thanks
  • Hans_Ole_LeirvikHans_Ole_Leirvik Member, Simulation EVP Posts: 70 PRO
    This is a very important topic. I would like to propose changing the option on OnShape's front page 'Shared with me' to 'Shared By Me' - or adding a new one.
    The 'Shared with me' is useless for me because it lists all documents I have made in OnShape (Prof. license)

    In my work with OnShape I must confess I have lost track of which documents I have shared with others outside of the company. This is a bad situation for me :(

    For my colleagues I have now prepared a document describing how to share OnShape models in a better way, see attached pdf file.
  • Hans_Ole_LeirvikHans_Ole_Leirvik Member, Simulation EVP Posts: 70 PRO
    edited November 2019
    This is a very important topic. I would like to propose changing the option on OnShape's front page 'Shared with me' to 'Shared By Me' - or adding it as new.
    The 'Shared with me' is useless for me because it lists all documents I have made in OnShape (Prof. license)

    In my work with OnShape I must confess I have lost track of which documents I have shared with others outside of the company. This is a bad situation for me :(

    For my colleagues I have now prepared a procedure describing how to share OnShape models in a better way:

    1.       Choose the tab you want to share

    2.       Choose Export and click on «Store file in a new Tab»

    3.       You will now get a new Tab containing a STEP file, but you can't see the geometry

    4.       Right click on the new tab and select Import

    5.       Choose «Combine to a single Part Studio»

    6.       You now get a new Tab where you can see the geometry 

    7.       Now you must move the new tab to a new document. You can then share the new document with others. Later you can stop sharing this document or you can just delete it. Type in the name of the new document and click Move

    8.       The new document now contains two tabs, one for the STEP data and one for the visible geometry

    9.       Share the new document

    10.   Turn on Link Sharing

    11.   You can now safely share the link with others
  • tim_hess427tim_hess427 Member Posts: 648 PRO
    From my perspective, there is a big disconnect in the sales pitch for Onshape.

    1) "It's easy to securely share your documents with vendors, partners, etc! All they have to do is create a free account, and they can log in to see what you've shared with them!".

    Doesn't co-exist very well with... 

    2) "Everything you create in your free account is public to anybody in the world!"

    I understand the reasoning behind each statement in isolation. But, these can't be isolated. I wanted to share some sensitive data with a vendor, so I asked them to create an account and shared a model with them. They promptly made some design change suggestions (changes not possible in Onshape) and uploaded them to a new, public document to share them back to me :( 

    It would be great to see some work around these workflows and new user education when bringing people in as collaborators. 
  • owen_sparksowen_sparks Member, Developers Posts: 2,660 PRO
    edited November 2019
    I think the decider here is if you want your vendor to make changes.  If not then I think it's OK today.  You can share without copy or edit rights and your data is safe.
    If you do want the vendor to be able to edit then you'll need to activate one of your company accounts with their user/email address and share with them.  (Probably still with copy inhibited.)  You can then remove that user when the project is done.  Has the added advantage that the list of users is far more visible than shares so removing users is easy.
    Owen S.
    Business Systems and Configuration Controller
    HWM-Water Ltd