User Permissions
The user permissions implemented by InfoAsset Manager are designed to prevent users from accidentally making changes to data they should not be editing.
A set of simple user access permissions can be applied at database level, group and individual action level.
With access permissions activated the following types of InfoAsset Manager user are available:
Because permissions are assigned at group level and not to a specific software product, every role will be available for selection, even if it does not necessarily apply to your software product.
- Database Owner - a database owner has full administrative powers over the database
Show details - Model Owner - a Model Owner of a Model Group has full edit and delete powers over
that model group Show details
- Model Viewer - a Model Viewer has read-only access to the database. A Model Viewer cannot carry out any editing but may be able to carry out other operations that do not alter the underlying data Show details
- Collection Asset Owner - a Collection Asset Owner has full edit and delete powers over Collection objects in that Asset Group Show details
- Collection Asset User a Collection Asset User has edit powers over Collection database items, but cannot create or delete collection items or carry out any actions that will modify network preferences Show details
- Collection Asset Viewer - a Collection Asset Viewer has read-only access to Collection objects in the database. A Collection Asset Viewer cannot carry out any editing on collection objects but may be able to carry out other operations that do not alter the underlying data Show details
- Distribution Asset Owner - a Distribution Asset Owner has full edit and delete powers over Distribution objects in that Asset Group Show details
- Distribution Asset User a Distribution Asset User has edit powers over Distribution database items, but cannot create or delete distribution items or carry out any actions that will modify network preferences Show details
- Distribution Asset Viewer - a Distribution Asset Viewer has read-only access to Distribution objects in the database. A Distribution Asset Viewer cannot carry out any editing on distribution objects but may be able to carry out other operations that do not alter the underlying data Show details
- Asset Network Owner - an Asset Network Owner has full edit and delete powers over Asset Network objects in that Asset Group Show details
- Asset Network User an Asset Network User has edit powers over Asset Network database items, but cannot create or delete asset network items or carry out any actions that will modify network preferences Show details
- Asset Network Viewer - an Asset Network Viewer has read-only access to Asset Network objects in the database. An Asset Network Viewer cannot carry out any editing on asset network objects but may be able to carry out other operations that do not alter the underlying data Show details
- Database User - a Database User is a user with no specific role specified for a group and has read-only access to the database Show details
- Live Owner - a Live Owner of a Live Group has full edit and delete powers over
all items of a selected Live Group Show details
There are three other Live roles further restricting powers that users may have over Live Groups. These are:
- Live Control Room Manager - A Live Control Room Manager has edit powers in both ICMLive Configuration Manager and ICMLive Operator Client. The difference between Live Control Room Manager and Live Owner is that the Live Owner has full edit privileges over all items in a Live Group whereas a Live Control Room Manager can only edit manifest and manifest deployment objects contained in that Live Group Show details
- Live User - a Live User has edit powers over Live Group items, but cannot create or delete Live Group items or carry out any actions that will modify network preferences. Please note that if Live Users can edit manifests and manifest deployments (for example, edit parameters in the Run Schedule grid of the Setup tab of the Manifest) they are not allowed to perform specific tasks on these objects such as those listed below Show details
- Live Viewer - a Live Viewer of a Live Group has read-only access to that Live Group in the database. A Live Viewer cannot carry out any editing on Live Group objects but may be able to carry out other operations that do not alter the underlying data.
- TSDB Owner - a TSDB Owner of a Model Group has full edit and delete powers over time series database objects contained in that group ( Model Group).
- TSDB Editor - a TSDB Editor of a ModelGroup can edit time series database objects contained in that group (Model Group), but cannot add or delete data streams.
- TSDB User - a TSDB User of a Model Group can create user edits for time series database objects contained in that group (Model Group). These user edits may be used in runs but they cannot be applied to the time series database.
- TSDB Viewer - a TSDB Viewer of a Model Group can view (not edit) time series database objects contained in that group (Model Group).
User roles for a Model Group are viewed in the Properties Dialog of the group. Note that the properties dialog will only display user roles that have been specifically appointed to that group and will not display user roles of parent groups. For example, if parent Model Group A with owner 'user1' has a sub Model Group B, 'user1' will only appear in the properties dialog for A although 'user1' will also have full edit powers over B.
Backwards Compatibility
If your database is an
For any particular user name, if the InfoAsset Manager database list already contains that user, the software checks that the Full Name and Administrator (Database Owner) settings are the same – if they are different, the settings already in InfoAsset Manager take precedence and a message is shown at the end of the import to warn that the settings were different for one or more users.
When a
The above happens regardless of whether Implement Permissions is currently switched on in the
Tip Note that this means that a user who is an Administrator (Database Owner) of the
For new databases created in InfoAsset Manager, you do not have to invoke access permissions. With the permissions option turned off, all users have Database Owner powers.
Using User Permissions
All changes to user permissions are made from within InfoAsset Manager.
You can check whether user permissions are activated or not on the InfoAsset Manager About Box. It will also tell you who the Database Owners are, and if the current user is a Database Owner.
When user permissions are activated, you can tell who owns a particular Model Group by right clicking on the group and choosing Properties from the popup menu. Then change to the Owners Page of the dialog.
Tip The properties dialog of a "child" group will only display owners that have been specifically appointed to that group and will not display owners of any parent groups. Owners of parent groups will also have full edit rights over the child group.
Enabling User Permissions
User permissions are turned on or off for the current master database using the Users and Permissions Dialog, displayed by selecting the Master database settings | Users and permissions... option on the File menu. Only a Database Owner can turn user permissions off.
Check the Implement users and permissions in this database in the dialog to enable user permissions.
There are a number of database-wide settings that, by default, can be edited by all database users. These global settings can be protected, allowing only edits by Database Owners to be saved. Check the Only database owners can change database-wide settings option to restrict editing of global settings to Database Owners. (This option is only enabled if user permissions are turned on.) With this option checked the OK button on the following dialogs will be disabled for all users that are not Database Owners:
- User Defined Flags Dialog
- User Defined Field Names Dialog
- Default Logo Dialog
- Shared Custom Actions Dialog
- Standards and Choice Lists Dialog
- Pipe Shapes Dialog
Use the Default permission is: dropdown to set the default permission for all objects in the database for Database Users that do not have specific roles specified. The options are:
- View all data - the user can open objects but has read-only access.
- View group contents only - the user can see objects in the tree but cannot open them. Only the properties of the objects can be viewed.
You can check on the current status of User Permissions by looking at the InfoAsset Manager About Box.
Adding Users to the Database
Only a Database Owner can add or remove users from the database or change the privileges of a current user.
- With user permissions activated, choose Master database settings then Users and permissions... from the File menu. This displays the Users and Permissions Dialog.
- To add a new user, type the user name in the Username box of the New
User section and click the Add button.
InfoAsset Manager uses login names to identify users, so the name typed in must match the name the user uses to log in to the computer or network.
- By default, users are added with Database User privileges. You can add, or remove, Database Owner privileges by checking or unchecking the tick box next to the user's name.
- To remove a user from the list completely, highlight their name on the users list and then click the Remove button.
The Database Owner who is editing User Permissions cannot alter their own permissions. They will remain as a Database Owner.
Adding a Windows group as a Database User
It is possible to add a Windows group as a Database User. Users who are members of such a Windows groups will automatically inherit the roles assigned to the group for relevant groups in the tree, in addition to the roles assigned specifically for the user.
To add a Windows group as a user, type the group name within square brackets e.g. [User-Group-1]. All users and groups must be in the same domain, which is the domain of the computer.
Adding Owners to Model Groups
Users must be added to the database as Database Users before they can be given control of Model Groups.
Only a Database Owner can give users control over a Model Group.
To make an existing Database User a Model Group Owner:
- If no Explorer Window is open, choose New Explorer window from the Window menu to open an Explorer Window of the current master database
- Right click on the Model Group and choose Advanced, then Edit group permissions from the popup menu to display the Edit Group Permissions dialog OR Manage user permissions from the popup menu to display the Manage User Permissions Dialog.
- Owners can be added or removed from these dialogs.
The Edit Group Permissions Dialog is used to view and set permissions on a selected model group for multiple users.
The Manage User Permissions Dialog is used to view and set permissions of a selected user for multiple model groups within the database.
A Model Group can have any number of owners. Owners have full rights over the group, and over other Model Groups contained within the group. Additional owners may also be added to "child" groups.
When Do Changes Take Effect
If a Database Owner makes changes to InfoAsset Manager user permissions, these changes will not be applied to users who are currently using the master database until they exit InfoAsset Manager and open the application again.
Permissions for Existing Databases
When using an existing database for which permissions are currently disabled, any user can turn on User Permissions for that database.
The user turning on permissions for the first time is automatically added as a Database Owner. This prevents a situation where nobody has ownership of the database and all potential users are locked out.
Getting the database identifier
In the event that it is necessary to reset user permissions for a master database, it is possible to grant a user administrator access to a database via an emergency reset file.
An emergency reset file can be obtained from Innovyze. In order to generate the reset file, database identifier and user name information will be required.
If the user has access to the database, the database identifier can be obtained by opening the master database and looking in the Additional Information section of the About Box.
If the user does not have access to the database, the database identifier can be obtained by the following steps:
- Select the menu option File | Master database settings | Get database identifier....
- The Open Master Database Dialog will be displayed. Select the master database for which the identifier is to be retrieved and click OK.
- A standard file save dialog will be displayed. Select a location to save the identifier file to and click Save. The identifier.dat file will contain the identifier of the selected master database.
Resetting Permissions
In the event that it is necessary to reset user permissions for a master database, it is possible to grant a user administrator access to a database via an emergency reset file.
An emergency reset file can be obtained from Innovyze. In order to generate the reset file, database identifier and user name information will be required.
In order to apply the emergency reset file to a master database and grant administrator access to a user:
- Select the menu option File | Master database settings | Emergency permissions reset....
- An information message will be displayed. Click OK.
- The Open Master Database Dialog will be displayed. Select the master database to be reset and click OK.
- A standard file open dialog will be displayed. Select the reset file to be used and click Open.
Ensure that the required user name (as shown in the Users and Permissions Dialog) and the database identifier are sent to Innovyze.
Network role-based write permissions
In addition to the user permissions described above, there is another type of permission that can be granted to asset network users by database owners. These permissions apply to the whole master database or to a specific asset network only. Such permissions are associated with network roles, allowing database owners to place restrictions on certain users. Users can be prevented from creating and deleting network objects, as well as from writing to particular fields.
Tip Note that these network roles are applicable to asset network users only.
These permissions can only be implemented for databases where network roles have been enabled. This is achieved by enabling the Implement network roles for asset networks in this database option of the Users and Permissions Dialog. The assignment of one or more network roles per user is carried out by database owners in the Users and network roles Dialog, which is accessible via the Master database settings | Users and network roles... option of the File menu. Roles are configured in the Network roles and write permissions dialog that gets displayed when the Network roles... button is clicked in the Users and network roles dialog. All InfoAsset Manager data still remains visible to all users but with the use of these network roles, certain fields and the creation/deletion of network objects can be restricted.
