User Permissions

The user permissions implemented by InfoWorks ICM are designed to prevent users from accidentally making changes to data they should not be editing.

A set of simple user access permissions can be applied at database level, group and individual action level.

With access permissions activated the following types of InfoWorks ICM user are available:

Note: Because permissions are assigned at group level and not to a specific software product, every role will be available for selection, even if it does not necessarily apply to your software product.

Database Owner - a database owner has full administrative powers over the database:
- The creator of the database automatically becomes a Database Owner
- There can be more than one Database Owner
- Only Database Owners can create Model Groups at the top level of the database
- Only Database Owners can copy Model Groups and then paste them at the top level
- Only Database Owners can appoint Model Group Owners. This is true even if the Model Group is a sub-group of an existing Model Group.
Model Owner - a Model Owner of a Model Group has full edit and delete powers over that model group:
- Only Database Owners can create Model Groups at the top level of the database. Model Owners can create additional Model Groups within the group they own.
- By default, Model Groups at the top level have no Owners.
- Ownership of Model Groups is recursive. Owners of a Model Group will also have full edit and delete powers over "child" Model Groups contained within the Model Group.
Model Viewer - a Model Viewer has read-only access to the database. A Model Viewer cannot carry out any editing but may be able to carry out other operations that do not alter the underlying data.
A Model Viewer can re-run simulations that have previously been run successfully, and create and use:

Collection Asset Owner - a Collection Asset Owner has full edit and delete powers over Collection objects in that Asset Group:
- Only Database Owners can create Asset Groups at the top level of the database. Asset Group Owners can create additional Asset Groups within the group they own.
- By default, Asset Groups at the top level have no Owners.
- Ownership of Asset Groups is recursive. Owners of an Asset Group will also have ownership of Asset Groups within the Asset Group
- A Collection Asset Owner cannot delete an Asset Group if it contains Distribution objects (unless the user is also a Distribution Asset Owner of the group) or Asset Network objects (unless the user is also an Asset Network Owner of the group) .
- A Collection Asset Owner cannot create or edit Distribution objects (unless the user is also a Distribution Asset Owner of the group) or Asset Network objects (unless the user is also an Asset Network Owner of the group) in the Asset Group.

Collection Asset User a Collection Asset User has edit powers over Collection database items, but cannot create or delete collection items or carry out any actions that will modify network preferences.

The actions that cannot be carried out by the Collection Asset User are:

save coordinate system for the GeoPlan (the coordinate system for the current GeoPlan may be modified, but will revert to the previous setting for the next session)
change the default GIS layers that open with the GeoPlan (current layers may be modified)
save changes to properties and themes for the GeoPlan as default for the network
save changes to long section properties as default for the network
edit long section tracing settings
save default settings for Street Find tool (settings may be modified, but will revert to the default settings for the next session)
save settings for node/pipe renaming options (options can be viewed and renaming can be carried out)
modify the Oracle SRID value used by the Open Data Import/Export Centre
edit Pipe Shape settings for the network
edit Standards and Choice Lists for the network
edit Custom Scheduling for the network
edit Report Template location
edit Special/Unknown node names

Collection Asset Viewer - a Collection Asset Viewer has read-only access to Collection objects in the database. A Collection Asset Viewer cannot carry out any editing on collection objects but may be able to carry out other operations that do not alter the underlying data.

A Collection Asset Viewer can create and use:

Distribution Asset Owner - a Distribution Asset Owner has full edit and delete powers over Distribution objects in that Asset Group.
- Only Database Owners can create Asset Groups at the top level of the database. Asset Group Owners can create additional Asset Groups within the group they own.
- By default, Asset Groups at the top level have no Owners.
- Ownership of Asset Groups is recursive. Owners of an Asset Group will also have ownership of Asset Groups within the Asset Group
- A Distribution Asset Owner cannot delete an Asset Group if it contains Collection objects (unless the user is also a Collection Asset Owner of the group) or Asset Network objects (unless the user is also an Asset Network Owner of the group).
- A Distribution Asset Owner cannot create or edit Collection objects in the Asset Group (unless the user is also a Collection Asset Owner of the group) or Asset Network objects (unless the user is also an Asset Network Owner of the group) in the Asset Group.

Distribution Asset User a Distribution Asset User has edit powers over Distribution database items, but cannot create or delete distribution items or carry out any actions that will modify network preferences.

The actions that cannot be carried out by the Distribution Asset User are:

save coordinate system for the GeoPlan (the coordinate system for the current GeoPlan may be modified, but will revert to the previous setting for the next session)
change the default GIS layers that open with the GeoPlan (current layers may be modified)
save changes to properties and themes for the GeoPlan as default for the network
save changes to long section properties as default for the network
save default settings for Street Find tool (settings may be modified, but will revert to the default settings for the next session)
save settings for node/pipe renaming options (options can be viewed and renaming can be carried out)
modify the Oracle SRID value used by the Open Data Import/Export Centre
edit Custom Scheduling for the network
edit Report Template location
edit Special/Unknown node names

Distribution Asset Viewer - a Distribution Asset Viewer has read-only access to Distribution objects in the database. A Distribution Asset Viewer cannot carry out any editing on distribution objects but may be able to carry out other operations that do not alter the underlying data.

A Distribution Asset Viewer can create and use:

Asset Network Owner - an Asset Network Owner has full edit and delete powers over Asset Network objects in that Asset Group.
- Only Database Owners can create Asset Groups at the top level of the database. Asset Group Owners can create additional Asset Groups within the group they own.
- By default, Asset Groups at the top level have no Owners.
- Ownership of Asset Groups is recursive. Owners of an Asset Group will also have ownership of Asset Groups within the Asset Group
- An Asset Network Owner cannot delete an Asset Group if it contains Collection objects (unless the user is also a Collection Asset Owner of the group) or Distribution objects (unless the user is also a Distribution Asset Owner of the group).
- An Asset Network Owner cannot create or edit Collection objects in the Asset Group (unless the user is also a Collection Asset Owner of the group) or Distribution objects (unless the user is also a Distribution Asset Owner of the group) in the Asset Group.

Asset Network User an Asset Network User has edit powers over Asset Network database items, but cannot create or delete asset network items or carry out any actions that will modify network preferences .

The actions that cannot be carried out by the Asset Network User are:

save coordinate system for the GeoPlan (the coordinate system for the current GeoPlan may be modified, but will revert to the previous setting for the next session)
change the default GIS layers that open with the GeoPlan (current layers may be modified)
save changes to properties and themes for the GeoPlan as default for the network
save changes to long section properties as default for the network
save default settings for Street Find tool (settings may be modified, but will revert to the default settings for the next session)
save settings for node/pipe renaming options (options can be viewed and renaming can be carried out)
modify the Oracle SRID value used by the Open Data Import/Export Centre
edit Custom Scheduling for the network
edit Report Template location
edit Special/Unknown node names

Asset Network Viewer - an Asset Network Viewer has read-only access to Asset Network objects in the database. An Asset Network Viewer cannot carry out any editing on asset network objects but may be able to carry out other operations that do not alter the underlying data.

An Asset Network Viewer can create and use:

Database User - a Database User is a user with no specific role specified for a group and has read-only access to the database.

Model Owners, Asset Owners and Asset Users are also Database Users and have read-only access to groups that they do not own. The level of restriction on viewing of data depends on the Default permission setting in the Users and Permissions Dialog:

View all data - operations that can be carried out are as above for Mode/Asset Viewer
View group contents only - the user can see objects in the tree but cannot open them. Only the properties of the objects can be viewed.

Live Owner - a Live Owner of a Live Group has full edit and delete powers over all items of a selected Live Group.

Only Database Owners can create Live Groups at the top level of the database. Live Owners can create additional Live Groups and Model Groups within the group they own.

By default, Live Groups at the top level have no Owners.

Ownership of Live Groups is recursive. Owners of a Live Group will also have full edit and delete powers over "child" Live Groups and Model Groups contained within the Live Group.

In addition Live Owners can perform all the tasks relating to manifests and manifest deployments detailed for the Live Control Room Manager role below.

There are three other Live roles further restricting powers that users may have over Live Groups. These are:

Live Control Room Manager - A Live Control Room Manager has edit powers in both ICMLive Configuration Manager and ICMLive Operator Client. The difference between Live Control Room Manager and Live Owner is that the Live Owner has full edit privileges over all items in a Live Group whereas a Live Control Room Manager can only edit manifest and manifest deployment objects contained in that Live Group.
A Live Control Room Manager can:
- edit manifests and manifest deployments contained in the selected live group.
- change the mode of operation of manifests contained in the selected live group.
- change the alert full model run trigger in the Operator Client for manifests and manifest deployments contained in the selected live group.
- generate manual runs in the Operator Client for manifests and manifest deployments contained in the selected live group.
- change action statuses within manifests contained in the selected live group.
- deploy and underploy manifest deployments contained in the selected live group.
Live User - a Live User has edit powers over Live Group items, but cannot create or delete Live Group items or carry out any actions that will modify network preferences. Please note that if Live Users can edit manifests and manifest deployments (for example, edit parameters in the Run Schedule grid of the Setup tab of the Manifest) they are not allowed to perform specific tasks on these objects such as those listed below.
The actions that cannot be carried out by the Live User are:

TSDB functionality is only available if the TSDB option is enabled on your licence.
- edit and delete time series database objects. Actions related to Time Series Database objects are permissioned separately. See TSDB roles below.
- change the mode of operation of manifests contained in the selected live group.
- change the alert full model run trigger in the Operator Client for manifests and manifest deployments contained in the selected live group.
- generate manual runs in the Operator Client for manifests and manifest deployments contained in the selected live group.
- change action statuses within manifests contained in the selected live group.
- deploy and undeploy manifest deployments contained in the selected live group.
Live Viewer - a Live Viewer of a Live Group has read-only access to that Live Group in the database. A Live Viewer cannot carry out any editing on Live Group objects but may be able to carry out other operations that do not alter the underlying data.

For an overview of the differences between the available Live roles, please refer to ICMLive User Permissions.

TSDB functionality is only available if the TSDB option is enabled on your licence.

TSDB Owner - a TSDB Owner of a Model Group has full edit and delete powers over time series database objects contained in that group ( Model Group).

TSDB Editor - a TSDB Editor of a ModelGroup can edit time series database objects contained in that group ( Model Group), but cannot add or delete data streams.

TSDB User - a TSDB User of a Model Group can create user edits for time series database objects contained in that group ( Model Group). These user edits may be used in runs but they cannot be applied to the time series database.

TSDB Viewer - a TSDB Viewer of a Model Group can view (not edit) time series database objects contained in that group ( Model Group).

Please refer to the User Permissions at action level dialog topic for more information on these roles and how to implement them.

Note: User roles for a Model Group are viewed in the Properties Dialog of the group. Note that the properties dialog will only display user roles that have been specifically appointed to that group and will not display user roles of parent groups. For example, if parent Model Group A with owner 'user1' has a sub Model Group B, 'user1' will only appear in the properties dialog for A although 'user1' will also have full edit powers over B.

Using User Permissions

All changes to user permissions are made from within InfoWorks ICM.

You can check whether user permissions are activated or not on the InfoWorks ICM About Box. It will also tell you who the Database Owners are, and if the current user is a Database Owner.

When user permissions are activated, you can tell who owns a particular Model Group by right clicking on the group and choosing Properties from the popup menu. Then change to the Owners Page of the dialog.

Tip: The properties dialog of a "child" group will only display owners that have been specifically appointed to that group and will not display owners of any parent groups. Owners of parent groups will also have full edit rights over the child group.

Enabling User Permissions

User permissions are turned on or off for the current cloud or on-premise database using the Users and Permissions Dialog, displayed by selecting the Database managementUsers and permissions option on the File menu. Only a Database Owner can turn user permissions off.

Information about the current cloud or on-premise database is recorded in the registry. This information is retained between InfoWorks ICM sessions, so you continue working with the same database next time you start InfoWorks ICM. The registry information is only changed when you open a different cloud or on-premise database.

You can run more than one instance of InfoWorks ICM on the same machine, but all of the instances must be using the same database. If you try to work with two databases at once the registry keys will become confused and you will have problems in several areas like running simulations. The simulation engine is a separate program that looks in the registry to find information about the current database.

Details of the current database can be found in the InfoWorks ICM About Box.

Check the Implement users and permissions in this database in the dialog to enable user permissions.

There are a number of database-wide settings that, by default, can be edited by all database users. These global settings can be protected, allowing only edits by Database Owners to be saved. Check the Only database owners can change database-wide settings option to restrict editing of global settings to Database Owners. (This option is only enabled if user permissions are turned on.) With this option checked the OK button on the following dialogs will be disabled for all users that are not Database Owners:

Use the Default permission is: dropdown to set the default permission for all objects in the database for Database Users that do not have specific roles specified. The options are:

View all data - the user can open objects but has read-only access.
View group contents only - the user can see objects in the tree but cannot open them. Only the properties of the objects can be viewed.

You can check on the current status of User Permissions by looking at the InfoWorks ICM About Box.

Adding Users to the Database

Only a Database Owner can add or remove users from the database or change the privileges of a current user.

With user permissions activated, choose Database management then Users and permissions from the File menu. This displays the Users and Permissions Dialog.
To add a new user, type the user name in the Username box of the New User section and click the Add button.
InfoWorks ICM uses login names to identify users, so the name typed in must match the name the user uses to log in to the computer or network.
By default, users are added with Database User privileges. You can add, or remove, Database Owner privileges by checking or unchecking the tick box next to the user's name.
To remove a user from the list completely, highlight their name on the users list and then click the Remove button.

The Database Owner who is editing User Permissions cannot alter their own permissions. They will remain as a Database Owner.

Adding a Windows group as a Database User

It is possible to add a Windows group as a Database User. Users who are members of such a Windows groups will automatically inherit the roles assigned to the group for relevant groups in the tree, in addition to the roles assigned specifically for the user.

To add a Windows group as a user, type the group name within square brackets e.g. [User-Group-1]. All users and groups must be in the same domain, which is the domain of the computer.

Adding Owners to Model Groups

Users must be added to the database as Database Users before they can be given control of Model Groups.

Only a Database Owner can give users control over a Model Group.

To make an existing Database User a Model Group Owner

If no Explorer Window is open, choose New Explorer window from the Window menu to open an Explorer Window of the current database
Right click on the Model Group and choose Advanced, then Edit group permissions from the popup menu to display the Edit Group Permissions dialog OR Manage user permissions from the popup menu to display the Manage User Permissions Dialog.
Owners can be added or removed from these dialogs.

The Edit Group Permissions Dialog is used to view and set permissions on a selected model group for multiple users.

The Manage User Permissions Dialog is used to view and set permissions of a selected user for multiple model groups within the database.

A Model Group can have any number of owners. Owners have full rights over the group, and over other Model Groups contained within the group. Additional owners may also be added to "child" groups.

When Do Changes Take Effect

If a Database Owner makes changes to InfoWorks ICM user permissions, these changes will not be applied to users who are currently using the database until they exit InfoWorks ICM and open the application again.

Permissions for Existing Databases

When using an existing database for which permissions are currently disabled, any user can turn on User Permissions for that database.

The user turning on permissions for the first time is automatically added as a Database Owner. This prevents a situation where nobody has ownership of the database and all potential users are locked out.

Getting the database identifier

In the event that it is necessary to reset user permissions for a database, it is possible to grant a user administrator access to a database via an emergency reset file.

An emergency reset file can be obtained from Innovyze. In order to generate the reset file, database identifier and user name information will be required.

If the user has access to the database, the database identifier can be obtained by opening the database and looking in the Additional Information section of the About Box.

If the user does not have access to the database, the database identifier can be obtained by the following steps:

Select the menu option FileDatabase managementGet database identifier.
The Open/Create dialog is displayed from which you can choose the type of database - cloud, workgroup or standalone - you want the identifier for.
The appropriate Open Database Dialog is then displayed. Select the database for which the identifier is to be retrieved and click OK.
A standard file save dialog will be displayed. Select a location to save the identifier file to and click Save. The identifier.dat file will contain the identifier of the selected database.

Resetting Permissions

In the event that it is necessary to reset user permissions for a database, it is possible to grant a user administrator access to a database via an emergency reset file.

An emergency reset file can be obtained from Innovyze. In order to generate the reset file, database identifier and user name information will be required.

In order to apply the emergency reset file to a database and grant administrator access to a user:

Select the menu option FileDatabase managementEmergency permissions reset.
An information message will be displayed. Click OK.

Note: Ensure that the required user name (as shown in the Users and Permissions Dialog) and the database identifier are sent to Innovyze.

The relevant Open Database dialog will be displayed. Select the database to be reset and click OK.
A standard file open dialog will be displayed. Select the reset file to be used and click Open.

User Permissions

Using User Permissions

Enabling User Permissions

Adding Users to the Database

Adding a Windows group as a Database User

Adding Owners to Model Groups

When Do Changes Take Effect

Permissions for Existing Databases

Getting the database identifier

Resetting Permissions

Related Information