The user permissions implemented by InfoAsset Manager are designed to prevent users from accidentally making changes to data they should not be editing.
A set of simple user access permissions can be applied at database level, group and individual action level.
With access permissions activated the following types of InfoAsset Manager user are available:
- Database Owner - a database owner has full administrative powers over the database:
- The creator of the database automatically becomes a Database Owner.
- There can be more than one Database Owner.
- Only Database Owners can create Asset Groups at the top level of the database.
- Only Database Owners can copy Asset Groups and then paste them at the top level.
- Only Database Owners can appoint Asset Group Owners. This is true even if the Asset Group is a sub-group of an existing Asset Group.
- Model Owner - a Model Owner of a Model Group has full edit and delete powers over that model group:
- Only Database Owners can create Model Groups at the top level of the database. Model Owners can create additional Model Groups within the group they own.
- By default, Model Groups at the top level have no Owners.
- Ownership of Model Groups is recursive. Owners of a Model Group will also have full edit and delete powers over "child" Model Groups contained within the Model Group.
- Model Viewer - a Model Viewer has read-only access to the database. A Model Viewer cannot carry out any editing but may be able to carry out other operations that do not alter the underlying data.
A Model Viewer can re-run simulations that have previously been run successfully, and create and use:
- Collection Asset Owner - a Collection Asset Owner has full edit and delete powers over Collection objects in that Asset Group:
- Only Database Owners can create Asset Groups at the top level of the database. Asset Group Owners can create additional Asset Groups within the group they own.
- By default, Asset Groups at the top level have no Owners.
- Ownership of Asset Groups is recursive. Owners of an Asset Group will also have ownership of Asset Groups within the Asset Group
- A Collection Asset Owner cannot delete an Asset Group if it contains Distribution objects (unless the user is also a Distribution Asset Owner of the group) or Asset Network objects (unless the user is also an Asset Network Owner of the group).
- A Collection Asset Owner cannot create or edit Distribution objects (unless the user is also a Distribution Asset Owner of the group) or Asset Network objects (unless the user is also an Asset Network Owner of the group) in the Asset Group.
- Collection Asset User a Collection Asset User has edit powers over Collection database items, but cannot create or delete collection items or carry out any actions that will modify
network preferences.
The actions that cannot be carried out by the Collection Asset User are:
- Save coordinate system for the GeoPlan (the coordinate system for the current GeoPlan may be modified, but will revert to the previous setting for the next session).
- Change the default GIS layers that open with the GeoPlan (current layers may be modified).
- Save changes to properties and themes for the GeoPlan as default for the network.
- Save changes to long section properties as default for the network.
- Edit long section tracing settings.
- Save default settings for Street Find tool (settings may be modified, but will revert to the default settings for the next session).
- Save settings for node/pipe renaming options (options can be viewed and renaming can be carried out).
- Modify the Oracle SRID value used by the Open Data Import/Export Centre.
- Edit Pipe Shape settings for the network.
- Edit Standards and Choice Lists for the network.
- Edit Custom Scheduling for the network.
- Edit Report Template location.
- Edit Special/Unknown node names.
- Collection Asset Viewer - a Collection Asset Viewer has read-only access to Collection objects in the database. A Collection Asset Viewer cannot carry out any editing on collection objects but may be able to carry out other operations that do not alter the underlying data.
A Collection Asset Viewer can create and use:
- Distribution Asset Owner - a Distribution Asset Owner has full edit and delete powers over Distribution objects in that Asset Group.
- Only Database Owners can create Asset Groups at the top level of the database. Asset Group Owners can create additional Asset Groups within the group they own.
- By default, Asset Groups at the top level have no Owners.
- Ownership of Asset Groups is recursive. Owners of an Asset Group will also have ownership of Asset Groups within the Asset Group
- A Distribution Asset Owner cannot delete an Asset Group if it contains Collection objects (unless the user is also a Collection Asset Owner of the group) or Asset Network objects (unless the user is also an Asset Network Owner of the group).
- A Distribution Asset Owner cannot create or edit Collection objects in the Asset Group (unless the user is also a Collection Asset Owner of the group) or Asset Network objects (unless the user is also an Asset Network Owner of the group) in the Asset Group.
- Distribution Asset User a Distribution Asset User has edit powers over Distribution database items, but cannot create or delete distribution items or carry out any actions that will modify
network preferences.
The actions that cannot be carried out by the Distribution Asset User are:
- Save coordinate system for the GeoPlan (the coordinate system for the current GeoPlan may be modified, but will revert to the previous setting for the next session).
- Change the default GIS layers that open with the GeoPlan (current layers may be modified).
- Save changes to properties and themes for the GeoPlan as default for the network.
- Save changes to long section properties as default for the network.
- Save default settings for Street Find tool (settings may be modified, but will revert to the default settings for the next session).
- Save settings for node/pipe renaming options (options can be viewed and renaming can be carried out).
- Modify the Oracle SRID value used by the Open Data Import/Export Centre.
- Edit Custom Scheduling for the network.
- Edit Report Template location.
- Edit Special/Unknown node names.
- Distribution Asset Viewer - a Distribution Asset Viewer has read-only access to Distribution objects in the database. A Distribution Asset Viewer cannot carry out any editing on distribution objects but may be able to carry out other operations that do not alter the underlying data.
A Distribution Asset Viewer can create and use:
- Asset Network Owner - an Asset Network Owner has full edit and delete powers over Asset Network objects in that Asset Group.
- Only Database Owners can create Asset Groups at the top level of the database. Asset Group Owners can create additional Asset Groups within the group they own.
- By default, Asset Groups at the top level have no Owners.
- Ownership of Asset Groups is recursive. Owners of an Asset Group will also have ownership of Asset Groups within the Asset Group
- An Asset Network Owner cannot delete an Asset Group if it contains Collection objects (unless the user is also a Collection Asset Owner of the group) or Distribution objects (unless the user is also a Distribution Asset Owner of the group).
- An Asset Network Owner cannot create or edit Collection objects in the Asset Group (unless the user is also a Collection Asset Owner of the group) or Distribution objects (unless the user is also a Distribution Asset Owner of the group) in the Asset Group.
- Asset Network User an Asset Network User has edit powers over Asset Network database items, but cannot create or delete asset network items or carry out any actions that will modify
network preferences
.
The actions that cannot be carried out by the Asset Network User are:
- Save coordinate system for the GeoPlan (the coordinate system for the current GeoPlan may be modified, but will revert to the previous setting for the next session).
- Change the default GIS layers that open with the GeoPlan (current layers may be modified).
- Save changes to properties and themes for the GeoPlan as default for the network.
- Save changes to long section properties as default for the network.
- Save default settings for Street Find tool (settings may be modified, but will revert to the default settings for the next session).
- Save settings for node/pipe renaming options (options can be viewed and renaming can be carried out).
- Modify the Oracle SRID value used by the Open Data Import/Export Centre.
- Edit Custom Scheduling for the network.
- Edit Report Template location.
- Edit Special/Unknown node names.
- Asset Network Viewer - an Asset Network Viewer has read-only access to Asset Network objects in the database. An Asset Network Viewer cannot carry out any editing on asset network objects but may be able to carry out other operations that do not alter the underlying data.
An Asset Network Viewer can create and use:
- Database User - a Database User is a user with no specific role specified for a group and has read-only access to the database.
Model Owners, Asset Owners and Asset Users are also Database Users and have read-only access to groups that they do not own. The level of restriction on viewing of data depends on the Default permission setting in the Users and Permissions Dialog:
- View all data - operations that can be carried out are as above for Mode/Asset Viewer
- View group contents only - the user can see objects in the tree but cannot open them. Only the properties of the objects can be viewed.
- Live Owner - a Live Owner of a Live Group has full edit and delete powers over all items of a selected Live Group.
ICMLive functionality is only available if the ICMLive option is enabled on your licence.
Only Database Owners can create Live Groups at the top level of the database. Live Owners can create additional Live Groups and Model Groups within the group they own.
By default, Live Groups at the top level have no Owners.
Ownership of Live Groups is recursive. Owners of a Live Group will also have full edit and delete powers over "child" Live Groups and Model Groups contained within the Live Group.
In addition Live Owners can perform all the tasks relating to manifests and manifest deployments detailed for the Live Control Room Manager role below.
There are three other Live roles further restricting powers that users may have over Live Groups. These are:- Live Control Room Manager - A Live Control Room Manager has edit powers in
InfoWorks ICM Ultimate,
ICMLive Configuration Manager and
ICMLive Operator Client. The difference between Live Control Room Manager and Live Owner is that the Live Owner has full edit privileges over all items in a Live Group whereas a Live Control Room Manager can only edit manifest and manifest deployment objects contained in that Live Group.
A Live Control Room Manager can:
- Edit manifests and manifest deployments contained in the selected live group.
- Change the mode of operation of manifests contained in the selected live group.
- Change the alert full model run trigger in the Operator Client for manifests and manifest deployments contained in the selected live group.
- Generate manual runs in the Operator Client for manifests and manifest deployments contained in the selected live group.
- Change action statuses within manifests contained in the selected live group.
- Deploy and underploy manifest deployments contained in the selected live group.
- Live User - a Live User has edit powers over Live Group items, but cannot create or delete Live Group items or carry out any actions that will modify
network preferences. Please note that if Live Users can edit manifests and manifest deployments (for example, edit parameters in the Run Schedule grid of the
Setup tab of the Manifest) they are not allowed to perform specific tasks on these objects such as those listed below.
The actions that cannot be carried out by the Live User are:
- Edit and delete time series data (TSD) objects. Actions related to
TSD objects are permissioned separately. See TSD roles below.
TSD functionality is only available if the TSD option is enabled on your licence.
- Change the mode of operation of manifests contained in the selected live group.
- Change the alert full model run trigger in the Operator Client for manifests and manifest deployments contained in the selected live group.
- Generate manual runs in the Operator Client for manifests and manifest deployments contained in the selected live group.
- Change action statuses within manifests contained in the selected live group.
- Deploy and undeploy manifest deploymentscontained in the selected live group.
- Edit and delete time series data (TSD) objects. Actions related to
TSD objects are permissioned separately. See TSD roles below.
- Live Viewer - a Live Viewer of a Live Group has read-only access to that Live Group in the database. A Live Viewer cannot carry out any editing on Live Group objects but may be able to carry out other operations that do not alter the underlying data.
- Live Control Room Manager - A Live Control Room Manager has edit powers in
InfoWorks ICM Ultimate,
ICMLive Configuration Manager and
ICMLive Operator Client. The difference between Live Control Room Manager and Live Owner is that the Live Owner has full edit privileges over all items in a Live Group whereas a Live Control Room Manager can only edit manifest and manifest deployment objects contained in that Live Group.
- TSD Owner - a Time Series Data (TSD) Owner of a Asset Group has full edit and delete powers over TSD objects contained in that group ( Asset Group).
TSD functionality is only available if the TSD option is enabled on your licence.
- TSD Editor - a TSD Editor of a AssetGroup can edit TSD objects contained in that group ( Asset Group), but cannot add or delete data streams.
- TSD User - a TSD User of a Asset Group can create user edits for TSD objects contained in that group ( Asset Group). These user edits may be used in runs but they cannot be applied to the TSD object.
- TSD Viewer - a TSD Viewer of aAsset Group can view (not edit) TSD objects contained in that group ( Asset Group).
Using user permissions
All changes to user permissions are made from within InfoAsset Manager.
You can check whether user permissions are activated or not on the InfoAsset Manager About Box. It will also tell you who the Database Owners are, and if the current user is a Database Owner.
When user permissions are activated, you can tell who owns a particular Asset Group by right clicking on the group and choosing Properties from the popup menu. Then change to the Owners Page of the dialog.
Enabling user permissions
User permissions are turned on or off for the current
on-premise database using the
Users and Permissions dialog, displayed by selecting the Database management
Users and permissions option on the File menu. Only a
Database Owner can turn user permissions off.
Information about the current on-premise database is recorded in the registry. This information is retained between InfoAsset Manager sessions, so you continue working with the same database next time you start InfoAsset Manager. The registry information is only changed when you open a different on-premise database.
You can run more than one instance of InfoAsset Manager on the same machine, but all of the instances must be using the same database. If you try to work with two databases at once the registry keys will become confused and you will have problems in several areas like running simulations. The simulation engine is a separate program that looks in the registry to find information about the current database.
Details of the current database can be found in the InfoAsset Manager About Box.
Check Implement users and permissions in this database in the dialog to enable user permissions.
There are a number of database-wide settings that, by default, can be edited by all database users. These global settings can be protected, allowing only edits by Database Owners to be saved. Check the Only database owners can change database-wide settings option to restrict editing of global settings to Database Owners. (This option is only enabled if user permissions are turned on.) With this option checked the OK button on the following dialogs will be disabled for all users that are not Database Owners:
- User Defined Flags Dialog
- User Defined Field Names Dialog
- Default Logo Dialog
- Shared Custom Actions Dialog
- Standards and Choice Lists Dialog
- Pipe Shapes Dialog
Use the Default permission is: dropdown to set the default permission for all objects in the database for Database Users that do not have specific roles specified. The options are:
- View all data - the user can open objects but has read-only access.
- View group contents only - the user can see objects in the tree but cannot open them. Only the properties of the objects can be viewed.
You can check on the current status of User Permissions by looking at the InfoAsset Manager About Box.
Adding users to the database
Only a Database Owner can add or remove users from the database or change the privileges of a current user.
- With user permissions activated, choose Database management then Users and permissions from the File menu. This displays the Users and Permissions dialog.
- To add a new user, type the user name in the Username box of the New User section and click the Add button.
InfoAsset Manager uses login names to identify users, so the name typed in must match the name the user uses to log in to the computer or network.
- By default, users are added with Database User privileges. You can add, or remove, Database Owner privileges by checking or unchecking the tick box next to the user's name.
- To remove a user from the list completely, highlight their name on the users list and then click the Remove button.
The Database Owner who is editing User Permissions cannot alter their own permissions. They will remain as a Database Owner.
Adding a Windows group as a Database User
It is possible to add a Windows group as a Database User. Users who are members of such a Windows groups will automatically inherit the roles assigned to the group for relevant groups in the tree, in addition to the roles assigned specifically for the user.
To add a Windows group as a user, type the group name within square brackets e.g. [User-Group-1]. All users and groups must be in the same domain, which is the domain of the computer.
Adding Owners to Asset Groups
Users must be added to the database as Database Users before they can be given control of Asset Groups.
Only a Database Owner can give users control over a Asset Group.
To make an existing Database User a Asset Group Owner
- If no Explorer Window is open, choose New Explorer window from the Window menu to open an Explorer Window of the current database
- Right click on the Asset Group and choose Advanced, then Edit group permissions from the popup menu to display the Edit Group Permissions dialog OR Manage user permissions from the popup menu to display the Manage User Permissions dialog.
- Owners can be added or removed from these dialogs.
The Edit Group Permissions dialog is used to view and set permissions on a selected asset group for multiple users.
The Manage User Permissions dialog is used to view and set permissions of a selected user for multiple asset groups within the database.
A Asset Group can have any number of owners. Owners have full rights over the group, and over other Asset Groups contained within the group. Additional owners may also be added to "child" groups.
When do changes take effect?
If a Database Owner makes changes to InfoAsset Manager user permissions, these changes will not be applied to users who are currently using the database until they exit InfoAsset Manager and open the application again.
Permissions for existing databases
When using an existing database for which permissions are currently disabled, any user can turn on User Permissions for that database.
The user turning on permissions for the first time is automatically added as a Database Owner. This prevents a situation where nobody has ownership of the database and all potential users are locked out.
Getting the database identifier
In the event that it is necessary to reset user permissions for a database, it is possible to grant a user administrator access to a database via an emergency reset file.
An emergency reset file can be obtained from Innovyze. In order to generate the reset file, database identifier and user name information will be required.
If the user has access to the database, the database identifier can be obtained by opening the database and looking in the Additional Information section of the About Box.
If the user does not have access to the database, the database identifier can be obtained by the following steps:
- Select the menu option FileDatabase managementGet database identifier.
- The Open/Create dialog is displayed from which you can choose the type of database - workgroup or standalone - you want the identifier for.
- The appropriate Open Database dialog is then displayed. Select the database for which the identifier is to be retrieved and click OK.
- A standard file save dialog will be displayed. Select a location to save the identifier file to and click Save. The identifier.dat file will contain the identifier of the selected database.
Resetting permissions
In the event that it is necessary to reset user permissions for a database, it is possible to grant a user administrator access to a database via an emergency reset file.
An emergency reset file can be obtained from Innovyze. In order to generate the reset file, database identifier and user name information will be required.
In order to apply the emergency reset file to a database and grant administrator access to a user:
- Select the menu option FileDatabase managementEmergency permissions reset.
- An information message will be displayed. Click OK.
- The relevant Open Database dialog will be displayed. Select the database to be reset and click OK.
- A standard file open dialog will be displayed. Select the reset file to be used and click Open.
Network role-based write permissions
In addition to the user permissions described above, there is another type of permission that can be granted to asset network users by database owners. These permissions apply to the whole database or to a specific asset network only. Such permissions are associated with network roles, allowing database owners to place restrictions on certain users. Users can be prevented from creating and deleting network objects, as well as from writing to particular fields.
These permissions can only be implemented for databases where network roles have been
enabled. This is achieved by enabling the Implement network roles for asset networks in this database option of the
Users and Permissions Dialog. The assignment of one or more network roles per user is carried out by database owners in the
Users and network roles Dialog, which is accessible via the Database managementUsers and network roles option of the File menu. Roles are configured in the
Network roles and write permissions dialog that gets displayed when the Network roles button is clicked in the Users and network roles dialog. All
InfoAsset Manager data still remains visible to all users but with the use of these network roles, certain fields and the creation/deletion of network objects can be restricted.