The user permissions implemented by InfoWorks ICM are designed to prevent users from accidentally making changes to data they should not be editing.
A set of simple user access permissions can be applied at database level, group and individual action level.
With access permissions activated the following types of InfoWorks ICM user are available:
- Database Owner - a database owner has full administrative powers over the database:
- The creator of the database automatically becomes a Database Owner
- There can be more than one Database Owner
- Only Database Owners can create Model Groups at the top level of the database
- Only Database Owners can copy Model Groups and then paste them at the top level
- Only Database Owners can appoint Model Group Owners. This is true even if the Model Group is a sub-group of an existing Model Group.
- Model Owner - a Model Owner of a Model Group has full edit and delete powers over that model group:
- Only Database Owners can create Model Groups at the top level of the database. Model Owners can create additional Model Groups within the group they own.
- By default, Model Groups at the top level have no Owners.
- Ownership of Model Groups is recursive. Owners of a Model Group will also have full edit and delete powers over "child" Model Groups contained within the Model Group.
- Model Viewer - a Model Viewer has read-only access to the database. A Model Viewer cannot carry out any editing but may be able to carry out other operations that do not alter the underlying data.
A Model Viewer can re-run simulations that have previously been run successfully, and create and use:
- Collection Asset Owner - a Collection Asset Owner has full edit and delete powers over Collection objects in that Asset Group:
- Only Database Owners can create Asset Groups at the top level of the database. Asset Group Owners can create additional Asset Groups within the group they own.
- By default, Asset Groups at the top level have no Owners.
- Ownership of Asset Groups is recursive. Owners of an Asset Group will also have ownership of Asset Groups within the Asset Group.
- A Collection Asset Owner cannot delete an Asset Group if it contains Distribution objects (unless the user is also a Distribution Asset Owner of the group) or Asset Network objects (unless the user is also an Asset Network Owner of the group).
- A Collection Asset Owner cannot create or edit Distribution objects (unless the user is also a Distribution Asset Owner of the group) or Asset Network objects (unless the user is also an Asset Network Owner of the group) in the Asset Group.
- Collection Asset User - a Collection Asset User has edit powers over Collection database items, but cannot create or delete collection items or carry out any actions that will modify network preferences.
The actions that cannot be carried out by the Collection Asset User are:
- save coordinate system for the GeoPlan (the coordinate system for the current GeoPlan may be modified, but will revert to the previous setting for the next session)
- change the default GIS layers that open with the GeoPlan (current layers may be modified)
- save changes to properties and themes for the GeoPlan as default for the network
- save changes to long section properties as default for the network
- edit long section tracing settings
- save default settings for Street Find tool (settings may be modified, but will revert to the default settings for the next session)
- save settings for node/pipe renaming options (options can be viewed and renaming can be carried out)
- modify the Oracle SRID value used by the Open Data Import/Export Centre
- edit Pipe Shape settings for the network
- edit Standards and Choice Lists for the network
- edit Custom Scheduling for the network
- edit Report Template location
- edit Special/Unknown node names
- Collection Asset Viewer - a Collection Asset Viewer has read-only access to Collection objects in the database. A Collection Asset Viewer cannot carry out any editing on collection objects but may be able to carry out other operations that do not alter the underlying data.
A Collection Asset Viewer can create and use:
- Distribution Asset Owner - a Distribution Asset Owner has full edit and delete powers over Distribution objects in that Asset Group.
- Only Database Owners can create Asset Groups at the top level of the database. Asset Group Owners can create additional Asset Groups within the group they own.
- By default, Asset Groups at the top level have no Owners.
- Ownership of Asset Groups is recursive. Owners of an Asset Group will also have ownership of Asset Groups within the Asset Group.
- A Distribution Asset Owner cannot delete an Asset Group if it contains Collection objects (unless the user is also a Collection Asset Owner of the group) or Asset Network objects (unless the user is also an Asset Network Owner of the group).
- A Distribution Asset Owner cannot create or edit Collection objects in the Asset Group (unless the user is also a Collection Asset Owner of the group) or Asset Network objects (unless the user is also an Asset Network Owner of the group) in the Asset Group.
- Distribution Asset User - a Distribution Asset User has edit powers over Distribution database items, but cannot create or delete distribution items or carry out any actions that will modify network preferences.
The actions that cannot be carried out by the Distribution Asset User are:
- save coordinate system for the GeoPlan (the coordinate system for the current GeoPlan may be modified, but will revert to the previous setting for the next session)
- change the default GIS layers that open with the GeoPlan (current layers may be modified)
- save changes to properties and themes for the GeoPlan as default for the network
- save changes to long section properties as default for the network
- save default settings for Street Find tool (settings may be modified, but will revert to the default settings for the next session)
- save settings for node/pipe renaming options (options can be viewed and renaming can be carried out)
- modify the Oracle SRID value used by the Open Data Import/Export Centre
- edit Custom Scheduling for the network
- edit Report Template location
- edit Special/Unknown node names
- Distribution Asset Viewer - a Distribution Asset Viewer has read-only access to Distribution objects in the database. A Distribution Asset Viewer cannot carry out any editing on distribution objects but may be able to carry out other operations that do not alter the underlying data.
A Distribution Asset Viewer can create and use:
- Asset Network Owner - an Asset Network Owner has full edit and delete powers over Asset Network objects in that Asset Group.
- Only Database Owners can create Asset Groups at the top level of the database. Asset Group Owners can create additional Asset Groups within the group they own.
- By default, Asset Groups at the top level have no Owners.
- Ownership of Asset Groups is recursive. Owners of an Asset Group will also have ownership of Asset Groups within the Asset Group.
- An Asset Network Owner cannot delete an Asset Group if it contains Collection objects (unless the user is also a Collection Asset Owner of the group) or Distribution objects (unless the user is also a Distribution Asset Owner of the group).
- An Asset Network Owner cannot create or edit Collection objects in the Asset Group (unless the user is also a Collection Asset Owner of the group) or Distribution objects (unless the user is also a Distribution Asset Owner of the group) in the Asset Group.
- Asset Network User - an Asset Network User has edit powers over Asset Network database items, but cannot create or delete asset network items or carry out any actions that will modify network preferences.
The actions that cannot be carried out by the Asset Network User are:
- save coordinate system for the GeoPlan (the coordinate system for the current GeoPlan may be modified, but will revert to the previous setting for the next session)
- change the default GIS layers that open with the GeoPlan (current layers may be modified)
- save changes to properties and themes for the GeoPlan as default for the network
- save changes to long section properties as default for the network
- save default settings for Street Find tool (settings may be modified, but will revert to the default settings for the next session)
- save settings for node/pipe renaming options (options can be viewed and renaming can be carried out)
- modify the Oracle SRID value used by the Open Data Import/Export Centre
- edit Custom Scheduling for the network
- edit Report Template location
- edit Special/Unknown node names
- Asset Network Viewer - an Asset Network Viewer has read-only access to Asset Network objects in the database. An Asset Network Viewer cannot carry out any editing on asset network objects but may be able to carry out other operations that do not alter the underlying data.
An Asset Network Viewer can create and use:
- Database User - a Database User is a user with no specific role specified for a group and has read-only access to the database.
Model Owners, Asset Owners and Asset Users are also Database Users and have read-only access to groups that they do not own. The level of restriction on viewing of data depends on the Default permission setting in the Users and Permissions Dialog:
- View all data - operations that can be carried out are as above for Model/Asset Viewer
- View group contents only - the user can see objects in the tree but cannot open them. Only the properties of the objects can be viewed.
- Live Owner - a Live Owner of a Live Group has full edit and delete powers over all items of a selected Live Group.
Only Database Owners can create Live Groups at the top level of the database. Live Owners can create additional Live Groups and Model Groups within the group they own.
By default, Live Groups at the top level have no Owners.
Ownership of Live Groups is recursive. Owners of a Live Group will also have full edit and delete powers over "child" Live Groups and Model Groups contained within the Live Group.
In addition Live Owners can perform all the tasks relating to manifests and manifest deployments detailed for the Live Control Room Manager role below.
There are three other Live roles further restricting powers that users may have over Live Groups. These are:
- Live Control Room Manager - A Live Control Room Manager has edit powers in both ICMLive Configuration Manager and ICMLive Operator Client. The difference between Live Control Room Manager and Live Owner is that the Live Owner has full edit privileges over all items in a Live Group whereas a Live Control Room Manager can only edit manifest and manifest deployment objects contained in that Live Group.
A Live Control Room Manager can:
- edit manifests and manifest deployments contained in the selected live group.
- change the mode of operation of manifests contained in the selected live group.
- change the alert full model run trigger in the Operator Client for manifests and manifest deployments contained in the selected live group.
- generate manual runs in the Operator Client for manifests and manifest deployments contained in the selected live group.
- change action statuses within manifests contained in the selected live group.
- deploy and undeploy manifest deployments contained in the selected live group.
- Live User - a Live User has edit powers over Live Group items, but cannot create or delete Live Group items or carry out any actions that will modify network preferences. Please note that although Live Users can edit manifests and manifest deployments (for example, edit parameters in the Run Schedule grid of the Setup tab of the Manifest), they are not allowed to perform specific tasks on these objects such as those listed below.
The actions that cannot be carried out by the Live User are:
TSD functionality is only available if the TSD option is enabled on your licence.
- Edit and delete time series data (TSD) objects. Actions related to TSD objects are permissioned separately. See TSD roles below.
- Change the mode of operation of manifests contained in the selected live group.
- Change the alert full model run trigger in the Operator Client for manifests and manifest deployments contained in the selected live group.
- Generate manual runs in the Operator Client for manifests and manifest deployments contained in the selected live group.
- Change action statuses within manifests contained in the selected live group.
- Deploy and undeploy manifest deployments contained in the selected live group.
- Live Viewer - a Live Viewer of a Live Group has read-only access to that Live Group in the database. A Live Viewer cannot carry out any editing on Live Group objects but may be able to carry out other operations that do not alter the underlying data.
For an overview of the differences between the available Live roles, please refer to ICMLive User Permissions.
TSD functionality is only available if the TSD option is enabled on your licence.
- TSD Owner - a Time Series Data (TSD) Owner of a Model Group has full edit and delete powers over TSD objects contained in that group (Model Group).
- TSD Editor - a TSD Editor of a Model Group can edit TSD objects contained in that group (Model Group), but cannot add or delete data streams.
- TSD User - a TSD User of a Model Group can create user edits for TSD objects contained in that group (Model Group). These user edits may be used in runs but they cannot be applied to the TSD object.
- TSD Viewer - a TSD Viewer of a Model Group can view (not edit) TSD objects contained in that group (Model Group).
Please refer to the User Permissions at action level dialog topic for more information on these roles and how to implement them.
Using user permissions
All changes to user permissions are made from within InfoWorks ICM.
You can check whether user permissions are activated or not on the InfoWorks ICM About Box. It will also tell you who the Database Owners are, and if the current user is a Database Owner.
When user permissions are activated, you can tell who owns a particular Model Group by right clicking on the group and choosing Properties from the popup menu. Then change to the Owners Page of the dialog.
Enabling user permissions
User permissions are turned on or off for the current cloud or on-premise database using the Users and Permissions Dialog, displayed by selecting the Database management > Users and permissions option on the File menu. Only a Database Owner can turn user permissions off.
Information about the current cloud or on-premise database is recorded in the registry. This information is retained between InfoWorks ICM sessions, so you continue working with the same database next time you start InfoWorks ICM. The registry information is only changed when you open a different cloud or on-premise database.
You can run more than one instance of InfoWorks ICM on the same machine, but all of the instances must be using the same database. If you try to work with two databases at once the registry keys will become confused and you will have problems in several areas like running simulations. The simulation engine is a separate program that looks in the registry to find information about the current database.
Details of the current database can be found in the InfoWorks ICM About Box.
Check Implement users and permissions in this database in the dialog to enable user permissions.
There are a number of database-wide settings that, by default, can be edited by all database users. These global settings can be protected, allowing only edits by Database Owners to be saved. Check the Only database owners can change database-wide settings option to restrict editing of global settings to Database Owners. (This option is only enabled if user permissions are turned on.) With this option checked the OK button on the following dialogs will be disabled for all users that are not Database Owners:
- Set Remote Roots Dialog
- User Defined Flags Dialog
- User Defined Field Names Dialog
- Default Logo Dialog
- Shared Custom Actions Dialog
Use the Default permission is: dropdown to set the default permission for all objects in the database for Database Users that do not have specific roles specified. The options are:
- View all data - the user can open objects but has read-only access.
- View group contents only - the user can see objects in the tree but cannot open them. Only the properties of the objects can be viewed.
You can check on the current status of User Permissions by looking at the InfoWorks ICM About Box.
Adding users to the database
Only a Database Owner can add or remove users from the database or change the privileges of a current user.
- With user permissions activated, choose Database management then Users and permissions from the File menu. This displays the Users and Permissions Dialog.
- To add a new user, type the user name in the Username box of the New User section and click the Add button.
InfoWorks ICM uses login names to identify users, so the name typed in must match the name the user uses to log in to the computer or network.
- By default, users are added with Database User privileges. You can add, or remove, Database Owner privileges by checking or unchecking the tick box next to the user's name.
- To remove a user from the list completely, highlight their name on the users list and then click the Remove button.
The Database Owner who is editing User Permissions cannot alter their own permissions. They will remain as a Database Owner.
Adding a Windows group as a Database User
It is possible to add a Windows group as a Database User. Users who are members of such a Windows group will automatically inherit the roles assigned to the group for relevant groups in the tree, in addition to the roles assigned specifically for the user.
To add a Windows group as a user, type the group name within square brackets e.g. [User-Group-1]. All users and groups must be in the same domain, which is the domain of the computer.
Adding Owners to Model Groups
Users must be added to the database as Database Users before they can be given control of Model Groups.
Only a Database Owner can give users control over a Model Group.
To make an existing Database User a Model Group Owner
- If no Explorer Window is open, choose New Explorer window from the Window menu to open an Explorer Window of the current database
- Right click on the Model Group and choose Advanced, then Edit group permissions from the popup menu to display the Edit Group Permissions dialog OR Manage user permissions from the popup menu to display the Manage User Permissions Dialog.
- Owners can be added or removed from these dialogs.
The Edit Group Permissions Dialog is used to view and set permissions on a selected model group for multiple users.
The Manage User Permissions Dialog is used to view and set permissions of a selected user for multiple model groups within the database.
A Model Group can have any number of owners. Owners have full rights over the group, and over other Model Groups contained within the group. Additional owners may also be added to "child" groups.
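The rules above (recursive Model Group ownership, bracketed Windows groups whose members inherit the group's roles, and the Default permission for everyone else) can be checked offline against a small model when reviewing who effectively controls a group. This is an added example, not InfoWorks ICM code or an Innovyze API; every user, Windows group and Model Group name is constructed, and the "not a database user" result is an assumption of this model rather than documented product behaviour.

```python
"""Added example: resolve effective Model Group ownership under the rules above."""

# Constructed sample data (not from a real database).
GROUP_PARENT = {                      # Model Group -> parent (None = top level)
    "Catchment A": None,
    "Catchment A/Design": "Catchment A",
    "Catchment A/Design/2024": "Catchment A/Design",
    "Catchment B": None,
}
# Entries in the users list -> True if ticked as Database Owner.
DATABASE_USERS = {"alice": True, "bob": False, "carol": False, "[Modellers]": False}
GROUP_OWNERS = {                      # Model Group -> entries appointed as Owners
    "Catchment A": {"bob"},
    "Catchment A/Design": {"[Modellers]"},
}
WINDOWS_GROUPS = {"[Modellers]": {"carol", "dave"}}   # group -> member logins
DEFAULT_PERMISSION = "View group contents only"


def principals_for(login):
    """The login itself plus every bracketed Windows group it belongs to."""
    return {login} | {g for g, members in WINDOWS_GROUPS.items() if login in members}


def ancestors(group):
    """Yield the group, then each enclosing Model Group up to the top level."""
    while group is not None:
        yield group
        group = GROUP_PARENT[group]


def effective_access(login, group):
    """Return (access, reason) for one login on one Model Group."""
    known = principals_for(login) & DATABASE_USERS.keys()
    if not known:
        # Assumption of this model: report logins with no matching entry.
        return ("not a database user", "no matching user or Windows group entry")
    for p in sorted(known):
        if DATABASE_USERS[p]:
            return ("full", f"{p} is a Database Owner")
    # Ownership is recursive: an owner of any enclosing group owns this one.
    for g in ancestors(group):
        hit = sorted(known & GROUP_OWNERS.get(g, set()))
        if hit:
            how = "directly" if g == group else f"inherited from {g}"
            return ("full", f"{hit[0]} owns this group ({how})")
    return ("read-only: " + DEFAULT_PERMISSION, "Database User default")


def audit():
    """Effective access for every known login on every Model Group."""
    logins = {p for p in DATABASE_USERS if not p.startswith("[")}
    logins |= set().union(*WINDOWS_GROUPS.values())
    return {(l, g): effective_access(l, g)
            for l in sorted(logins) for g in GROUP_PARENT}


if __name__ == "__main__":
    for (login, group), (access, reason) in audit().items():
        print(f"{login:6} {group:26} {access:38} {reason}")
```

The row for `dave` is the one to look for in a real review: he never appears in the users list, yet owns `Catchment A/Design` and everything beneath it through `[Modellers]`.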
When do changes take effect?
If a Database Owner makes changes to InfoWorks ICM user permissions, these changes will not be applied to users who are currently using the database until they exit InfoWorks ICM and open the application again.
Permissions for existing databases
When using an existing database for which permissions are currently disabled, any user can turn on User Permissions for that database.
The user turning on permissions for the first time is automatically added as a Database Owner. This prevents a situation where nobody has ownership of the database and all potential users are locked out.
Getting the database identifier
In the event that it is necessary to reset user permissions for a database, it is possible to grant a user administrator access to a database via an emergency reset file.
An emergency reset file can be obtained from Innovyze. In order to generate the reset file, database identifier and user name information will be required.
If the user has access to the database, the database identifier can be obtained by opening the database and looking in the Additional Information section of the About Box.
If the user does not have access to the database, the database identifier can be obtained by the following steps:
- Select the menu option File > Database management > Get database identifier.
- The Open/Create dialog is displayed from which you can choose the type of database - cloud, workgroup or standalone - you want the identifier for.
- The appropriate Open Database Dialog is then displayed. Select the database for which the identifier is to be retrieved and click OK.
- A standard file save dialog will be displayed. Select a location to save the identifier file to and click Save. The identifier.dat file will contain the identifier of the selected database.
Resetting Permissions
In the event that it is necessary to reset user permissions for a database, it is possible to grant a user administrator access to a database via an emergency reset file.
An emergency reset file can be obtained from Innovyze. In order to generate the reset file, database identifier and user name information will be required.
In order to apply the emergency reset file to a database and grant administrator access to a user:
- Select the menu option File > Database management > Emergency permissions reset.
- An information message will be displayed. Click OK.
- The relevant Open Database dialog will be displayed. Select the database to be reset and click OK.
- A standard file open dialog will be displayed. Select the reset file to be used and click Open.