Authorizing users

1. General

Users in Workplace Management need to be given specific authorizations to access and use specific parts of Workplace Management. This ensures that a user can only see and edit objects or handle tasks for which they are deliberately authorized.

For example, end users can be authorized to create reservations only. Still, other users (considered ‘key users’) can also be authorized to create new buildings and areas to reserve.

Users are always authorized using ‘system groups’. A system group (which is also an object in WPM, just like the users) can give access to all elements within Workplace Management. For example:

  • Startboard and navigation menu options (e.g. create a new reservation, search assets, etc),

  • Objects

  • Object categories

  • Fields

  • Functions (no access, view or edit)

  • Tasks in a workflow (e.g. the task to handle a request).

Workplace Management comes with a predefined list of system groups. Examples of system groups are:

  • Create requests 

  • View contacts

  • Edit Assets

  • Contract manager

The available system groups can be found via the administrator startboard. Each system group contains a description of the access this system group gives to a user.

Overview of system groups

A user can be assigned one or more system groups, either directly or through the use of user profiles. More information about user profiles, system groups, and related topics is provided below.

2. User profiles

Each user in Workplace Management needs a user profile to use the system. The user profile determines the navigation menu, the startboard, and some user interface settings and has a list of system groups that provide specific access to modules, functions, and overviews.

N.B.: By adding the relevant system groups to a user profile, the other settings (such as the startboard, navigation menu, and user interface settings) on the user profile are automatically determined.

Example user profile

2.2 Navigation menu and Startboard

As also seen in the screenshot above, the user profile determines the navigation menu and the startboard a user will see. For a general explanation of the navigation menu and startboard, see Navigation and startboard.

Navigation menu

On a user profile, the 'Navigation menu' is either filled in with the default navigation menu (FMBNavigationMenu), or it is left empty. A user profile without a navigation menu occurs because end users often require a more portal-like look and feel without a navigation menu.

Whether the user profile gets the default navigation menu or no navigation menu is automatically determined by the system groups linked to the user profile. If a user profile only contains system groups related to end users (e.g. create reservation, create visitors, create requests), the user profile's navigation menu is left empty.

If any of the key user system groups, which do require a navigation menu, is linked to the user profile, the default navigation menu is automatically linked to the user profile.

Which navigation menu options are actually visible to the user depends on the system groups linked to the user (directly, via the default user profile or via additional user profiles).

Startboard

On a user profile, the 'Startboard' for every non-administrator profile is always set to the default Workplace Management startboard (WorkplaceManagementStartBoard). The administrator profile (the only profile available from the start) has its own startboard. Adding the administrator startboard options to the default user startboard as tabs would make that startboard very complex to navigate for new administrators. This is the main reason for having a separate startboard for administrators.

The buttons, overviews, and module-specific tabs a user sees on the startboard depend on the system groups linked to the user (directly, via the default user profile or via additional user profiles), similar to the navigation menu options.

If a user has access to multiple modules with corresponding startboard tabs, you can change the default startboard tab. This option (only available to users with multiple startboard tabs) is in the user profile, as a dropdown menu: different startboard tab.

*Custom navigation menus and startboards are possible. Still, it is strongly advised not to use them, as any new module or menu option will not be available in these custom navigation menus or startboards. Only in very specific custom situations can a complete custom navigation menu and/or startboard be the better option.

2.3 Assigning user profiles

There is a difference between setting a default user profile for a user and assigning additional user profiles to a user.

  • In the field 'Default user profile', one default profile must be set. This user profile is used to determine the startboard, navigation menu, and profile-related user interface settings for this user (next to obviously applying the authorizations provided by the linked system groups).

  • It is also possible to use the button 'Assign additional user profiles' on a user to assign additional user profiles. A user profile assigned to a user as an additional user profile is only used to determine the additional authorizations applicable to the user provided by the linked system groups. However, all other settings of this profile are ignored, such as the startboard, navigation menu, and user profile user interface settings.

 

Adding additional user profiles can be useful if users have combined responsibilities. For example, a user may have a default reservation coordinator profile to manage reservations and also have additional responsibilities to manage contracts and create invoices. Therefore, this second profile is assigned via the 'Assign additional profiles' option. However, most users will probably only need one profile, and therefore only the default user profile is relevant.

2.4. Creating and managing user profiles

Unlike system groups, user profiles must be created on the customer level.

N.B.: Within Workplace Management, there does exist a single default user profile designed for administrators, granting access to all options within the system.

The need for creating user profiles on the customer level stems from the highly customer-specific nature of these user profiles. User profiles represent unique system group combinations tailored to individual customer requirements.

For instance, one customer may require user profiles for their service desk employees who handle requests, create visitors, and manage purchase orders. On the other hand, another customer using the request module may have a service desk profile without the ability to create purchase orders, reflecting their specific usage needs.

For more information about how to actually create and assign the user profiles, see the chapter below: Authorizing users | 5. User profile management dashboard

2.5 Example user profile

Below is an example of how user profiles might be structured for a customer using the modules: Request, Reservations, and Contracts:

 

  • User Profile 1: End user profile

    • Containing the following System groups

      • 'Create Requests' → Gives the access to create a new request and see requests submitted by you

      • ‘Create Reservations’ → Gives access to create a new reservation and see requests submitted by you

  • User Profile 2: IT servicedesk profile

    • Containing the following System groups

      • 'Create Requests' → Same as for end users, as every employee is allowed to create requests

      • ‘Create Reservations’ → Same as for end users, as every employee is allowed to create reservations

      • ‘Service desk employee’ → General group that gives access to startboard tab for servicedesk and gives access to workflow tasks in request workflow

      • 'IT service desk' → A customer-specific group created during the Request module activation based on customer input. This group gives tasks to handle the requests specifically assigned to this group (based on the problem type in the request)

  • User Profile 3: Facility servicedesk profile

    • Containing the following System groups

      • 'Create Requests' → Same as for end users, as every employee is allowed to create requests

      • ‘Create Reservations’ → Same as for end users, as every employee is allowed to create reservations

      • ‘Service desk employee’ → General group that gives access to startboard tab for servicedesk and gives access to workflow tasks in request workflow

      • 'Facility servicedesk' → Same as IT servicedesk, but for Facility related requests

  • User Profile 4: Reservation coordinator profile

    • Containing the following System groups

      • 'Create Requests' → Same as for end users, as every employee is allowed to create requests

      • ‘Create Reservations’ → Same as for end users, as every employee is allowed to create reservations

      • ‘Reservation coordinator’ → Gives access to tasks in reservation workflow and to manage additional reservation-related objects

  • User profile 5: Contract manager profile

    • Containing the following System groups

      • 'Create Requests' → Same as for end users, as every employee is allowed to create requests

      • ‘Create Reservations’ → Same as for end users, as every employee is allowed to create reservations

      • ‘Contract manager’ → Gives access to the contract module to create and manage contracts.

These profiles serve as examples. If the same users are responsible for managing both the service desk and reservations for a customer, it's advisable to consolidate these profiles into one, incorporating all relevant system groups into a single profile. This approach saves time by creating and managing only one profile and assigning it to relevant users.

Note: Instead of adding end-user system groups to every key user profile, another approach is to assign the end-user profile to every key user in addition to their primary key user profile. However, this method typically requires significantly more effort due to the higher number of users than profiles.

3. System groups

System groups in Workplace Management become available to assign after the corresponding module has been activated. For example, if the client does not use the requests module, then the group ‘Create requests’ won’t be available to assign. The systems administrator first needs to activate all relevant modules to activate the relevant system groups via the module activations (see: Module activation).

If only a specific group is needed for a specific user, a system group can be assigned to a user directly (without the use of user profiles). Otherwise, user profiles are often a more manageable way of authorizing users, as you can combine system groups and thus assign a combination of system groups to users in one go via a user profile.

Assigning system groups to a user directly is done via the user page, using the function ‘Assign group’.

3.1 Contextual access

Another reason to assign system groups directly to users would be to give the user the specific authorizations that the system group provides but in the context of a building, area, or asset. This can, for instance, be used to give a user only edit rights on a specific building instead of all the buildings.

Giving a user the system group ‘3. edit buildings’ in general (via the user directly or via a user profile) will make sure the user can edit every building (assuming a full user license). But by enabling ‘Contextual access to buildings and areas’ (Module settings → Buildings and areas), a new tab becomes available on a building, in which a user can be given some of the view and edit system groups related to buildings, areas and assets. The access that this system group enables then only applies to this context (e.g., this building). For more information on this subject, see:

Contextual access to building and areas
Master data: Buildings and areas module activation and information
Master data: Assets module activation and information

3.2 Default system group (9. access)

Each user in the system will always automatically get the system group ‘9. access’. This system group does not actually provide any access, but every user must have at least one system group assigned to them directly; otherwise it is not possible to use the system (due to technical reasons). Do not remove this default group.

3.3 System groups assigned to a user are like keys on a key chain

It does not matter in which way a user has system groups linked to it:

  • System groups linked to a user profile that the user has as the default user profile

  • System groups linked to a user profile that the user has as additional user profiles

  • System groups directly linked to the user

All these system groups are added together (like keys on a keychain) when determining if a user has access to menu options, tabs, functions, modules, etc. Just like the keys on a keychain, if any of the system groups gives access, the user has access to the related part of the system. The only way to prevent a user from having access to a specific part of the system is to make sure they do not have any system group assigned that gives this access.

4. Minimum license needed

As mentioned in User licenses, the user license establishes the maximum capabilities a user can have. However, the specific functionalities available are determined by the authorizations assigned to the user. More on authorizing users can be found in: Authorizing users.

To ensure logical access control, system groups (used to authorize users) are configured with a field indicating the minimum user license required for users to utilize the group's functionalities as intended.

For example, let's consider the ‘GOB-G007 Editing buildings’ system group, which requires a full user license. Therefore, to effectively utilize this system group, a user must possess a ‘full user’ license. If a user only holds a "Requestor" or "Limited User" license, they would still be unable to edit buildings and would have view-only access.

The table below describes which (commonly used) license type suffices, depending on the ‘Minimum license required’ setting:

| Minimum license required setting | What license type does the user need to make use of this group? |
| --- | --- |
| Requestor | Requestor, Limited user, or Full user |
| Limited user | Limited user, or Full user |
| Full user | Full user |

Note: Since users may belong to multiple system groups, the minimum user license required for the user will be determined by the highest license needed among all the assigned system groups.

N.B.: Assigning a system group to a user that has a higher minimum license needed than the user has will result in a warning shown when assigning the group to the user. It will not stop the user from using the parts of the group that might be accessible based on the current license. For example, a reservation coordinator with a limited user license can still view the reservable objects but cannot edit them.
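The keychain rule from section 3.3 and the license rules from section 4 can be modelled in a few lines to review a user's effective access. This is an added example, not Workplace Management code: the dictionaries, the sample user and the minimum license assumed for each group are constructed for illustration.

```python
# Added example: a model of the rules on this page, not Workplace Management code.
# Licenses ordered from least to most capable (table in section 4).
LICENSE_RANK = {"Requestor": 0, "Limited user": 1, "Full user": 2}

# Constructed sample data. Minimum licenses per group are assumed values.
GROUP_MIN_LICENSE = {
    "9. access": "Requestor",
    "Create requests": "Requestor",
    "Create reservations": "Requestor",
    "Reservation coordinator": "Full user",
    "Contract manager": "Full user",
}
PROFILES = {
    "End user": {"Create requests", "Create reservations"},
    "Reservation coordinator": {"Create requests", "Create reservations",
                                "Reservation coordinator"},
    "Contract manager": {"Create requests", "Create reservations",
                         "Contract manager"},
}
# Constructed user: limited license, two profiles and one extra direct group.
ALEX = {
    "license": "Limited user",
    "default_profile": "Reservation coordinator",
    "additional_profiles": ["Contract manager"],
    "direct_groups": {"9. access", "Create requests"},
}


def grant_paths(user):
    """Map each system group on the user's keychain to every path granting it."""
    paths = {}
    for group in user["direct_groups"]:
        paths.setdefault(group, []).append("direct")
    for group in PROFILES[user["default_profile"]]:
        paths.setdefault(group, []).append(
            "default profile: " + user["default_profile"])
    for profile in user["additional_profiles"]:
        for group in PROFILES[profile]:
            paths.setdefault(group, []).append("additional profile: " + profile)
    return paths


def effective_groups(user):
    """Keychain rule (section 3.3): the union of all groups, whatever the path."""
    return set(grant_paths(user))


def required_license(user):
    """Highest minimum license among all assigned groups (note in section 4)."""
    return max((GROUP_MIN_LICENSE[g] for g in effective_groups(user)),
               key=LICENSE_RANK.__getitem__)


def license_warnings(user):
    """Groups needing a higher license than the user holds (warned, not blocked)."""
    held = LICENSE_RANK[user["license"]]
    return sorted(g for g in effective_groups(user)
                  if LICENSE_RANK[GROUP_MIN_LICENSE[g]] > held)


def paths_to_revoke(user, group):
    """Every assignment that must be removed before the user loses this group."""
    return grant_paths(user).get(group, [])
```

`paths_to_revoke` makes the consequence of the keychain rule concrete: removing a group from one profile does not remove the access while another profile or a direct assignment still grants it.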

4.1 Automated check when assigning a system group or profile to a user

When assigning a system group directly or via a profile to a user, it will automatically be verified if the user's license type matches the minimum required license type for the groups assigned or all groups within that profile. If the user license is insufficient, a warning is given.

5. User profile management dashboard

The 'User profile management dashboard' is an easy way for the systems administrator to create, manage, and assign user profiles to users. This option can be found on the administrator startboard for level 2 and 3 administrators.

This dashboard has the following overviews:

  1. Available user profiles:

    • Displays all the user profiles already created for this customer.

    • Includes options to easily create a new user profile and to assign the profiles to users (as the default user profile or additional user profile).

  2. Required system groups not yet assigned to a user profile:

    • Shows all available system groups that have not been assigned to any user profile but are mandatory to be assigned.

    • For each system group, it is determined if the group must be assigned to at least one user or not. This determination is based on whether the module related to this system group is used. Not having this group assigned to any user will make it impossible to use the complete process (e.g., without any user assigned a service desk group, creating requests will give errors as no user can be assigned to pick up those requests).

    • System groups can be assigned directly to selected user profiles or to all existing user profiles. For example, if the reservation module is going live and all the users already use WPM for requests, the ‘Create reservations’ system group can be assigned to every user profile in one go.

  3. Optional groups not yet assigned to a user profile:

    • Similar to the previous overview, but these groups are not mandatory (e.g., most of the ‘View’ groups). It is not mandatory to have a user who only has access to view catalog items if other users already have access to edit (and thus create) them.

    • The same options to assign the system groups to profiles are available in this overview as in the previous one.

  4. All active system groups:

    • Provides an overview of all available system groups based on the enabled modules.

    • This overview does not exclude any system groups already assigned to users.

    • The same options to assign the system groups to profiles are available in this overview as in the previous one.

Note: this dashboard is used to manage the profiles that are created in the client environment. Baseline profiles, such as the ‘Administrator Workplace Management’ profile are not available here. These profiles should not be edited.

 

5.1 Creating a new profile via the user profile management dashboard

  1. To create a user profile, click the ‘Create user profile’ button in the available user profiles.

  2. In the next screen, enter a profile name and description.

  3. In the include ‘Select system groups’, select the groups you want to add to the profile. To determine which groups need to be added to a user profile, you can fill in the authorization matrix together with the client. For more information, please read: Authorizing users | 6. User profile and Authorization matrix.

When assigning groups we follow the standard access rules. This means that giving users the group Edit buildings automatically also allows them to view and create buildings.

There is no need to give a user profile more system groups than necessary. Only assign the groups that are needed for the profile. E.g. if a supplier is allowed to add assets to a request, it is sufficient to add the group “view assets”. The group “edit assets” would give them the right to also edit all assets (you do not want this). Similarly, the group ‘edit assets’ already includes the option to view all assets by default, so there is no need to give users both system groups if the user should be able to edit assets.

After you have created all the user profiles, check the include ‘Required groups to be assigned’. This include should be empty. All groups in this include need to be assigned for all modules to work correctly. Most groups in this include obtain a workflow task and are needed to correctly run through a workflow.
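The two checks from this section (no profile holds more groups than it needs, and no required group is left unassigned) can be run over an exported matrix. This is an added example, not Workplace Management code: the CSV layout, the sample profiles and the list of required groups are assumptions constructed for illustration.

```python
# Added example, not Workplace Management code. The CSV layout is an assumed
# way of saving the exported matrix: one row per profile, "x" marks a group.
import csv
import io

# Constructed sample matrix.
MATRIX_CSV = """\
Profile,Create requests,View assets,Edit assets,Service desk employee,View contacts
End user,x,,,,
Supplier,x,x,x,,
Asset manager,x,,x,,
"""

# Edit groups already include view access (section 5.1).
IMPLIED_BY = {"Edit assets": {"View assets"}}
# Constructed for this sample: groups that must sit in at least one profile.
REQUIRED = {"Create requests", "Service desk employee"}


def load_matrix(text):
    """Return ({profile: set of groups}, [all group columns])."""
    reader = csv.DictReader(io.StringIO(text))
    all_groups = [c for c in reader.fieldnames if c != "Profile"]
    profiles = {}
    for row in reader:
        profiles[row["Profile"]] = {
            g for g in all_groups if (row[g] or "").strip().lower() == "x"}
    return profiles, all_groups


def redundant_groups(profiles):
    """Per profile, view groups that an edit group in the same profile covers."""
    findings = {}
    for name, groups in profiles.items():
        covered = set()
        for group in groups:
            covered |= IMPLIED_BY.get(group, set()) & groups
        if covered:
            findings[name] = sorted(covered)
    return findings


def unassigned(profiles, all_groups):
    """Groups in no profile, split like dashboard overviews 2 and 3."""
    assigned = set().union(*profiles.values())
    missing = [g for g in all_groups if g not in assigned]
    return {"required": [g for g in missing if g in REQUIRED],
            "optional": [g for g in missing if g not in REQUIRED]}


def profiles_with(profiles, group):
    """Profiles holding a group, for reviewing who really needs an edit group."""
    return sorted(name for name, groups in profiles.items() if group in groups)


if __name__ == "__main__":
    profiles, columns = load_matrix(MATRIX_CSV)
    print(redundant_groups(profiles))
    print(unassigned(profiles, columns))
    print(profiles_with(profiles, "Edit assets"))
```

In the sample, the Supplier profile shows up both as holding a redundant view group and as a holder of ‘Edit assets’, which is the supplier case this section advises against.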

6. User profile and Authorization matrix

6.1 User profile matrix

The user profile matrix can be found on the administrator's startboard. The user profile matrix shows an overview of all active system groups and can be used to compose different user profiles the client desires. By exporting the overview to Excel, the consultant and the client can determine which user profiles are needed and which system groups need to be added to which user profile. Via the user profile management dashboard, these user profiles can be created.

Use the user profile matrix

  1. Press the ‘User profile matrix’ button on your startboard;

  2. Click the arrow at the top right to download the full list to Excel;

    1. If you don’t make a selection, the full report is downloaded;

    2. If you only want to download a selection, first select the lines you want to export before pressing the download button;

  3. After downloading the matrix, we can open the sheet in Excel.

  4. Together with the client, we go over these groups and possible profiles. Based on what the user profiles are used for, we can decide what groups are needed in each profile;

  5. After the client approves the Excel file, the user profiles can be created.

6.2 Authorization matrix

The authorization matrix can be found on the administrator's startboard. The authorization matrix shows an overview of all client's user profiles with all system groups included. Via this matrix, you always have an up-to-date authorization matrix available to see which profile has which access rights (based on the assigned system groups).