Roles and Profiles
- Julie Isebaert
- Sergio Karijodinomo
- Jelle Roelofs
Difficulty: expert
Content
Learning Objectives
After reading this article, you’ll be able to:
Understand Roles/Profiles set-up in Workplace
Select relevant roles per Workplace user
Create environment specific roles as per your needs
Roles and Profiles can be used to differentiate users, their rights and options in Workplace.
If a user has multiple roles assigned to him/her, the overall scope of the user will be the sum total/union of all individual roles.
How to access:
Go to Workplace back-end Studio
Login with your credentials
Select Users & Roles > Roles
The user permissions are stored in the session cache and refreshed every 15 minutes or upon re-login.
This means that changes to Roles & Permissions are applied after re-login, or when the user closes the tab (or the complete browser), waits for 15+ minutes, and re-opens the portal again.
Standard Roles
Every Workplace user is created with Default role. Either manually or through excel upload, any other role can immediately be assigned to a user.
“Default” role
The default role has a set of default permissions. Admins can manage the permissions of this default role.
Usually, end-users can see real-time data and can make & edit reservations
It's not possible to remove this role
Following permissions are configured for Default role | Feature in GO |
|---|---|
livedata.view | Live Data > View Room details |
reservations.view | Live Data > Create a reservation |
reservations.view | My Reservations |
replay.view | Replay |
reports.view | Dashboards |
kiosk.view | Kiosk mode |
locationcharts.view | View historical sensor data in location detail view |
Following permissions are usually added to Default role (or another one) | Feature in GO |
|---|---|
colleague.find | Find a Colleague |
“Admin” role is needed to access Studio (will only give access to current environment) and Device Control (for KioskApp and Workplace App)
! With great power comes great responsibility: make sure the Admin-user is aware of the Studio basics. Having access to Studio means being able to configure general Settings, Sensor Devices, User Management, Floor plan configuration etc => a basic training in Studio is needed before access can be given.
“Admin.devices” role only gives access to Studio Spaces and Studio Devices. All other settings are not available. This role is typically assigned to external hardware installation partners, who need access to Studio in regards to creation of devices, but should not be able to modify anything else.
“Reporter” role allows access to Dashboards
“Developer" role is typically assigned to users who have the rights to view/consume/integrate Workplace Rest API . These users might be external developers who work on integrating Workplace with their systems, and should not have access to Workplace touchpoints.
“Contentcontributor” role is required to create a Content Library (set up Custom Content)
“Contentadmin” role is required to publish/manage Custom Content
Environment Specific Roles
Depending on the needs in your environment, other roles can be added to the environment (select "Add New"), for example access to dashboards on Workplace Web (GO) can be restricted for a specific role.
Below listed Permissions list what is possible.
Role based reservation scope definition
Create a Workplace Role which restricts the user to see only a limited scope of locations, and to be able to make reservations only in those locations.
Step 1: Role definition
Add new role of Type "Reservation Restriction", and describe the reservation scope of a user by using any of the following 3 parameters:
location type
location scope
zone scope
Location Type - Each role can be defined for either
only rooms
only workplaces
only parking places
a combination of the above
Locations scope (buildings) - The locations in which the user is allowed to book a room or desk.
Zone scope - Rooms and workplaces can be linked to zones in Workplace under the Location Grouping settings. When a set of zones are enabled in a role, the user can only book rooms/workplaces linked to that zone.
Step 2: Role assignment
Workplace users are assigned a default role. When users are assigned with another role ABC, this role specific permissions shall be applicable to the users along with ‘Default’ role permissions.
An administrator can assign one or more roles to a user. If a user has multiple roles assigned to him/her, the overall reservation scope of the user will be the sum total/union of all individual roles. See Users and Groups for more information on user creation.
When a Reservation Restricted Role is assigned, the user can only book rooms/workplaces described within the role on Workplace touch points. Reservation requests for other locations will be blocked by Workplace.
Settings in IWMS | Settings in Workplace | Result in IWMS | Result in Workplace | |
|---|---|---|---|---|
No restriction / Allowed to book room X | No restriction / Allowed to book room X | -> | Allowed to book room X | Allowed to book room X |
No restriction / Allowed to book room X | Restriction set on room X | -> | Allowed to book room X | Not allowed to book room X |
Restriction set on room X | No restriction / Allowed to book room X | -> | Not allowed to book room X | Not allowed to book room X |
What does this look like for the user?
With Reservation Restrictions set in Workplace, the user will be able to
select a location on the live floorplan, which will open the room detail screen, but will
not see any availability data
not see the capacity information
not see the “check availability button” ~so will not be able to
use the Create a Booking feature, but the restricted areas will not be part of the search results
If a user is trying to book a resource that is outside of his/her reservation scope (set in IWMS), at the end of the reservation workflow, an error message is shown.
For more details please view the debug page.
Permissions
| Permission | Description | Related to |
1 | users.impersonate | Impersonate other users at API level (Used by Cobundu) | Other |
2 | kiosk.view | Use kiosk | GO |
3 | content.edit | Modify content | Device control |
4 | reservations.view | User reservation features | GO |
5 | reservations.confidential.view | View confidential reservations | GO |
6 | sensordata.export | Export raw sensor data | GO |
7 | reports.view | View reports | GO |
8 | users.edit | Modify users | Studio |
9 | livedata.view | View life data | GO |
10 | rest.view | View the REST API browser | GO |
11 | settings.edit | Modify global settings and connect to other systems | Studio |
12 | devices.edit | Modify devices (sensor, tag,…) | Studio |
13 | roles.edit | Modify roles & profiles | Studio |
14 | settings.saml | Modify SAML settings | Studio |
15 | colleague.find | Find a colleague | GO |
16 | kiosks.edit | Modify kiosks | Studio |
17 | contentrules.edit | Modify content rules | Studio |
18 | plans.edit | Modify plans | Studio |
19 | replay.view | Use replay | GO |
20 | locationcharts.view | View historical sensor data in location detail view | GO |
21 | pulsecount.edit | Reset Pulse Count per location (and decide to create ticket), see View By Other Pulse Count | GO |
22 | calendar.view | Use calendar features | GO |
23 | visitors.manage | Enables visitor management | GO |
24 | costcenter.mandatory | Make Cost Center selection mandatory for Services & Equipment reservation | GO |
25 | reservations.recurring | Use recurring reservations | GO |
Search