InfraLink relies on the concept of Roles to grant Permissions to registered Users. Each Role is a set of Permissions. The Role definitions (i.e., the list of Permissions the Role includes) are global, as they are configured at the Instance level. The Instance Administrator must have global permission to create and/or modify User Role definitions. (Note: this permission is different from the Permissions to assign Roles to User Accounts.)
The InfraLink Instance Administrator defines User Roles based on the intended use of the Instance, its User categories, security policies, and other factors. While new Roles may be created and existing Roles may be modified at any time, it is a best practice to plan and define some core User Roles prior to creating User Accounts.
This article provides guidance on the following features and functionality related to User Roles:
Understanding Global and Contract-Level Permissions and Roles
InfraLink provides two ways of partitioning data within the system: 1) by kind of data (e.g. System Elements, Locations, Cases, etc.) and 2) by Contract. In addition to representing full or partial scope of a business arrangement, an InfraLink Contract acts as a security container. This structure allows the Instance Administrator to restrict access based on Users' contract/project associations.
To ensure configuration consistency and effective management of infrastructure-related information, certain data objects defined and maintained in InfraLink are global. That is, they require global privileges assigned at the InfraLink Instance level, not at the individual Contract level. On the other hand, maintenance records and other project-specific data objects are maintained at the Contract level and do not require global privileges. The infrastructure owner may be assigned a global Role to access all such objects across all Contracts, while individual contractors rely on Contract-specific Roles to access the objects pertaining to their respective projects only.
Typical Role Assignments
Non-administrative User Accounts typically have
- a global-level User Role (e.g., Global - Basic User) assigned, which provides access to the instance's basic global definitions; and
- at least one contract-level User Role (e.g., Technician, Engineer) for each Contract/project they support.
User Roles Grid View
User Roles are created, edited, and viewed via the User Roles grid view, which employs the standard viewing pane layout. To access the User Roles grid view:
- From the top-level navigation toolbar, select the Configure menu.
- Select Roles to open the User Roles grid view.
Filters - Filters along the left side of the view allow users to refine the User Account records displayed within the grid view.
Role Details Panel
Selecting a Role from the User Roles grid view opens the corresponding Role details panel along the right side of the viewing pane. The Role details panel displays the Role's name, description, scope (i.e., global- or contract-level), active users, and a list of included Permissions.
The "Active Users" count is displayed as an active link. Selecting that count will navigate you to the Accounts grid view, filtered by the particular Role. This function may be especially beneficial when reviewing the Users who are granted elevated (administrative) privileges. After reviewing the list of Active Users, use your browser's back button to navigate back to the Role details panel.
Creating a User Role
Typically, you create a new Role to support a particular category of Users. For example, you would create an "Inventory Manager" Role to provide the Permissions necessary for receiving, tracking, and managing warehouse materials/spares. To create a new User Role:
- From the top-level navigation toolbar, select the Configure menu.
- Select Roles to open the User Roles grid view.
- Apply filters, as needed, to make sure that the User Role you intend to create does not already exist, perhaps under another name and/or combined with other privileges.
- Select the Create button, at the top of the grid view, to open the New Role form.
- Name the new User Role, entering a concise, yet descriptive, name. This name will appear when Roles are listed, including within the dialog used to assign Roles to Users. Therefore, it is critical for the name to properly communicate the purpose of the Role and the kind of Permissions it includes.
- Provide a Description of the new Role, including additional information you and/or other administrators may need to properly select the Role when assigning it to Users in the future and/or when updating Role definitions.
- Define the new Role's Scope, selecting either global or contract-level. (See the explanation above.)
- Check the box next to each of the Permissions to be included within the new User Role. Permissions are displayed in a hierarchical list:
  - Permissions are listed by data record type. Checking the box next to the listed data record type will automatically include all related functionality Permissions.
  - Clicking the downward arrow next to the data record type will expand the list to display more granular permission options.
  - Expand the hierarchical list when you wish to select and include only certain functionality (e.g., read-only) Permissions.
- Click OK when all necessary parameters are specified.
  - The new User Role is saved to the User Roles dictionary and listed in the User Roles grid view.
Editing a User Role
From time to time an Instance Administrator may need to update an already defined Role to grant additional Permissions or revoke existing Permissions from all Users associated with that Role.
To edit an existing User Role:
- From the top-level navigation toolbar, select the Configure menu.
- Select Roles to open the User Roles grid view.
- Apply filters, as needed, to find the User Role you wish to edit.
- Select the Edit button, at the top of the grid view, to open the Edit Role "Name" form.
- Edit the Name, Description, Scope, and/or Permissions as needed.
- Click the OK button to save your changes.
Important when Editing Roles
When editing an existing Role, keep in mind that any new Permissions will be immediately granted to, and any removed Permissions will be immediately revoked from, all Users already associated with that User Role. Carefully consider the security and usability implications before editing the Permissions included in an existing Role.
- Use the Active Users count (i.e., link) from the Role details panel to review the active User Accounts associated with an existing User Role.
Note: If an impacted user has an active InfraLink session when Permissions are added to or removed from a Role, the user must refresh their browser to see the Permission changes.
Deleting a User Role
Sometimes, an existing User Role may become obsolete. For example, you may have defined the User Role "Manager" to include a broad range of Permissions, including service management and inventory management Permissions. Later, you realize that you need to grant the service management and inventory management Permissions to different Users. In this situation, you would create two new Roles, say "Service Manager" and "Inventory Manager", thus making the previously created "Manager" Role obsolete. At that point, it would be beneficial to delete the "Manager" Role to avoid confusion and, more importantly, avoid granting unnecessarily broad Permissions to a User Account.
To delete an existing User Role:
- From the top-level navigation toolbar, select the Configure menu.
- Select Roles to open the User Roles grid view.
- Apply filters, as needed, to find the User Role you wish to delete.
- Select the Delete button, at the top of the grid view.
- InfraLink will ask if you are sure you want to delete the selected entry. Select Yes to delete the selected User Role.
When a User Role is deleted, all corresponding Permissions are immediately revoked from all User Accounts associated with that Role. To prevent disruption to Users' business functions, be sure to assign replacement Roles, as discussed in the above example, before you delete a User Role.
- Use the Active Users count (i.e., link) from the Role details panel to review the active User Accounts associated with a User Role prior to deleting it.
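
The review recommended before editing or deleting a Role can also be worked through as a calculation of which Users would actually lose a Permission, taking into account the global and contract-level Roles they hold. The Python below is an added example, not InfraLink code or its API. It assumes a hypothetical export in which each Role is a set of permission strings and each assignment is a (user, Role, contract) triple with no contract for a global-level Role; all names and ids are constructed.

```python
from collections import defaultdict

# Constructed sample data. Role names follow the article's example; permission
# strings, user names and contract ids are hypothetical, not InfraLink identifiers.
ROLES = {
    "Global - Basic User": {"locations.read"},
    "Manager": {"service.manage", "inventory.manage"},
    "Service Manager": {"service.manage"},
    "Inventory Manager": {"inventory.manage"},
}
# (user, role, contract); contract is None for a global-level assignment.
ASSIGNMENTS = [
    ("alice", "Global - Basic User", None),
    ("alice", "Manager", "C-100"),
    ("alice", "Service Manager", "C-100"),
    ("alice", "Inventory Manager", "C-100"),
    ("bob", "Manager", "C-100"),
    ("bob", "Inventory Manager", "C-100"),
    ("carol", "Manager", "C-200"),
    ("carol", "Service Manager", "C-100"),  # other contract: no cover on C-200
]


def effective(assignments, roles):
    """Map (user, contract) -> permissions; contract None holds global grants."""
    perms = defaultdict(set)
    for user, role, contract in assignments:
        perms[(user, contract)] |= roles.get(role, set())
    return perms


def allowed(perms, user, perm, contract):
    """Granted by a global Role, or by a Role assigned on that same contract."""
    return perm in perms[(user, None)] or perm in perms[(user, contract)]


def lost_permissions(role, removed, assignments=ASSIGNMENTS, roles=ROLES):
    """Permissions each (user, contract) loses when `removed` leaves `role`.
    Pass the Role's whole permission set to model deleting it."""
    before = effective(assignments, roles)
    after = effective(assignments, {**roles, role: roles[role] - set(removed)})
    lost = {}
    for user, name, contract in assignments:
        gone = {p for p in removed if name == role
                and allowed(before, user, p, contract)
                and not allowed(after, user, p, contract)}
        if gone:
            lost[(user, contract)] = gone
    return lost
```

Calling `lost_permissions("Manager", ROLES["Manager"])` models deleting the "Manager" Role; an empty result means every affected User already holds replacement Roles on the right Contract.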