Users, Roles, Role nesting and LDAP groups
SmartSpace roles are much like directory service groups: they are named containers for collections of users, email addresses, user-groups and, in SmartSpace, other roles as well. SmartSpace roles also support multi-level nesting so it is straightforward to create specialized collections of users and user-groups where one role can inherit quite a complex set of users, groups and emails from the set of roles lower down in the tree.
Roles are the basis of access control in a SmartSpace application. Depending on which roles a particular user holds, they determine:
- Who has access to different web-based features, including:
- Which preconfigured searches a user can see
- Which properties a user can edit
- Which Web Forms a user can see
- When Business rules are licensed, which notifications (shown on the web map) a user is allowed to receive. When a role is "notified" of an event, a notification message is forwarded to the web map, an email is sent to any email addresses contained in the role (directly or through nesting), or both.
Some practical examples of how users and roles can be configured:
- Assign an email address to a Role. If a notification is sent to a Role that has email addresses assigned to it, an email notification is sent to each of those addresses.
- Assign a Role to another Role. Say we have two Roles, Supervisors and Operators. If Supervisors is a member of Operators then:
- A user assigned the Supervisors role also inherits the Operators role.
- A notification sent to the Operators role is also sent to the Supervisors role and all of its members.
Note that the inverse is not true: a member of Operators is not a member of Supervisors, and a notification sent to Supervisors is not sent to Operators.
- Assign a directory service group to a Role (with or without email notifications). If a user is a member of the group, or of one of its child groups, then the user inherits the Role. If a notification is sent to the Role, all members of the group receive the notification and, if email notifications are enabled, they also receive an email.
- A single notification in a single event handler can therefore result in a mix of emails and web map notifications, depending on the role configuration. It is also possible to notify a single email address directly in an Event Handler.
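The membership and notification rules above run in opposite directions through the role tree: a user inherits every role that their roles are members of (upward), while a notification reaches every user, group member and email address nested inside the notified role (downward). The following Python model is an added example written for this page, not Ubisense code or the product's API; it resolves both directions over constructed data (the Supervisors/Operators pair from the text plus a hypothetical directory group "Shift-A" with a child group "Shift-A-Night"), and it guards the traversals against accidental membership cycles.

```python
from collections import defaultdict


class RoleDirectory:
    """Constructed model of nested roles; added example, not product code."""

    def __init__(self):
        # role -> set of (kind, name); kind is "user", "email", "group" or "role"
        self.members = defaultdict(set)
        # directory group -> direct child groups, and group -> direct user members
        self.child_groups = defaultdict(set)
        self.group_users = defaultdict(set)

    def add_member(self, role, kind, name):
        if kind not in ("user", "email", "group", "role"):
            raise ValueError(f"unknown member kind {kind!r}")
        self.members[role].add((kind, name))

    def add_group(self, group, users=(), children=()):
        self.group_users[group].update(users)
        self.child_groups[group].update(children)

    @staticmethod
    def _closure(start, neighbours):
        """Transitive closure from `start`; the visited set stops on cycles."""
        seen, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            stack.extend(neighbours(node))
        return seen

    def groups_of(self, user):
        """Every directory group containing `user`, directly or via a child group."""
        parents = defaultdict(set)
        for group, kids in self.child_groups.items():
            for kid in kids:
                parents[kid].add(group)
        direct = {g for g, users in self.group_users.items() if user in users}
        result = set()
        for g in direct:
            result |= self._closure(g, lambda n: parents[n])
        return result

    def effective_roles(self, user):
        """Roles the user holds: direct or group-based assignments, plus every
        role those roles are members of (inheritance flows upward)."""
        groups = self.groups_of(user)
        direct = {r for r, ms in self.members.items()
                  if ("user", user) in ms or any(("group", g) in ms for g in groups)}
        containing = defaultdict(set)  # role -> roles it is a member of
        for role, ms in self.members.items():
            for kind, name in ms:
                if kind == "role":
                    containing[name].add(role)
        result = set()
        for r in direct:
            result |= self._closure(r, lambda n: containing[n])
        return result

    def notification_targets(self, role):
        """(users, emails) reached by notifying `role`; flows downward through
        member roles, and through directory groups and their child groups."""
        roles = self._closure(
            role, lambda n: {name for kind, name in self.members[n] if kind == "role"})
        users, emails = set(), set()
        for r in roles:
            for kind, name in self.members[r]:
                if kind == "user":
                    users.add(name)
                elif kind == "email":
                    emails.add(name)
                elif kind == "group":
                    for g in self._closure(name, lambda n: self.child_groups[n]):
                        users |= self.group_users[g]
        return users, emails


def build_example():
    """Constructed data mirroring the page's Supervisors/Operators example."""
    d = RoleDirectory()
    d.add_member("Operators", "role", "Supervisors")  # Supervisors is a member of Operators
    d.add_member("Supervisors", "user", "alice")
    d.add_member("Operators", "user", "bob")
    d.add_member("Operators", "email", "ops@example.com")
    d.add_member("Supervisors", "email", "supervisors@example.com")
    d.add_group("Shift-A", children={"Shift-A-Night"})   # hypothetical directory groups
    d.add_group("Shift-A-Night", users={"carol"})
    d.add_member("Operators", "group", "Shift-A")
    return d


if __name__ == "__main__":
    d = build_example()
    for user in ("alice", "bob", "carol"):
        print(user, sorted(d.effective_roles(user)))
    for role in ("Operators", "Supervisors"):
        print(role, d.notification_targets(role))
```

Running it shows the asymmetry the text describes: alice (Supervisors) resolves to both roles while bob and carol resolve only to Operators, and notifying Operators reaches all three users and both email addresses, whereas notifying Supervisors reaches only alice and the Supervisors address. The same resolution applies when a role is assigned through a directory group rather than directly, which is why carol (a member only of the child group) still receives Operators notifications.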
With the introduction of support for OpenID Connect, an external authentication authority can handle login and provide user ID and roles to SmartSpace Web. See the details on using OpenID Connect in your installation guide.
Default Roles in SmartSpace
SmartSpace is supplied with the following roles which control access to different parts of SmartSpace Web:
- System.Operator: members of the System.Operator role can access the Tag and Battery Status screen and the Sensor Status screen.
- System.Manager: members of the System.Manager role can access the Roles screen and the Shifts screen.
- Ubisense.SmartSpace.Administrator: if Reports engine developer is licensed, members of the Ubisense.SmartSpace.Administrator role can view all reports and create and edit new ones.
These roles are nested: System.Manager is a member of System.Operator; and Ubisense.SmartSpace.Administrator is a member of System.Manager. This means that the permissions are inherited so that by default the different roles can access screens in SmartSpace Web as follows:
Role | Report Creation | HMI Creation | Roles | Shifts | Tags | Sensors |
---|---|---|---|---|---|---|
System.Operator | | | | | Yes | Yes |
System.Manager | | | Yes | Yes | Yes | Yes |
Ubisense.SmartSpace.Administrator | Yes | Yes | Yes | Yes | Yes | Yes |
From SmartSpace 3.7, additional default roles are available that enable finer control of access to different parts of SmartSpace Web, including the Automated tag association feature from Location rules. These new roles do not change the System.Operator, System.Manager and Ubisense.SmartSpace.Administrator roles. In the table, "Has members..." names the existing role that is a member of the new role and therefore inherits it (for example, every System.Operator member is also a System.Web.AssociationAdmin member). The additional roles are organized as follows:
Role | Has members... | Allows you to... |
---|---|---|
System.Web.AssociationAdmin | System.Operator | |
System.Web.AssociationViewer | System.Web.AssociationAdmin | View the Association screen in SmartSpace Web |
System.Web.HMIAdmin | Ubisense.SmartSpace.Administrator | Create HMIs, and add roles to control access |
System.Web.ReportAdmin | Ubisense.SmartSpace.Administrator | Create reports and their constituent parts, add roles to reports |
System.Web.RolesAdmin | System.Manager | |
System.Web.RolesViewer | System.Web.RolesAdmin | View roles |
System.Web.SensorsAdmin | System.Operator | |
System.Web.SensorsViewer | System.Web.SensorsAdmin | View the status of sensors |
System.Web.ShiftsAdmin | System.Manager | |
System.Web.ShiftsViewer | System.Web.ShiftsAdmin | View shifts, shift patterns, and overrides |
System.Web.TagsAdmin | System.Operator | |
System.Web.TagsViewer | System.Web.TagsAdmin | View the Tags screen in SmartSpace Web |