Getting Started with Roles, Users, and Processes

If you are starting from a blank database, you will need to establish security groups, roles, and users before you can log in using Archibus Web Central.

A quick way to do so is to use the tasks in the System / Archibus Administrator - User and Security process in Web Central.

Note: For assigned roles and processes to appear to a user upon sign-in, you need to apply the changes by clicking the appropriate view's Flush Cached User Accounts and Roles button, located in the upper right corner of the view. See the User Help topic Archibus Web Central User's Guide / Archibus Administrator - User and Security / User Management / Flush Cached User Accounts and Roles. Alternatively, you can restart the application server.

If you have a large number of additions or changes to make, you may prefer to use the parallel process in the Smart Client. The Smart Client grid views have fewer actions but are easier for bulk-data entry.

Security Groups

Security Groups define the access rights you want to establish to sections of data or functionality. For instance, you might establish "RPLM" and "SPACE" security groups to keep edit and review rights for Real Property and Space information separate. You can use the "%" wildcard of the SQL "like" operator to match all groups with a given prefix. "SPACE%", for instance, would match all groups beginning with the prefix "SPACE".

You must have at least one Security Group. At a minimum, you can create one group with the group name "%", which grants access to all Security Groups.

Security Groups control access to certain commands. However, most commonly, Security Groups are used to control access to fields of data. Each field in the Archibus schema has an Edit Group and a Review Group. If the Edit Group is present, the user must be a member of that group to change a value in that field from any edit form. If the Review Group is present, the user must be a member of that group or they will not see that field at all.

Note: When a field is hidden, application views with JavaScript code that expects the field to be visible may run with errors.

Define your Security Groups with the Add or Edit Security Groups task.

Review and change the Security Group assignments to individual fields in the schema using the Smart Client's Define per-Field Group Security task.
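The Edit Group and Review Group rules above, together with the "%" prefix matching, can be modeled offline to review what each role would be able to see and change. This is an added example, not Archibus code: the group, role and field names are constructed, and it assumes that "%" is the only wildcard and that names compare case-sensitively.

```python
import re

def like_match(pattern, group):
    """SQL LIKE-style match where only "%" is a wildcard (any run of characters)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, group, re.DOTALL) is not None

def in_group(role_patterns, group):
    """True if any security group assigned to the role matches the named group."""
    return any(like_match(p, group) for p in role_patterns)

def field_access(role_patterns, edit_group, review_group):
    """Return "hidden", "read" or "edit"; an empty group means no restriction."""
    if review_group and not in_group(role_patterns, review_group):
        return "hidden"   # not in the Review Group: the field is not shown at all
    if edit_group and not in_group(role_patterns, edit_group):
        return "read"     # visible, but values cannot be changed
    return "edit"

def access_matrix(roles, fields):
    """Effective access of every role to every field."""
    return {role: {name: field_access(pats, edit, review)
                   for name, (edit, review) in fields.items()}
            for role, pats in roles.items()}

def unrestricted_roles(roles, groups):
    """Roles whose patterns cover every defined group, for example via a bare "%"."""
    return sorted(role for role, pats in roles.items()
                  if all(in_group(pats, g) for g in groups))

# Constructed sample data (hypothetical names, not taken from a real schema).
GROUPS = ["SPACE-EDIT", "SPACE-REVIEW", "RPLM-EDIT", "RPLM-REVIEW"]
ROLES = {
    "SPACE MANAGER": ["SPACE%"],
    "RPLM REVIEWER": ["RPLM-REVIEW"],
    "ADMIN": ["%"],
}
FIELDS = {  # field name -> (Edit Group, Review Group)
    "rm.area": ("SPACE-EDIT", ""),
    "ls.amount": ("RPLM-EDIT", "RPLM-REVIEW"),
    "bl.name": ("", ""),
}

if __name__ == "__main__":
    for role, row in access_matrix(ROLES, FIELDS).items():
        print(role, row)
    print("roles covering every group:", unrestricted_roles(ROLES, GROUPS))
```

Roles reported by `unrestricted_roles` are the ones to review first, since a "%" assignment also covers any group created later.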

Establishing Users

Establishing users involves first creating security groups, roles, and users and then granting the correct access to each role.

User Roles

You group security groups, Navigator processes, and home page assignments by role, such as "RESERVATION ASSISTANT" or "RESERVATION HOST".

To do so, use the Add or Edit User Roles view to define these roles. For information, see Working with User Roles.

Security Group Assignments to Roles

Use the Assign Security Groups to Roles task to grant particular roles access to one or more security groups.

Process Assignments to Roles

Use the Assign Processes to Roles or Users task to define what Navigator or Home Page appears to users of this role when they log in.

You can also assign processes directly to users; however, most sites prefer role-based assignments, as they are easier to manage. Changing the list of processes for a role automatically changes the list of processes for all users of that role.

Assign Users to Roles

Use the Edit Users task to create user account records and assign users to a role. See Archibus Users (afm_users) table.

Coordinating User and Employee Identities

The Archibus system spans two types of identity that are typically distinct.

| Identity | Description |
| --- | --- |
| Employee identity | A user's identity within the facility is kept in the Employees table, where all current employees and long-term contractors are listed. This information is sometimes downloaded from Human Resources (with the employee ID being attached to the end of the Employee Name primary key to keep the data unique), but is almost always added to and modified by the facilities department, since facilities must accommodate contractors, temps, and other personnel who need facility resources but who are not part of the Human Resources database. (The Archibus system also has separate lists for contractors, visitors, and Real Property and Lease Management contacts, but they are unaffected by the login sequence.) |
| User identity | A user identity (typically managed by the IT department) determines whether or not the user can log in. This is kept in the Archibus Users table. For sites with integrated security on an LDAP server or using a single sign-on identity server, this is kept in a central repository. |

Archibus has default scripts for helping you link the two identities using the email address, which is the usual common link between the two. You may wish to modify these scripts to suit your own site's conventions; review the comments in the scripts for details. The following tasks of the System Administration / Archibus System Administration / Archibus Administrator - User and Security process contain these scripts:

| Task | Description |
| --- | --- |
| Synchronize User and Employee Identities | This updates the Email Address in both the Archibus Users and the Employees tables in one step. You can do the update on imported data, a useful option if you are importing email addresses from an external system managed by IT. |
| Create User Identities from Employees | This creates Archibus User identities for each of the selected Employee records in one step. |

When you log in to Archibus, the system first verifies that the user name and password that you supplied are present in the Archibus Users table. It then uses the email address from the Archibus Users table to look up any Employee record that user has. The program caches the Division, Department, Building, Floor, and Room Codes and Employee Name information so that it can be used in views and actions to personalize the data in the view (for example, to show rooms reserved by that person) or the action (for example, to automatically assign a new reservation to that person). You can review this cached information by using the Archibus Web Central My Profile command.
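Because the email address is the only link between a user account and an Employee record at login, it is worth checking exported data for accounts whose link is missing, ambiguous or shared before relying on the personalized views. The following is an added example, not one of the Archibus scripts: the input is constructed sample data in a hypothetical (name, email) layout, and comparing emails case-insensitively with whitespace trimmed is an assumption about how the lookup behaves.

```python
from collections import defaultdict

def norm(email):
    """Normalize an email for comparison (assumed: trimmed, case-insensitive)."""
    return (email or "").strip().lower()

def audit_identity_links(users, employees):
    """users: [(user_name, email)], employees: [(employee_name, email)].
    Returns the accounts whose email link to an Employee record needs review."""
    employees_by_email = defaultdict(list)
    for employee_name, email in employees:
        if norm(email):
            employees_by_email[norm(email)].append(employee_name)
    users_by_email = defaultdict(list)
    report = {"no_email": [], "no_employee": [], "ambiguous": []}
    for user_name, email in users:
        key = norm(email)
        if not key:
            report["no_email"].append(user_name)        # nothing to look up
            continue
        users_by_email[key].append(user_name)
        matches = employees_by_email.get(key, [])
        if not matches:
            report["no_employee"].append(user_name)     # no profile to cache
        elif len(matches) > 1:
            report["ambiguous"].append((user_name, sorted(matches)))
    # Several accounts on one email all resolve to the same Employee record.
    report["shared_email"] = sorted((email, sorted(names))
                                    for email, names in users_by_email.items()
                                    if len(names) > 1)
    return report

# Constructed sample rows (not real data).
USERS = [
    ("AMORGAN", "a.morgan@example.com"),
    ("BLEE", "B.Lee@Example.com "),
    ("CTEMP", ""),
    ("DKHAN", "d.khan@example.com"),
    ("SVC1", "shared@example.com"),
    ("SVC2", "shared@example.com"),
]
EMPLOYEES = [
    ("MORGAN, A. 1001", "a.morgan@example.com"),
    ("LEE, B. 1002", "b.lee@example.com"),
    ("LEE, B. 2002", "b.lee@example.com"),
    ("SHARED DESK", "shared@example.com"),
]

if __name__ == "__main__":
    for finding, rows in audit_identity_links(USERS, EMPLOYEES).items():
        print(finding, rows)
```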