OT-BASE Asset Center comes with a sophisticated and flexible system to fine-tune access rights. All the magic happens within group definitions. You can define as many user groups as needed, and thereafter assign these groups to individual users.
In order to access the user group management, go to USERS/GROUPS.
You can add or edit a user group by clicking on the Add or Edit button. Thereafter, the following dialog is displayed:
The name of the user group. A user group must have a unique name. In the interest of usability, you may want to use a name that hints at the roles and responsibilities of the users who are members of this group. An example would be "Detroit Engineering" for a group that is configured for engineers in a plant located in Detroit. The one situation where you cannot pick a group name of your choice is an LDAP group (see below), in which case the group name must match the LDAP group name.
Check this box if you want the group's members to use Single Sign-On. In this case you don't need to manually add the respective users to the internal user database in Asset Center. Instead, authentication is performed against an LDAP server. Members of the LDAP group will then have the access rights configured for this group, without needing individual user accounts.
General Device Inventory Access
Here you can configure general access to the device inventory:
- None means that members of this group will not be able to access the general device inventory.
- Read means that members of this group will be able to see all devices in the device inventory, but not necessarily modify any data.
- Read/Files+ means that members of this group cannot change device data, but they can attach files to files and other inventory objects.
- Read/Write means that members of this group will be able to see and modify all devices in the device inventory.
Extended Device Inventory Access
The extended device inventory access allows you to define additional access rights that apply only to dedicated parts of the device inventory. This way you can, for example, ensure that some users can only see devices at a particular location, or belonging to a particular device group. In a multi-site arrangement, extended access rights are used to make sure that local users can only access local asset information, while other users in a central function can access asset information from multiple sites, if not from all of them.
Use this field to configure the extent of the extended inventory access (None, Read, Read/File+, Read/Write).
Here you can define the scope of the extended permission in one or more of the three dimensions location, process function, and device group. Note that you can add multiple scope entries, making it easy to specify that members of this group have extended access rights in multiple locations, for example.
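The following added example (not OT-BASE code) models how general and extended device inventory access could combine for one device, which is useful for reviewing a planned group layout before configuring it. The ordering of access levels, the AND-matching of dimensions within one scope entry, the "highest level wins" rule across groups, and all names other than "Detroit Engineering" are assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

class Access(IntEnum):
    # Assumption: levels are ordered as the page lists them.
    NONE = 0
    READ = 1
    READ_FILES = 2  # "Read/Files+"
    READ_WRITE = 3

DIMENSIONS = ("location", "process_function", "device_group")

@dataclass(frozen=True)
class Scope:
    location: Optional[str] = None          # None = dimension not constrained
    process_function: Optional[str] = None
    device_group: Optional[str] = None

    def matches(self, device: dict) -> bool:
        wanted = {d: getattr(self, d) for d in DIMENSIONS if getattr(self, d) is not None}
        # Assumption: all dimensions set in one entry must match (AND).
        # An empty entry matches nothing, so it cannot grant site-wide access.
        return bool(wanted) and all(device.get(d) == v for d, v in wanted.items())

@dataclass
class Group:
    name: str
    general: Access = Access.NONE
    extended: Access = Access.NONE
    scopes: list = field(default_factory=list)

    def access_to(self, device: dict) -> Access:
        # Extended rights only add to general rights, and only inside a scope.
        if any(s.matches(device) for s in self.scopes):
            return max(self.general, self.extended)
        return self.general

def effective_access(groups: list, device: dict) -> Access:
    # Assumption: a user in several groups gets the highest level any group grants.
    return max((g.access_to(device) for g in groups), default=Access.NONE)

# Constructed sample data (group names, sites and devices are illustrative).
DETROIT_ENG = Group("Detroit Engineering", extended=Access.READ_WRITE,
                    scopes=[Scope(location="Detroit")])
CENTRAL_AUDIT = Group("Central Audit", general=Access.READ)
PLC_DETROIT = {"location": "Detroit", "process_function": "Paint", "device_group": "PLC"}
PLC_HOUSTON = {"location": "Houston", "process_function": "Paint", "device_group": "PLC"}
```

With this layout, a member of "Detroit Engineering" gets Read/Write on the Detroit device and no access to the Houston device, which is the multi-site separation described above.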
This field specifies if members of this group can access the change management workflow (WORKFLOWS/CHANGE MANAGEMENT).
Check this box for a user group whose members are entitled to authorize change requests.
Specifies if members of this group can access the user management (None, Read, Read/Write). You need to be particularly cautious with the Read/Write setting, as this entitles users to re-configure access rights.
Specifies if members of this group can manually import asset data in the INVENTORY/IMPORT area (Yes, No).
Specifies if members of this group can modify master data such as location metadata, extended inventory fields, and hardware/software product metadata. Since it is easy to completely mess up an asset database by modifying master data the wrong way, it is recommended to strictly limit this capability to administrator-like user groups.
Specifies if members of this group have access to the maintenance tab. Since the maintenance area holds the configuration for OT-BASE, it is recommended to strictly limit this capability to administrator-like user groups.