Users, or groups of users, are assigned to 'roles' with each role containing a set of security/access settings. The Security page of the Web Application - Administration tool is used to setup roles and it is where users and/or groups are assigned to each role.
A role is created to allow access to a defined set of features. It will determine what a user will see when they log on and how they can navigate through the system. One or more roles can be created and then individual users or groups can be assigned to a role according to the access levels required.
Each user that logs on to the Web Application can have a role assigned to them. If no role is explicitly granted, the 'Public' role will be automatically assigned. The 'Public' role is the default role and this role cannot be removed.
A 'User' is an individual who is given access to the Web Application by being assigned to one or more security roles.
A 'Group' is a collection of users who are given the same security access by being assigned to the same role. Each group name that is added to Role Based Security must be an existing domain group. The users that will have access will be those user names that have already been established under the specified domain group name.
- If AD groups are being used to set permissions, a unique AD group should be created for each different Role required.
- User accounts associated with one AD group should not be a member of any other AD group that is being used for Role Based Security.
Assigning Users/Groups to Multiple Roles
Users and groups can be assigned to multiple roles with a single user being able to belong to a maximum of 30 roles.
The effect of a multi-role logon is 'additive', that is, permissions or attributes will not be denied, only added. For example, if a user belongs to two roles, with 'Role A' allowing for Threshold modifications only and 'Role B' allowing for Database modifications only, when the user logs on, they can modify both Thresholds and Databases.
The 'Home' page attribute cannot be aggregated, therefore a 'Combined Home Page' configuration option is available. This option can be used to assign a 'Home' page for multi-role users. For details see the Setting Home Page for Users With Multiple Roles.