Role Based Security Safeguards

Several safeguards have been incorporated into the Prognosis Security feature to ensure that ALL users are not inadvertently locked-out of the system.

The following safeguards are designed specifically for Administration users when removing or changing Roles.

For Administrators with a Single Role

1.    The logged-on user is not permitted to remove Administration rights from the Role that they belong to. This can only be done by another user who belongs to a Role that has administrative rights.

2.    Deleting the user name of the logged-on user from the current Role is not permitted.

3.    Deleting the last user or group from the Role that the logged-on user belongs to is not permitted.

4.    Deleting the Role that the logged-on user belongs to is not permitted.

For Administrators with Multiple Roles

1.    The logged-on user is not permitted to remove the last Administration rights Role from all the Roles they belong to. The last Role can only be removed by another user who belongs to a different Role with Administration rights.

2.    Deleting the user name of the logged-on user from any Role is permitted as long as it follows the first rule.

3.    Deleting the last user or group from the Role that the logged-on user belongs to is permitted as long as it follows the first rule.

4.    Deleting the Role that the logged-on user belongs to is permitted as long as it follows the first rule.

Changing the Role of the currently logged-on user only becomes effective after the users logs out and then logs in again.

When Integrating Active Directory Users

If changing the company domain name in the Prognosis environment, this can impact users' access to the WebUI, and the application users' access to the SQL Reporting Solutions, including Reporting Advanced and Business Insight, if deployed.

There is a risk that users' access to the WebUI will be disabled, and the SQL Reporting solution will stop working after changing the domain name.

If you are planning to change your domain name, please contact your IR Account Manager for assistance from our Professional Services.

Here are some tips that may avoid any possible lockouts:

  • Add a local machine user that is not part of any domain to an Administration Role, see Steps 4 - 6 in Adding a Security Role
  • If changing the domain, add the new domain users first and test that users have access, before removing the old domain users, refer to Viewing Users, Groups and Roles


Provide feedback on this article