Best Practices for Permissions
Keep in mind the following when granting and propagating permissions:
Permissions granted to a user group are inherited by the users who belong to the group. This allows you to manage permissions at a user group level, by adding users to and removing users from the user group, as needed.
The most recent permission granted for a user or user group on a context or a piece of equipment is the current permission setting for that user or user group on that context or piece of equipment. For example:
If User1 is granted read (Read) permission to all equipment within Context4, and subsequently granted write (Write) permission to Line3 and all of its children in Context4, then within Context4, User1 has write (Write) permission to Line3 and all of its children, and read (Read) permission to all other equipment.
If User1 is granted write (Write) permission to Line3 and all its children in Context4, and subsequently granted read (Read) permission to all equipment in Context4, then within Context4, User1 has read (Read) permission for all equipment.
Granting the none (None) permission to a user group takes precedence over any read (Read) or write (Write) permission explicitly granted to a user in the group. Granting the none (None) permission to a user takes precedence over any read (Read) or write (Write) permission granted to a user group to which the user belongs.
Granting read (Read) permission to a user group results in users in the group having only read (Read) permission, even when a user in the group is explicitly granted write (Write) permission. When the user group is granted read (Read) permission, the write (Write) permission for the user group is automatically set to false. This false setting for the write (Write) permission is inherited by the users in the user group. To allow only some users in the user group to have write (Write) permission, grant write (Write) permission to the user group, and grant read (Read) permission to the individual users who should not have write (Write) permission.
Write (Write) permission is automatically granted to the user who creates a new piece of equipment on the Equipment tab of Configuration and Setup. No other user or user group has read (Read) or write (Write) permission on that piece of equipment until the permission is granted to them. Administrators and Controls Engineers can always see all contexts and equipment, regardless of permission settings.
The Import and Export Equipment action is limited by the permissions granted to the current user who is performing the action.
Exporting includes only those contexts and the equipment within those contexts on which the current user has at least Read permission.
When importing, the current user must have write (Write) permission on the contexts into which equipment is being imported. For each piece of equipment listed in the spreadsheet, the current user must also be granted permission in both the Property Read and Property Write columns, either explicitly or as a member of a user group.
For more information, see Importing Equipment Information.
To remove a user’s or user group’s permission on certain contexts or equipment, grant them the none (None) permission for that context or equipment.
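The ordering and precedence rules above can be checked before changing grants on a live system with a small model; the following is an added example, not code from the product or its documentation. It assumes a constructed hierarchy (Line5, Pump1 and the group name Ops are hypothetical) and an assumed combination rule, "the most restrictive setting among the user and the user's groups applies", which reproduces each case stated on this page. The Administrator and Controls Engineer visibility exception is not modeled.

```python
from enum import IntEnum

class Perm(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2

# Constructed sample hierarchy: a context, its equipment, and their children.
TREE = {"Context4": ["Line3", "Line5"], "Line3": ["Pump1"], "Line5": [], "Pump1": []}

def subtree(node):
    """Return the node and every descendant below it."""
    nodes = [node]
    for child in TREE[node]:
        nodes.extend(subtree(child))
    return nodes

def replay(grants):
    """Apply (principal, node, perm) grants in order; each covers the node and
    its children, and the most recent grant on a node replaces earlier ones."""
    current = {}
    for principal, node, perm in grants:
        for covered in subtree(node):
            current[(principal, covered)] = perm
    return current

def effective(user, node, current, groups=()):
    """Assumed combination rule: the most restrictive setting among the user's
    own grant and the grants of the user's groups; NONE if nothing is granted."""
    settings = [current[(p, node)] for p in (user, *groups) if (p, node) in current]
    return min(settings, default=Perm.NONE)

def audit(grants, user, groups=()):
    """Effective permission for one user on every node of the sample tree."""
    current = replay(grants)
    return {n: effective(user, n, current, groups).name for n in subtree("Context4")}

if __name__ == "__main__":
    # The page's two ordering examples, then a group Read vs. user Write conflict.
    print(audit([("User1", "Context4", Perm.READ), ("User1", "Line3", Perm.WRITE)], "User1"))
    print(audit([("User1", "Line3", Perm.WRITE), ("User1", "Context4", Perm.READ)], "User1"))
    print(audit([("Ops", "Context4", Perm.READ), ("User1", "Line3", Perm.WRITE)], "User1", ["Ops"]))
```

Running the same grant list in a different order shows how a later, broader grant silently replaces an earlier, narrower one, which is the case most likely to widen or remove access unintentionally.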