Security

Another important part of building an app in the Vizion Platform is security. Security Roles are used to assign privileges to a user. Different Security Roles allow the administrator to determine a user’s access to view and modify data in the Vizion Platform.


In the Vizion Platform, a Security Role is fundamental to manage user privileges and system access. The core attributes of these roles include:

  • Role Composition: Security Roles are composed of various Security Groups, collectively shaping user access within the Platform to align with their specific job roles and responsibilities.

  • Security Groups control privilege types across various system elements such as Tabs, Trackor Types, Dashboards, Administration tools, and Audit & Logs.

  • Privilege Types: Security Roles encompass five principal privilege types: Read, Add, Edit, Delete, and None, each defining different levels of user interaction within the system.

Security roles in the Vizion Platform are essential for ensuring that users have appropriate access in the system, tailored to their specific job requirements and responsibilities.

See complete information in the User Guide:

Security Considerations

When setting up security in the Vizion Platform, it's important to think about a few key things. We want to make sure the system stays secure and that everyone gets just the right amount of access. Here's a detailed approach:

1. Identify the Users

  • User Roles: Identify different user roles in your organization, such as administrators, managers, regular employees, vendors, etc.

  • Access Needs: Determine the access needs for each role. For instance, administrators typically have full system edit access, while regular employees may only need read/edit access to specific Trackor Types.

2. Define Permissions for Each User Type

  • Granularity: Establish the level of granularity needed for each user type.

  • Differences in Access: Clearly define how access levels differ between roles.

    • For example, in the Equipment Checkout App there are Equipment Managers, who check equipment in and out, and Renters, who can only see the asset list and availability.

3. Trackor Access

  • Access Level per Trackor Type: Define which Trackor Types each user role can access. This should align with their job functions.

  • Specific Restrictions: Consider any specific restrictions or special access requirements for sensitive Trackors.

4. Privilege Types – Decide the level of access to Trackor Types & Tabs for Users

  • READ: Ability to View information

  • EDIT: Ability to Modify.

  • ADD: Ability to add records on a Trackor Type

  • DELETE: Ability to delete records from a Trackor Type

  • NONE: No access to a Trackor Type, Applet or Tab

When granting permissions, Read, Edit, Add, Delete are additive, while None is subtractive and overrides other privileges. For example, selecting Read + Edit will allow a User to see and make changes, but selecting Read + Edit + None will prevent a User from even being able to view.

5. Page Access

  • Portals: Define which portals are relevant to each user type, ensuring that the user can access all the Tabs and Applets that are included.

  • Mapping and Calendar: Determine who needs access to geographic data or calendar features for scheduling or tracking purposes.

6. Reports and Imports

  • Report Access: Decide who can view, create, and manage reports. This includes determining the visibility of certain data within reports.

  • Import Privileges: Assign who can import data into the system and what imports they can use. This is crucial for roles that involve data migration or bulk updates.

7. View & Filter Configurations

  • Globals: Set up Global Views and Filters for common access needs. Will different user roles have varied access and need different Views and Filters?

8. Menu Configurations

  • Menu Accessibility: Tailor the application menu to reflect the user’s role and access rights.

  • Simplifying Navigation: Customize menus to help users navigate the system efficiently, showing only relevant options.

Case Study: Security

The jobs of people who will use the Equipment Checkout App are:

  • Equipment Supervisor: Users with this assigned role can check equipment In and Out at the warehouse location, Log equipment condition, hours, name of renter, assign a repair technician, approve repair, add new types of equipment on the Master and individual assets, and add new renters and technicians.

    • Outside of the Administrator Role, this role will have the highest level of permissions within the Equipment Checkout program.

  • Equipment Manager: The person who checks equipment in and out at the warehouse location. Logs equipment condition, hours, name of renter.

  • Renter: This person can see the Asset list, including availability and calendar, and their own renter profile, including assigned Assets and rollup fields. They will not update any data.

  • Administrator: This person has full rights to build the application and manage users.

 

Let’s build the Security Role for Equipment Supervisor.

Build a Security Role: “Equipment Supervisor”

1

In the Menu, navigate to Admin Center > Users & Security > Security Roles.

The Security Roles page will open.

Security Roles in Menu

2

On this page, you will find all created Security Roles listed. If your Vizion Platform is new, you might only have the “Administrator” role listed.

To create a new Security Role, press Add.

  • Enter a name for your Security Role. Names must be unique to the system.

  • Enter a Description for the new role explaining what kinds of users it supports.

Add Security Role

3

Click on the Security Groups Tab.

On this tab you will see a list of Security Group tokens listed by name, type and description. Each line has a set of available privileges.

Note: Privilege choices will vary depending on the Security Group “Type” value.

 

4

By default, having no boxes checked means the Privilege is not available for users of this Security Role.

Privilege updates are necessary only for items where you intend to grant access; not all Tokens require them.

5

Let’s start by providing access to our Trackor Types & Tabs for the following Trackor Types.

  • Home Location

  • Asset Items

  • Equipment Master

  • Transaction

  • Assignee

In many cases, we will reference the Trackor Type Name and not the Label when updating Security Group records.

6

Let’s start with “Home Location” Trackor Type (Ex: Name = EC_HOME_LOCATION)

Use the Quick Search to enter “EC_HOME_LOCATION” and search.

Three items will be returned based on this naming convention, listed by Type: “Trackor Type”, “Relation” and “Configured Tab”.

 

7

Our new Security Role, “Equipment Supervisor”, is able to create, delete and modify records on the “Home Location” Trackor Type.

Let’s configure by updating the privileges.

 

8

For users who are assigned this Security Role, we would like for them to be able to Add new Home Location records, Edit existing records, Read existing records and Delete records that are no longer valid for this “Trackor Type”.

  • Trackor Type = Read, Edit, Add, Delete

  • Configured Tab (General Info) = Read, Edit

  • Relation = Read, Edit, Add.

Notice Delete was not selected. We always like Assets to have an assigned parent “Home Location”. Therefore, this user can Edit and Add new relations, but cannot delete relations between parent and child.

9

Press Apply to save changes.

Save your work as you go, before you further navigate and search for items to configure within the Security Role.

 

10

Repeat these steps for other Trackor Types and Tabs listed above. Privilege selections can vary by Trackor Type based on your preferences and intent for assigned users of this role.

 

11

For the Equipment Supervisor role, pictured are the permissions assigned to the Trackor Types, Relations and Configured Tabs.

Next we will configure other application settings for this new role.

 

12

Security Group Types such as:

  • Audit & Log

  • Build Application

  • Dashboard

  • Data View

  • Feature Visibility

  • System Administration

  • User & Security

should be configured when creating a new Security Role to ensure end users have access to functional tools within the Vizion Platform.

Pictured on the right are the configuration options selected for our new “Equipment Supervisor” role. As mentioned earlier, the settings applied to a role may vary depending on the desired level of access & visibility for your new role.

 

13

Also remember to assign any other pages, such as Dashboards, you have created where users of this Security Role should have access.

Use the Quick-Search bar to search for page names.

 

14

Default Assignments (Optional)

On the General Info tab of your Security Role, you see default assignments, which automatically grant access whenever something new is created.

A non-Admin role (such as Equipment Supervisor) would not have full default privileges. Instead, the administrator would grant privileges to the role as needed.

However, there might be some “Default Privs” that make sense to include, such as “Global View” and “Global Filter”. With this as default, whenever a new Global View or Filter is created, Users with this security role will automatically have access to the View and Filter (on Trackor Types they can access.)

We recommend that “Default Assignment” not be used for Trackor Types, etc., as these should be reviewed for each specific Security Role and assigned on the “Security Groups” tab.

 

 

Next:

Let’s review some of the other tabs and settings within our new Security Role “Equipment Supervisor”.

 

15

Menu Applications

Click on the checkbox representing the Menu this role should have.

Ex: Equipment Checkout.

A non-Admin user will not have some of the Administrative Menus such as “Info Center” or “Dev Center”. These icons in the left side-bar will not be visible.

The only Menu the “Equipment Supervisor” will see is the “Equipment Checkout” menu. This ensures a more direct user experience as there will be fewer items to see.

 

16

Global Views & Global Filters

There is a dedicated tab for both Global Views and Filters. For this Security Role, select the Views / Filters that users should have.

Any existing Global View or Filter that is not selected will not be visible to the Users assigned to this Security Role.

17

Global Portals

Select which Portal Pages are applicable for this role to access.

18

Run Reports

Select which reports users of this role should be able to execute.

19

Report Delivery

Typically “Email”, “Email with Link” and “File” are selected for non-admin users. Selections made here will control the options users see when running a report.

 

20

Notifications

Select which Notifications users of this role should receive.

21

Notification Types

This controls which types of notifications should be available for the users to opt into.

Note: Make sure the Notification Type you select correlates with the Notification(s) selected on the previous step.

22

Export Types

Controls what type of export the users can run. Standard for non-admin users:

  • Grid E-Files to ZIP

  • Grid to CSV

  • Grid to Excel

  • Map Objects to Google Earth

  • Map Objects to MapInfo

 

23

Export Delivery

Controls how the exports are delivered to the users.

  • EMail

  • File

24

Press Apply to save.

 

Next: To test the new “Equipment Supervisor” Security Role, use the “Login As” function to log in as a User with this assigned Security Role and view the end-user experience. If necessary, create a new User dedicated to testing and assign it the “Equipment Supervisor” role. With that step complete, as an Admin, you are ready to use the “Login As” feature.

Testing the new Security Role via “Login As”

 

1

Video: Showcases the “Login As” feature, which allows an Admin User to log in to a non-admin account in order to test and review the experience of a User assigned the Security Role.

Remember: Admin Users have access to all details in the Vizion Platform. Using “Login As” allows you to view and test that this Security Role has the needed permissions and does not have too many permissions.

Use this testing opportunity to ensure the User Experience performs as you expect.

It might be prudent to identify testing scenarios and scripts as part of any pre-release of a new Security Role you plan to assign to Users.

 

2

Items to Test when using “Login As”

  • Menu Access: Do all menu items open and appear as expected?

  • Trackor Access: For Trackor Type pages, do users have the correct Read, Edit, Add and Delete permissions? Can they/should they be permitted to Add a record?

  • Tab Access: Are Tabs accessible? Can they be edited or are they Read Only based on the assigned Security Role permissions?
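
The privilege rule from "Privilege Types" (Read, Edit, Add, Delete are additive; None overrides) and the "Login As" checks above can be written down as a review script. This is an added example, not code from the Vizion Platform or its documentation: it calls no platform API, the intended matrix is taken from step 8 of the case study, and the "configured" selections are constructed sample data a reviewer might have recorded.

```python
# Added example: models the page's privilege rules only; no Vizion Platform API is used.
PRIVS = {"READ", "EDIT", "ADD", "DELETE"}

def effective(selected):
    """Resolve checked boxes: Read/Edit/Add/Delete add up, None overrides them all."""
    selected = {p.upper() for p in selected}
    unknown = selected - PRIVS - {"NONE"}
    if unknown:
        raise ValueError(f"unknown privilege(s): {sorted(unknown)}")
    return frozenset() if "NONE" in selected else frozenset(selected)

# Intended access for "Equipment Supervisor" on Home Location (case study, step 8).
EXPECTED = {
    ("EC_HOME_LOCATION", "Trackor Type"): {"READ", "EDIT", "ADD", "DELETE"},
    ("EC_HOME_LOCATION", "Configured Tab"): {"READ", "EDIT"},
    ("EC_HOME_LOCATION", "Relation"): {"READ", "EDIT", "ADD"},
}

def review(expected, configured):
    """Compare configured checkboxes with the intended matrix.

    Returns (security_group, kind, privileges) findings; kind is 'excess'
    (more access than intended) or 'missing' (less than intended). A group
    absent from either side is treated as no boxes checked, i.e. no access.
    """
    findings = []
    for group in sorted(set(expected) | set(configured)):
        want = effective(expected.get(group, ()))
        have = effective(configured.get(group, ()))
        if have - want:
            findings.append((group, "excess", sorted(have - want)))
        if want - have:
            findings.append((group, "missing", sorted(want - have)))
    return findings

# Constructed sample of selections recorded from the Security Groups tab.
CONFIGURED = {
    ("EC_HOME_LOCATION", "Trackor Type"): {"READ", "EDIT", "ADD", "DELETE"},
    ("EC_HOME_LOCATION", "Configured Tab"): {"READ", "EDIT", "NONE"},     # stray None box
    ("EC_HOME_LOCATION", "Relation"): {"READ", "EDIT", "ADD", "DELETE"},  # Delete not intended
}

if __name__ == "__main__":
    for (name, sg_type), kind, privs in review(EXPECTED, CONFIGURED):
        print(f"{name} [{sg_type}]: {kind} {', '.join(privs)}")
```

Each finding maps to a "Login As" test: an "excess" entry is an action the test user should be refused, and a "missing" entry is an action the test user should be able to perform.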

 

Now that the “Equipment Supervisor” role is complete, we can use the “Clone” function to copy this Security Role and rename it. Once the copied role is created, reduce the permissions to reflect the needed user experience of the new Security Role.

Note: “Cloning” a Security Role allows permissions to be copied. In many cases, it is faster and easier to simply reduce permissions from a copied role rather than creating a new role from scratch (as demonstrated in the previous segment). Be thoughtful when Cloning a role. What is the best existing Security Role to Clone from when considering your vision for your NEW Security Role?

Let’s create the “Equipment Manager” Security Role, which has similar but fewer permissions than the “Equipment Supervisor”, using this process.

Build a Security Role from a Clone of “Equipment Manager”

1

Video:

Select an existing Security Role to copy and rename.

Once created, adjust Security Group permissions and other details to set the permissions as appropriate for this role.

 

2

Note: Like any new Security Role, after you have initially configured the Cloned Role, conduct testing using the “Login As” feature. Ensure the user experience meets expectations and permissions are properly assigned.

Additional Customization

Remember to review and create Menus and Views & Filters by role type.

Continue Training

https://onevizion.atlassian.net/wiki/spaces/USER/pages/3068264765