IWMS Roles & Security Recommendations


Prepared for: [CLIENT NAME]

Prepared by: Robert Stephen Consulting, LLC

Contents

IWMS Security Roles Background Recommendations

Introduction

Background Information

Roles

Audiences

Assigning Processes to Roles

Security Groups

Security Group Levels

Users

User Sync

Manual Users

Assigning Roles to Users

Assigning Processes to Users

Introduction

This report is intended to assist [CLIENT NAME] and RSC during the implementation process of the IWMS System by providing recommendations and guidance for populating the IWMS security and roles data. [CLIENT NAME] should provide as much direction as possible and deliver existing standards to RSC for incorporation. RSC’s recommendations are based on previous successes and best practices. The recommendations may be altered to best fit the needs of [CLIENT NAME]. A sign-off of these recommendations will be required to provide the best possible standard to adhere to.

Background Information

Background information is required to provide a smooth implementation of an IWMS system. This information is the backbone of good reporting and, if researched and implemented correctly, can provide years, if not decades, of useful Facilities information. Understanding the desired reports and information necessary to accomplish your facilities goals is the basis for solid decisions surrounding the population of background information.

The following is an outline of some of the recommendations for [CLIENT NAME].

Roles

Archibus is a role-based application, where users are assigned a role that gives them access to the parts of the application necessary for their job. From a security standpoint, roles define how the users are able to view and edit information about your organization. This allows organizations to quickly assign access to sets of users who have the same job or role all at once.

Audiences

When creating roles, consider your main audiences, which determine what level of reporting and insight the users need into the application. Usual audiences are C-Level, Manager, Individual Contributor, and Staff at Large.

| Audience | Access |
| --- | --- |
| C and V Level | High Level Dashboards |
| Manager and Director | Mid-Level Reporting and Data Editing |
| Individual Contributor | Data Editing |
| Staff at Large | Data Lookup and Requesting |

Assigning Processes to Roles

Within these roles, particularly individual contributor, you will want to consider the types of work that are done based on the modules your organization is using within Archibus. For example, Maintenance, Moves, Drawing Management, and Real Estate may need separate roles that have different processes assigned to them. Individual contributors for Space and Moves are often referred to as “Space Captains” and for Maintenance are often referred to as “Craftspeople”, but you should use the terms recognized by your organization.

Processes are the groups of views and reports that can be assigned together. Archibus supplies these views, reports, and processes out of the box, but, like everything else in Archibus, they can be edited to fit your organization’s needs.

Security Groups

Security groups are a setting that determines which Archibus information a user can access. Security groups can control the tasks that a user can see, the database fields a user can view and edit, and the actions that a user can take on a view. For example, you can establish that only users in the Finance security group can view and edit the fields in the Employees table holding salary data, only users in the Finance security group have access to the Analyze Finances process of the Maintenance domain, only certain users have edit privileges for the Space Console, and so on. The Archibus system also uses security groups to control the groups that can review documents of the document library; that is to say, the Archibus Security Users table validates the Document Review Group field.

Establishing a Privacy Policy

If you are in a jurisdiction that has restrictions on stored personal information, you will need to review this when considering what information you can bring into Archibus. Restrictions are usually related to social security number, home phone number, home address, home zip code and IP address. This information is not required to use Archibus, nor does Archibus have forms to collect any of this information out of the box. If this information is required for your telecommunications or emergency preparedness data, please review the relevant laws and your company’s privacy rules before bringing that information into Archibus, and consider posting a privacy policy for employees and contractors to sign.

Please advise RSC of any such policies so that secure data is viewable only by the appropriate role, and do not bring personal data that is not required into Archibus.

Security Group Levels

The two types of security groups, edit rights and view rights, are set at the field level in Archibus. If your security policy determines, for example, that only the real estate team should see the tenant name for leased buildings, you can create and assign a view security group for that field. Security groups can then be assigned to the role, or to individual users who need access.

Recommendations

Please discuss with RSC the type of data you wish to have in Archibus and the security concerns you have, as our recommendations are very dependent on the organization and the data. If you do not have major concerns over particular data fields, our recommendation is to control access through roles primarily instead of adding security groups. Security groups can always be implemented later in the deployment.

VPA

The Virtual Private Archibus (VPA) restriction allows you to partition your data so that users can only see or edit data that is relevant to them. This is especially useful in large organizations that want to only see the data related to their region of the globe, or organizations where each department runs independently and should not edit what belongs to another department (for example, equipment management).

There are many options for implementing VPA. Please discuss your needs with RSC to see if this is an option that would be useful in your organization. Restrictions can follow almost any logic and are assigned at the role level, but even those restrictions can look at the employee information to restrict to that employee (for example, each employee is restricted to their own department).

Users

User Sync

RSC recommends creating a user sync to accompany the employee sync so that user records do not need to be manually created with a staff-at-large role and linked to the employee records. User records in Archibus are linked to the employee record through the email address. If your organization uses Single Sign-On (SSO), all users can have access to Archibus automatically without any further setup, and will only need to be assigned a role manually if they require additional access. If your organization does not use SSO, then you will need to assign users their passwords when they need access. The user record will be removed automatically when the employee record is archived after their departure.

Manual Users

If you need additional users added to Archibus who are not in your employee source data, they can be added manually. This is a common way to add vendors to the database. RSC will supply you with an Archibus view to add these users and their corresponding employee records. RSC uses a sync mode field as part of the employee sync to determine whether a user should be removed if they are not found in the employee source; by setting that field to “no update”, you tell the sync to ignore the record. When a manual user departs, simply set their employee and user records to “update” and the sync will archive them like any other record.

Assigning Roles to Users

After an employee starts, users with admin access can assign them an appropriate role. Alternatively, if you have a particular department or employee title that you know should receive a specific Archibus role, that can also be added automatically within the user sync configuration.
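
The sync behaviour described under User Sync, Manual Users and Assigning Roles to Users, as an added example that is not Archibus or RSC code: it plans one sync run and separates the records the sync will archive from the “no update” records it will skip. The record fields, the department-to-role rule and the sample data are assumptions made for illustration.

```python
# Added illustration, not Archibus or RSC code. Field names, the department
# rule and the sample records below are constructed assumptions.
from dataclasses import dataclass

DEFAULT_ROLE = "REQUESTOR"  # staff-at-large role named in the questionnaire
ROLE_BY_DEPARTMENT = {"FACILITIES": "SPACE CAPTAIN"}  # hypothetical auto-assign rule

@dataclass
class User:
    email: str
    role: str
    sync_mode: str = "update"  # "update" or "no update"

def norm(email):
    # Users link to employees by email, so compare case-insensitively.
    return email.strip().lower()

def plan_sync(source, users):
    """Return (create, archive, exempt) for one sync run.

    source: employee feed rows, dicts with 'email' and 'department'.
    users:  User records currently in the application.
    """
    src = {norm(r["email"]): r for r in source}
    have = {norm(u.email): u for u in users}
    # New employees get a user record with the mapped or default role.
    create = [User(e, ROLE_BY_DEPARTMENT.get(r["department"], DEFAULT_ROLE))
              for e, r in sorted(src.items()) if e not in have]
    archive, exempt = [], []
    for e, u in sorted(have.items()):
        if e in src:
            continue  # still in the feed: keep the role an admin assigned
        # Missing from the feed: archive, unless the record is marked "no update".
        (exempt if u.sync_mode == "no update" else archive).append(e)
    return create, archive, exempt

# Constructed sample data.
SAMPLE_SOURCE = [{"email": "Ana@Example.com", "department": "FACILITIES"},
                 {"email": "bo@example.com", "department": "HR"}]
SAMPLE_USERS = [User("bo@example.com", "MANAGER"),
                User("cy@example.com", "REQUESTOR"),
                User("vendor@example.net", "REQUESTOR", "no update")]

if __name__ == "__main__":
    create, archive, exempt = plan_sync(SAMPLE_SOURCE, SAMPLE_USERS)
    print("create:", create)
    print("archive:", archive)
    print("exempt from sync, review manually:", exempt)
```

The exempt list holds the accounts that leave only when someone sets them back to “update”, so it is the list to review on a schedule.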

Assigning Processes to Users

Each user can only have one role assigned to them, but at the user level you can also assign additional processes to give particular users extra access. This allows for additional flexibility within the application.

Roles and Security Questionnaire

This questionnaire is intended to guide you to create roles for your Archibus installation.

To get started:

  1. Add all the modules you will be implementing under the “access” column.
  2. Do you have specific secure data fields? If yes, then add a security groups column and add the field name and ‘view’ or ‘edit’ to the roles that should have access.
  3. Do you have specific needs to partition your data? If yes, then add a VPA column and describe those needs by role.
  4. Start by adding a role for each audience and check the boxes next to the modules they need access to in their capacity.
  5. Add additional roles where more than one is required for an audience. A common one is a drafter added as a separate individual contributor.

Remember your audiences:

Example: If you are staff at large and select space inventory you will just have access to look up building locations and floorplans.

| Audience | Access |
| --- | --- |
| C-Level | High Level Reporting |
| Manager | Mid-Level Reporting and Data Editing |
| Individual Contributor | Data Editing |
| Staff at Large | Data Lookup and Requesting |

Questionnaire:

| Audience | Role | Access | Security Groups | VPA |
| --- | --- | --- | --- | --- |
| C-Level | C-LEVEL | ☒Space Inventory; ☒Personnel and Occupancy; ☒Space Chargeback; ☒Move Management; ☒Reservations; ☒Hoteling; ☒AutoCAD | | |
| Manager | MANAGER | ☒Space Inventory; ☒Personnel and Occupancy; ☒Space Chargeback; ☒Move Management; ☒Reservations; ☒Hoteling; ☒AutoCAD | | |
| Individual Contributor | SPACE CAPTAIN | ☒Space Inventory; ☒Personnel and Occupancy; ☒Space Chargeback; ☒Move Management; ☒Reservations; ☒Hoteling; ☒AutoCAD | | |
| Staff at Large | REQUESTOR | ☒Space Inventory; ☒Personnel and Occupancy; ☒Space Chargeback; ☒Move Management; ☒Reservations; ☒Hoteling; ☒AutoCAD | | |
