When configuring user roles, follow the principle of least privilege: user admins should assign new users only the privileges they need to operate within their role. The following use cases provide guidance for assigning common roles. For a more comprehensive overview of the privileges afforded to each role, see the tables in Appendix A.
System Integrator
Use the following list to determine what kind of roles a System Integrator requires in different scenarios.
- If the user manages all the devices in an organization, they need the Device Admin role.
- If the user can view all the devices in an organization but not delete them, they need the Device Op role.
- If the user can only view some of the devices in an organization, they need neither the Device Admin nor the Device Op role. Instead, use access groups to configure their specific permissions.
- If the user can access Desigo Optic remotely, they need the Remote Op, Remote Admin, or Remote Super User role.
  - A user who can modify Desigo Optic needs the Remote Admin role.
  - A user who is working with existing graphics and changing set points needs the Remote Op role.
  - A user who requires administrative access needs the Remote Super User role.
- If the user manages access for other users in the organization, they need the User Admin role.
- If the user is only viewing or referencing other users, they need the User Op role.
- If the user is configuring other users in access groups, they need the User Op role.
- If the user wants to create sub-organizations for building owners, they need the OrgAdmin role.
Company Administrator
Use the following list to determine what kind of roles a Company Administrator needs in different scenarios:
- If the user can manage other users in an organization but cannot manage buildings or devices, they need the User Admin role.
- If the user needs to view users in the system but does not need to add or delete them, they need the User Op role.
NOTE: Only users with the User Op or User Admin roles can view the organization's audit log.
- If the user needs to view all devices in the building, their project, and their site information, they need the Device Op role.
- If the user needs to view sub-organization details, they need the Organization Op role.
Building Owner
Building owners can access site graphics and change set points, but they cannot view any buildings they do not own or engineer the system. Building owners need the Remote Op role. Use access groups to configure a Building Owner's privileges.
Access Groups
Access groups provide further control over access authorization, limiting users to a specific subset of devices or sites.
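The use cases above can be turned into a periodic least-privilege review of role assignments. The following is an added example, not part of the product or its documentation: the role names come from this page, while the task names, the record layout, and the assumption that a higher role in a family covers the lower one are hypothetical.

```python
# Added example: least-privilege audit of role assignments (constructed data).
# Assumption: within a family, a role later in the list covers the earlier ones.
FAMILIES = {
    "device": ["Device Op", "Device Admin"],
    "user": ["User Op", "User Admin"],
    "remote": ["Remote Op", "Remote Admin", "Remote Super User"],
}

# Hypothetical task names mapped to the minimum role named in the use cases.
MIN_ROLE = {
    "view_devices": "Device Op",
    "manage_devices": "Device Admin",
    "view_users": "User Op",
    "configure_access_groups": "User Op",
    "manage_users": "User Admin",
    "change_set_points": "Remote Op",
    "modify_desigo_optic": "Remote Admin",
    "remote_administration": "Remote Super User",
}

def required_roles(tasks, all_devices=True):
    """Return the minimal set of roles that covers the given tasks."""
    need = {}
    for task in tasks:
        role = MIN_ROLE[task]
        fam = next(f for f, roles in FAMILIES.items() if role in roles)
        # Partial device scope: neither Device role; use access groups instead.
        if fam == "device" and not all_devices:
            continue
        rank = FAMILIES[fam].index(role)
        need[fam] = max(need.get(fam, -1), rank)
    return {FAMILIES[f][r] for f, r in need.items()}

def audit(user):
    """Return (excess, missing) role lists for one user record."""
    needed = required_roles(user["tasks"], user.get("all_devices", True))
    assigned = set(user["roles"])
    return sorted(assigned - needed), sorted(needed - assigned)

# Constructed sample records, not exported from a real organization.
USERS = [
    {"name": "integrator", "roles": ["Device Admin", "Remote Admin"],
     "tasks": ["view_devices", "modify_desigo_optic", "change_set_points"]},
    {"name": "owner", "roles": ["Remote Op", "Device Op"],
     "tasks": ["change_set_points", "view_devices"], "all_devices": False},
]

REPORT = {u["name"]: audit(u) for u in USERS}
```

In REPORT, an entry with a non-empty first list holds roles that can be removed or downgraded; for the constructed building owner, Device Op is flagged because device visibility limited to owned sites belongs in an access group.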