AX1815

Web Security Manager

Using the Security Manager in the Web Client, you can assign users to subsystems and roles. This feature provides a browser-based, easy-to-use interface for managing role and subsystem assignments.

Example Security Manager in the Web Client

In Axiom security, subsystems and roles are used as follows:

• Subsystems are used to organize a system into certain "areas" of access. Axiom product suites use subsystems to define security boundaries by product, such as Capital Planning and Budgeting. Custom systems can optionally use subsystems to define security boundaries by any categorization, such as by facility.

• Roles are used to assign permissions to users. You can define permissions on a role, and then all users assigned to that role inherit the permissions. Roles can be associated with a particular subsystem, or they can be "global" roles.

NOTE: The functionality of this page is limited to assigning users to subsystems and roles. This page does not support creating or deleting users, roles, or subsystems, nor does it support editing security permissions. For full security functionality, you must use the security features of the Desktop Client.

To access the web Security Manager:

1. In the Web Client, click the Syntellis icon in the Navigation bar. From the Area menu, select System Administration.

   

2. From the Navigation menu, select Tools > Security Manager.

   

   NOTE: The Security Manager is only available to administrators, subsystem administrators, and users with the Administer Security permission.

Security Manager overview

The left-hand pane of the Security Manager displays the users in your system. Once you have selected a user, that user's subsystem and role assignments display in the right-hand pane. You can use the right-hand pane to add, edit, or remove assignments.

To find users for which you want to manage assignments, you can do the following:

• View only enabled users: Select Show Enabled Users Only to hide disabled user accounts. To view all users again, clear this check box.

  

• View users in a specific subsystem: To filter the user list by subsystem, select a subsystem from the Subsystem drop-down list. The page updates to only show users that are assigned to the selected subsystem. To show all users again, select Show All from the Subsystem drop-down list.

  

  NOTE: If your system does not use the subsystem feature, then this option is not present.

• Find a specific user: Type into the search box and then press the Enter key to find a specific user. The user's first name, last name, and email address are considered for the search. To show all users again, clear the search text and press the Enter key.

  

The user list shows 100 users per page. You can use the page controls at the bottom of the list to move to specific pages in the list.

IMPORTANT: If you make any changes in the Security Manager, you must click the Save button at the top of the page in order to commit those changes. Any changes that are not explicitly saved will be lost when you navigate away from the page or close the browser tab. Note that the page does not prompt you about unsaved changes when you attempt to leave the page.

Managing subsystem assignments for a user

Use the Subsystem Assignments section in the right-hand pane to assign the selected user to one or more subsystems, or to remove a subsystem assignment. Once a user is assigned to a subsystem, you can edit that assignment to add or remove roles in the subsystem.

NOTE: If your system does not use subsystems, then this section does not apply and is not present on the page.

To assign a user to one or more subsystems and subsystem roles:

1. In the left-hand pane of the Security Manager, select the user. You can use the features described in the previous section to find the user that you want to work with.

   Once a user has been selected, that user's current role and subsystem assignments display in the right-hand pane. In the following example, the user does not yet belong to any subsystems.

   

   In the Subsystem Assignments section, click Add User to Subsystems.

2. In the Add To Subsystem dialog, select the toggle switch next to the subsystems that you want the user to be assigned to, then click OK. If the toggle switch shows green, the user will be assigned to that subsystem.

   

   If the user already belongs to one or more subsystems, those subsystems show with a gray check mark next to the subsystem name. You can only add the user to subsystems that they do not already belong to. This dialog cannot be used to remove subsystem assignments.

   After you click OK, the selected subsystems now display in the Subsystem Assignments section. You can now edit these assignments as needed to add subsystem roles.

   

3. Click the pencil icon for the subsystem where you want to add role assignments.

4. In the Manage Subsystem Roles dialog, select the toggle switches next to the roles that you want the user to be assigned to, then click OK. If the toggle switch shows green, the user will be assigned to that subsystem.

   This dialog displays all roles that are associated with the selected subsystem.

   

   After you click OK, the subsystem assignment updates to show the assigned subsystem roles for the user.

   

5. Click Save to commit the subsystem and role assignments. Changes to this page are not committed until they are saved.

Once a user has been assigned to a subsystem and subsystem roles, you can later modify the role assignments, or you can remove the user from the subsystem as needed.

• To modify subsystem role assignments: Click the pencil icon on the subsystem to open the Manage Subsystem Roles dialog, then use the toggle switches to add or remove role assignments as needed.

• To remove a user from a subsystem: Click the trash can icon on the subsystem to remove the user from the subsystem. The user will also be automatically removed from all of the subsystem's roles.

Remember to click the Save button after making any modifications to subsystem and subsystem role assignments.

Managing global role assignments for a user

Use the Global Role Assignments section in the right-hand pane to assign the selected user to one or more global roles, or to remove a role assignment. Global roles are roles that are not associated with a subsystem.

NOTE: If your system does not use subsystems, then the word "global" does not display on this section, because there is no need to differentiate between global roles and subsystem roles.

To assign a user to one or more global roles:

1. In the left-hand pane of the Security Manager, select the user. You can use the features described previously to find the user that you want to work with.

   Once a user has been selected, that user's current role and subsystem assignments display in the right-hand pane. In the following example, the user does not belong to any global roles.

   

2. In the Global Role Assignments section, click Add User to Global Role.

   If your system does not use subsystems, then the section is titled Role Assignments and the action is Add User to Role.

3. In the Add Global Role dialog, select the toggle switch next to the roles that you want the user to be assigned to, then click OK. If the toggle switch shows green, the user will be assigned to that role.

   If your system does not use subsystems, then this dialog is titled Add Role.

   

   If the user already belongs to one or more roles, those roles show with a gray check mark next to the role name. You can only add the user to roles that they do not already belong to. This dialog cannot be used to remove role assignments.

   After you click OK, the selected roles now display in the Global Role Assignments section.

   

4. Click Save to commit the role assignments. Changes to this page are not committed until they are saved.

To remove a user from a global role:

• Click the trash can icon on the role assignment. Remember to click Save after making any changes.

Limitations for subsystem administrators

If you are a subsystem administrator, the Security Manager page has some limitations. These limitations are consistent with the behavior of the Security Management dialog in the Desktop Client.

• The user list is limited to only showing users that belong to one of the subsystems that you administer.
• The subsystem list is limited to only showing subsystems that you administer. This applies to the Subsystem filter and the Add To Subsystem dialog.

This means that as a subsystem administrator, you are limited to managing users that already belong to one of the subsystems that you administer. If a user does not belong to any subsystems, or if a user belongs to a subsystem that you do not administer, then that user will not display in the web Security Manager. In this case, if the user needs to be assigned to your subsystem, a system administrator or a user with the Administer Security permission must make this assignment.