User group
User groups are configured with a set of granted permissions. These permissions control which operations a User who belongs to the group is allowed to perform.
In an iCore system, every User belongs to at least one User group.
Properties
Name | Type | Description |
---|---|---|
Name | String | The unique name of the User group. |
Description | String | A brief description of the User group. |
ID | Guid | The unique identifier of the User group (generated by the system). |
System internal | Boolean | Specifies whether the entity is a built-in system entity (True) or a customized application entity created to meet the requirements of the business flows (False). A system entity is read-only and cannot be deleted since it may be used by system script(s). New system entities can only be added by certified iCore personnel. |
Azure AD group identifier | String | The unique identifier of an Azure AD group. |
Modified | DateTime | The date and time when the User group was last modified. Automatically generated by the system. |
Created | DateTime | The date and time when the User group was created. Automatically generated by the system. |
Default User Groups
The following User groups are created by default in a new iCore system. The default groups can be modified or deleted, and new User groups can be created.
User group | Authorization |
---|---|
Viewer | Members of this group can view tracking entities (Events, Logs, Jobs and Nodes) via the iCore Administrator tool. |
User | Members of this group can view most entities and also create Events. |
Administrator | Members of this group have full system administration rights. |
Developer | Members of this group have full system administration rights, and are also authorized to manage Scripts and to use iCore Developer (iCore Developer requires a license). |
Security administrator | Members of this group have full system security administration rights. |
Permissions
Permissions control which operations the Users that belong to the User group are allowed to perform. The following tables contain an overview of all available permissions and how they are assigned to the default User groups in a new iCore system.
Entities
Permissions related to entity management.
Abbreviations used for entity permissions: C = Create, R = Read, U = Update (Edit), D = Delete, - = not assigned, * = not available
Entity / User group | Developer | Administrator | User | Viewer |
---|---|---|---|---|
Adapterflow | C R U D | C R U D | - R - - | - - - - |
Application pool | C R U D | C R U D | - R - - | - - - - |
Attached machine | C R U D | C R U D | - - - - | - - - - |
Category | C R U D | C R U D | - R - - | - R - - |
Component configuration | C R U D | C R U D | - R - - | - - - - |
Counter | C R U D | C R U D | - R - - | - - - - |
Cross-reference | C R U D | C R U D | C R U D | - - - - |
Events and Jobs | C R - D | C R - D | C R - D | - R - - |
Event configuration | C R U D | C R U D | - R - - | - - - - |
Event definition | C R U D | C R U D | - - - - | - - - - |
Filters | C R U D | C R U D | - R - - | - R - - |
Imported assembly | C R U D | - R - - | - - - - | - - - - |
Log | - R - - | - R - - | - R - - | - R - - |
Node | C R U D | C R U D | - R - - | - R - - |
Node attribute | C R U D | C R U D | - - - - | - - - - |
Node type | C R U D | C R U D | - - - - | - - - - |
Node type version | C R U D | C R U D | - - - - | - - - - |
Partner | C R U D | C R U D | - R - - | - - - - |
Partner attribute | C R U D | C R U D | - - - - | - - - - |
Script | C R U D | - - - - | - - - - | - - - - |
Server | C R U D | C R U D | - R - - | - - - - |
Setting | C R U D | C R U D | - R - - | - - - - |
Setting attribute | C R U D | C R U D | - - - - | - - - - |
System Monitor | - R - - | - R - - | - R - - | - - - - |
System queues | - R - D | - - - - | - - - - | - - - - |
Timer | C R U D | C R U D | - R - - | - - - - |
User | C R U D | C R U D | - R - - | - - - - |
User group | - R - - | C R U D | - - - - | - - - - |
Web API | C R U D | - R - - | - - - - | - - - - |
Web service client 1 | C R * D | - R * - | - - * - | - - * - |
Workflow | C R U D | - R - - | - - - - | - - - - |
Auditing
Permissions related to auditing.
Abbreviations used for auditing permissions: R = Read, U = Update (Edit), - = not assigned, * = not available
Permission / User group | Security administrator | Developer | Administrator | User | Viewer |
---|---|---|---|---|---|
Audit configuration | - - | - - | R U | - - | - - |
Audit log | - * | - * | R * | - * | - * |
System settings
Permissions related to system settings.
Abbreviations used for system setting permissions: R = Read, U = Update (Edit)
Permission / User group | Security administrator | Developer | Administrator | User | Viewer |
---|---|---|---|---|---|
System settings | - - | - U | - - | ||
Advanced system settings | - - | R U | - - | ||
Authentication provider configuration | - - | - - | R U |
Special permissions
Permission / User group | Security administrator | Developer | Administrator | User | Viewer | User in User group with permission can |
---|---|---|---|---|---|---|
Purge deleted User | Yes | Yes | Permanently delete User. | |||
Start/stop | Yes | Yes | Yes | Start and stop server. | ||
Execute Component | Yes | Execute a Component in the Run Component tool (regardless of other permissions). | ||||
Read Node data | Yes | Yes | Yes | Yes | ||
Edit Node data | Yes | Yes | ||||
Import | Yes | Yes | Import any entity to an iCore system (regardless of other permissions). For more information, see Remarks. | |||
Export | Yes | Yes | Export any entity from an iCore system (regardless of other permissions). For more information, see Remarks. | |||
Edit tracking page | Yes | Yes | Edit tracking page in an iCore system (regardless of other permissions). | |||
Upgrade | Yes | Yes | Upgrade an iCore system (regardless of other permissions). For more information, see Remarks. | |||
Set default filter | Yes | Yes | Set default filter in an iCore system (regardless of other permissions). | |||
Attach/detach | Yes | Yes | Attach or detach an iCore system (regardless of other permissions). | |||
Protected data access | Yes | View or update the values of a protected entity. | ||||
Modify protectable | Yes | Modify the Protected property of a protectable entity. This permission implies permission "Protected data access". | ||||
System protection | Yes | Update the Data protection settings of an iCore system. | ||||
User password policy | Yes | Modify the User password policy of the system. | ||||
Release other users lock | Yes | Release a Component definition lock created by any User. |
Remarks
When you upgrade an existing iCore system:
- "Read Node data" and "Edit Node data" permissions are granted according to the table.
- The other special permissions will be granted to all existing User groups.
The basic rule is that importing or exporting an entity requires the User to have full CRUD permissions on the entity in question. However, you can use the Import and Export permissions to "override" the permissions the User has on the entity. Doing so can be useful, for example, in a scenario where a User in a support role needs to be able to import entities (e.g. as part of deploying integrations to an iCore system) without being granted the permission to edit the entities themselves.
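The following added example (not iCore code or an iCore API) models the import/export rule and the upgrade remark above, so that a reviewer can list which group/entity pairs can import only because of the special permission. It assumes "full CRUD" is read literally as all four letters, and the `UPGRADED` mapping is constructed to represent a system where every existing group holds Import and Export after an upgrade.

```python
# Added example: a model of the Remarks rule, not product code.
# Rows are copied from the "Entities" table on this page.
ENTITY_TABLE = """\
Entity / User group | Developer | Administrator | User | Viewer
Cross-reference | C R U D | C R U D | C R U D | - - - -
Events and Jobs | C R - D | C R - D | C R - D | - R - -
Script | C R U D | - - - - | - - - - | - - - -
Workflow | C R U D | - R - - | - - - - | - - - -
"""
FULL_CRUD = frozenset("CRUD")
GROUPS = ("Developer", "Administrator", "User", "Viewer")
# Constructed state: after an upgrade the special permissions are granted
# to all existing User groups (see the Remarks).
UPGRADED = {group: {"Import", "Export"} for group in GROUPS}


def parse_entity_table(text):
    """Return {entity: {group: frozenset of granted letters}}."""
    header, *rows = [line for line in text.splitlines() if line.strip()]
    groups = [cell.strip() for cell in header.split("|")][1:]
    table = {}
    for row in rows:
        entity, *cells = [cell.strip() for cell in row.split("|")]
        # "-" (not assigned) and "*" (not available) grant nothing.
        table[entity] = {g: frozenset(c.split()) & FULL_CRUD
                         for g, c in zip(groups, cells)}
    return table


def can_transfer(table, special, group, entity, operation):
    """Why `group` may Import/Export `entity`: "crud", "override" or None."""
    if table[entity].get(group, frozenset()) == FULL_CRUD:
        return "crud"        # basic rule: full CRUD on the entity
    if operation in special.get(group, ()):
        return "override"    # special permission, regardless of CRUD
    return None


def override_only(table, special, operation="Import"):
    """(group, entity) pairs that are reachable only through the override."""
    return sorted(
        (group, entity)
        for entity, perms in table.items()
        for group in perms
        if can_transfer(table, special, group, entity, operation) == "override"
    )
```

Running `override_only(parse_entity_table(ENTITY_TABLE), UPGRADED)` lists the pairs to review after an upgrade, for example Viewer on Script.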