Planning permissions
Tips for a maintainable structure
A well-planned permissions structure is easier to understand, reuse and adapt as your organisation grows. The Permissions Explorer gives you the flexibility to build one that fits your needs. The tips below will help you get there.
For bespoke advice on setting up permissions, contact Causeway Support.
Start with system groups
If your organisation is new to CausewayOne Asset Management, use the preconfigured system groups to get going. Add users to these groups to grant them access to the features they need, without any setup.
The system groups provide two access levels: Viewers (read) and Managers (create, read, edit, delete). As you grow, you can create custom groups with levels in between.
For example, an Editors group that lets users read and edit items, but not create or delete them.
Custom groups also let you narrow the scope of access. As your organisation develops its own designs and interfaces, you can create variations for each of your asset or activity types.
For example, replace the broad Defect Managers group with focused ones like Bollard Defect Managers and Postbox Defect Managers.
Use interfaces to target many designs
Set permissions on an interface to apply them to every design that implements it. This keeps access consistent across related designs as you add more. You can still grant extra permissions on individual designs where needed.
For example, grant an Asset Viewers group read access to the Asset Heads interface, implemented by all asset designs.
See Set DoDI permissions for how design and interface permissions combine.
Link attributes often store items of other designs/interfaces. Make sure groups can access those too, or the linked items won't load.
Hide sensitive data
You may want a group to access items while hiding sensitive attributes.
-
To hide attributes for all items of a design/interface, set their permission to No access. See Set DoDI permissions.
-
To restrict access to specific items based on their data, use access policies.
For example, let a contractor group view jobs but hide the Actual Cost attribute. Then use an access policy so they only see jobs for their team.
Item forms can also hide attributes, and you can grant different forms to different groups. However, this only affects how data is displayed, not who can access it. For genuine restriction, use permissions and access policies.
Recommended approach
For a new permissions setup:
-
Identify the job roles in your organisation, e.g. Highways Inspector, Waste Operative, Street Light Engineer.
-
Identify the permission groups needed for each role. Keep each group small and focused on one set of related permissions. This makes them easy to understand, audit and reuse across multiple roles, e.g. update highway assets, view waste routes, perform street light jobs.
-
Create groups first and set their permissions.
-
Create roles next and link the necessary groups to each.
-
Assign users to roles instead of multiple groups. Roles are easier to maintain as access requirements change over time.