Appendix 3: AMS Security Permissions

At a high level, here are securities or permissions that need to be considered when setting up a user:

IMPORTANT: User refers to a fully functional employee that has a login and uses Cityworks. Employees can be added to the system that may be used to track costs or history, but who do not have a login and do not interact with Cityworks.

NOTE: Any pages on the Home page > PLL tab are used to configure Cityworks PLL and are not related to Cityworks AMS.

• Needs to be assigned a license to use certain apps (see Licensing Fields to see which apps require a license)
• Needs to be assigned to a plugin to easily select the plugin they want to work in from the Landing Page after logging in
• Needs to be assigned to a GIS Service Definition to use the map (can be assigned by user, group, or domain)
• Needs to be assigned to a Domain, which is the only way to associate a large number of users to asset groups
• Needs to be assigned to a Group to designate what level they can interact with the GIS (for example, highest permission would be able to edit asset attributes)
• Needs to be assigned to a Group that is assigned security rights to work activity templates to View/Add/Edit/Delete work activities in Respond.
• If this is not assigned, the Template drop-down list is empty in Respond for services requests, inspections, or work orders
• Also needs permissions given in Employee Relates or Employees to Create/Cancel/Close/Edit After Close work activities in Respond
• If a user is associated with a Group that has the Add permission on a service request/inspection/work order template, but doesn’t have the individual Create permission assigned, they are unable to add a work activity in Respond
• If they are a domain or Cityworks administrator, they must be assigned as such

Here is a graphic that illustrates the dynamic between domains, groups, and users:

For more a more in-depth analysis on domains, groups, and individual permissions or securities that need to be assigned and where they can be configured in Cityworks, continue reading:

Domains

A domain is a distinct group with shared work activities and resources. You may have a single domain or multiple domains depending on how your organization wants to organize security and access to information. Users can be assigned to more than one domain. Each domain has its own request templates, work order templates, employees, etc.

• Domain administrator(s) designated to configure the necessary settings for the domain should be assigned. See Add or Edit a Domain Administrator for more information.
• A user needs to be assigned a Domain on the Employees page > Details panel > General tab > Domains field to give them access to everything created for that domain. See Add or Edit an Employee for more information.

Places you can associate domains in Cityworks

Domains can be used to give an entire domain access to asset groups, service definitions, or plugin profiles.

• Employees
• You can associate a domain to a user. See Associate an Employee to Domains for more information.
• Asset Groups are a way to categorize asset types
• You need to associate a domain to an asset group. See Add or Edit an Asset Group for more information.
• Service Definitions aggregates multiple service resources, like map services, geocode services, geometry services, print tasks, and route tasks, together.
• You can associate a domain to a service definition. See Associate Domains, Groups, and Employees to a Service Definition for more information.
• Plugin Profiles: You can customize the user interface of apps you are licensed for using Style. Profiles are where your customizations for the plugin are stored. By selecting a Profile in the app (i.e., Respond), you can view the customizations (that were made using Style) for a specific group of users who are enabled to use that profile by defining them on the Plugins page in Admin.
• You can associate a domain to a plugin profile. See Define a Profile for more information.
• Preferences:
• Some preferences affect a domain and some affect all of Cityworks. See Configure Domain Preferences and Working in Multiple Domains for more information.
• Domains can be assigned a customized menu. See Customize Menus for more information.
• Domains can be assigned to custom map tools. See Define Map Tools for a Plugin for more information.
• Domains can be assigned queries for the mobile apps. See Add Queries To the Mobile Inbox for more information.
• In Crew Manager, domains can be assigned which crews they can view. See Crew Manager for more information.

Groups

Groups is used to define user groups for the domain and set the group's security for GIS rights. Users may belong to multiple groups. If a user belongs to multiple groups that have different security rights, the user is assigned the security rights with greatest access.

• A user needs to be assigned a group. See Groups for more information on each GIS right that can be selected for a group.

Places you can associate groups in Cityworks:

Groups can be used to give a group of users access to work activity templates, service definitions, or plugin profiles.

• Employees
• You can associate a group to a user. See Associate an Employee to Groups for more information.
• Service request, work order, and inspection template security: In order for a user to see, create, update, delete, view costs, and more on a template in Respond, they must be assigned to a group that has permissions to do so.

• You need to add groups to template security. See Configure Work Order Template Security, Configure Service Request Template Security, or Configure Custom Inspection Template Security

IMPORTANT: Standard inspections inherit the template security settings from the work order template they are created from.

• Service Definitions aggregates multiple service resources, like map services, geocode services, geometry services, print tasks, and route tasks, together.
• You can associate a group to a service definition. See Associate Domains, Groups, and Employees to a Service Definition for more information.
• Plugin Profiles: You can customize the user interface of apps you are licensed for using Style. Profiles are where your customizations for the plugin are stored. By selecting a profile in the app (i.e., Respond), you can view the customizations (that were made using Style) for a specific group of users who are enabled to use that profile by defining them on the Plugins page in Admin.
• You can associate a group to a plugin profile. See Define a Profile for more information.
• Groups can be assigned a customized menu. See Customize Menus for more information.
• In Crew Manager, groups can be assigned which crews they can view. See Crew Manager for more information.
• Groups can be assigned to custom map tools. See Define Map Tools for a Plugin for more information.
• Groups can be assigned queries for the mobile apps. See Add Queries To the Mobile Inbox for more information.

User

While some security and permissions can be given to large groups, some has to be done on an individual basis.

• Employees is used to add users or update their details
• Licenses must be assigned to users to access certain apps/plugins or functionality in Cityworks. See Assign Licensing to an Employee for more information.
• Assign users to drop-down lists or permissions to perform actions on work activities, see Assign Permissions to an Employee for more information.
• Groups can be assigned to a user on either the Groups page, or the Employees page. See Associate an Employee to Groups for more information on assigning a user to a group on the Employees page.
• Administrators is used to designate a user as a Cityworks administrator. They have rights to add and edit users, make changes on behalf of a domain or other users, manage roles and permissions, edit work management activities after they have been closed, and other administrative tasks. See Administrators for more information.
• Users can be designated as domain administrators to configure the necessary settings for the domain. See Add or Edit a Domain Administrator for more information.
• The Employee Relates page is used to populate the employee drop-down lists in Cityworks for certain employee fields on service requests, work orders, tasks, projects, inspections/tests, and/or Storeroom. Also, many permissions configurable in Employee Details > Permissions can be configured from the Employee Relates page. This allows the domain admin to assign user access to Cityworks functions quickly while managing multiple users.
• To assign users to drop-down lists, see Add Employees to Fields in Cityworks for more information.
• To assign users permissions to perform actions on work activities, see Assign Permissions to Employees.
• To assign users pages in Admin you want a non-admin to have access to, see Give Employees Access to Pages in Admin.
• Licensing allows you to track the number and type of users by designating which users have access to various parts of Cityworks.
• You can assign users to licenses on the Licensing page. See Assign Licensing for more information.
• Plugins
• You can add a plugin to a user’s landing page. See Associate Employees to a Plugin for more information.
• Service Definitions aggregates multiple service resources, like map services, geocode services, geometry services, print tasks, and route tasks, together.
• You can associate a user to a service definition. See Associate Domains, Groups, and Employees to a Service Definition for more information.
• Plugin Profiles: You can customize the user interface of apps you are licensed for using Style. Profiles are where your customizations for the plugin are stored. By selecting a Profile in the app (i.e., Respond), you can view the customizations (that were made using Style) for a specific group of users who are enabled to use that profile by defining them on the Plugins page in Admin.
• You can associate a user to a plugin profile. See Define a Profile for more information.
• Users can be assigned to custom map tools. See Define Map Tools for a Plugin for more information.
• Users can be assigned queries for the mobile apps. See Add Queries To the Mobile Inbox for more information.

Revoke Tokens

In case of an emergency or an inactive user, you can deactivate a user's token to log them out of Cityworks. See Deactivate a User for more information.

GIS Services

Each GIS Service Resource calls outside of the maps using the Security Type settings. See Configure Service Resource Security for more information.

Respond

There are additional preferences or permissions that may need to be assigned to set up a Respond user.

Permissions Assigned in the Respond App

• Permission to view or edit a dashboard can be assigned in Respond. See Add Permissions in the Respond 5.8 Guide for more information.
• Permissions to view, edit, or own a query in the Query Editor can be assigned in Respond. See Edit a Query, Share a Query, and Transfer Ownership of a Query in the Respond 5.8 Guide for more information.
• The menu can be customized to limit what pages a user can navigate to. See Customize Menus in the Respond 5.8 Guide for more information.
• Security rights to View, Add, Update, Delete, or View Cost can be assigned to users for an individual work order. See Add Security Rights in the Respond 5.8 Guide for more information.

OpX

There are additional preferences, permissions, and/or licenses that may need to be assigned to set up an OpX user.

IMPORTANT: To access Budget Admin, the user must be a domain administrator.

Preferences:

Projects and contracts must be enabled in Preferences.

• The Enable OpX Project Permissions preference in Admin must be turned on to enable projects. If the OpX permissions have not been enabled, users cannot view projects on the Home page. See Configure Global Preferences for more information.
• The Enable OpX Contract Permissions preference in Admin must be turned on to enable contracts. If the OpX permissions have not been enabled, users cannot view contracts on the Home page. See Configure Global Preferences for more information.

Licenses:

To assign permission for users to use projects, contracts, or budgets, an additional license to the OpX Web App license needs to be applied to the user.

• The OpX Web App and OpX Projects check boxes must be selected for individual users in Admin. If OpX Projects has not been selected, the user cannot view the Projects panel on the Home page. See Licensing for more information.
• The OpX Web App and OpX Contracts check boxes must be selected for individual users in Admin. If OpX Contracts has not been selected, the user cannot view the Contracts panel on the Home page. See Licensing for more information.
• The OpX Web App and OpX Budgets check boxes must be selected for individual users in Admin. If OpX Budgets has not been selected, the user cannot view the Budgets panel on the Home page. See Licensing for more information.

Permissions Assigned in the OpX App

• In the OpX app, permissions can be assigned to a user, group, or domain for a project or contract. See Permissions in the OpX 3.3 Guide for more information.
• The menu can be customized to limit what pages a user can navigate to. See Customize Menus in the OpX 3.3 Guide for more information.

Storeroom

There are additional preferences, and/or permissions that may need to be assigned to set up a Storeroom user.

IMPORTANT: The user must be a domain administrator to configure material, suppliers, or storeroom in Storeroom.

Preferences

• The Enable Storeroom preference in Admin must be turned on to enable Storeroom for your site. See Configure Global Preferences for more information.
• If you want to allow negative stock in Storeroom, the Allow Negative Stock in Storeroom preference must be turned on. See Configure Global Preferences for more information.

Domains

Security is established within each domain by the Storeroom domain administrator, who sets up the storerooms and Storeroom groups. Storeroom user are assigned to a group and each group is granted Storeroom permissions consistent with their responsibilities for issuing, receiving, auditing, and/or transferring materials within the specified storeroom(s).

• A Domain Admin needs to be assigned to a storeroom domain in Admin. Storeroom domains and storerooms are created in Admin as well. See Storeroom Functions in Admin in the Storeroom 3.2 Guide for more information.

Permissions Assigned in the Storeroom App

• Groups need to be created in Storeroom to assign permissions to issue, receive, transfer, audit material, and more security settings. See Groups in the Storeroom 3.2 Guide for more information.
• Permission to view or edit a dashboard can be assigned in Storeroom. See Add Permissions in the Storeroom 3.2 Guide for more information.
• Permissions to view, edit, or own a query in the Query Editor can be assigned in Storeroom. See Edit a Query, Share a Query, and Transfer Ownership of a Query in the Storeroom 3.2 Guide for more information.
• The menu can be customized to limit what pages a user can navigate to. See Customize Menus in the Storeroom 3.2 Guide for more information.