Users and Groups
This feature of the Asset Manager is only available if the logged-in user has the Administrator role.
The Asset Manager has a permission system that controls access to both the application's features and the data itself. This requires users and groups, which are managed within the Asset Manager's own database.
User accounts identify the individuals who are permitted to work with the Asset Manager (authentication). Groups grant or deny rights to their members (authorization). These rights relate either to the application's functionality or to working with data.
Rules of the Authorization Model
- There are two standard groups that cannot be deleted but can be renamed:
  - Asset Manager Users, ID: {00000000-0000-0000-0000-000000000000}
  - Asset Manager Administrators, ID: {ffffffff-ffff-ffff-ffff-ffffffffffff}
- Membership in the Asset Manager Users group is a prerequisite for logging in to Asset Manager at all. This also applies to members of the Asset Manager Administrators group. By default, members of the Asset Manager Users group have full access to all objects in the navigation tree until a different permission is assigned to them. They do not have permissions in the Backstage menu for:
  - Users and Groups
  - Constants
  - Translations
- Members of the Asset Manager Administrators group have full access to all areas; no further permissions are checked.
- As long as there are no entries in the __user table or there are no members of the Asset Manager Administrators group, all users are administrators (to resolve the chicken-and-egg problem).
- When a new user is created, they are automatically added to the Asset Manager Users group to ensure they can log in.
- Permissions are read when the application starts and remain in effect until the Asset Manager is restarted.
- Permissions are assigned at the group level and apply exclusively to the use of data. Possible permissions are:
  - Read-only (0): Data can be read.
  - Create/Update (1): Data can be read, created, or updated.
  - Full Control/Delete (2, default): Data can be read, created, updated, or deleted.
  - Access denied (256): An object is not visible (including all "child objects"). Access denied is the highest-level permission, which overrides all other permissions.
- Permissions within the navigation tree are not inherited, with the exception of “Access denied.”
- If a user belongs to multiple groups with different permissions, the permission with the highest value takes precedence.
- Users are always created in the format Domain\User or Computer\User.
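The rules above interact in ways that are easy to get wrong when reviewing a permission setup, so here is an added example (not Asset Manager code) that models them in Python: the bootstrap case with an empty __user table or no administrators, the Asset Manager Users prerequisite for logging in, the administrator bypass, the "highest value wins" rule across groups, and the fact that only Access denied is inherited down the navigation tree. The user names, the "maintenance" group, the node paths and the treatment of a node without an explicit assignment as Full Control (taken from the "default" label above) are assumptions made for the example; the order in which the product evaluates the bootstrap check and the Users prerequisite is not stated on the page and is assumed here.

```python
# Added example, not Asset Manager code: a model of the authorization rules listed above.
# User names, the "maintenance" group and the node paths are constructed for illustration.

READ_ONLY, CREATE_UPDATE, FULL_CONTROL, ACCESS_DENIED = 0, 1, 2, 256

# The two standard groups (ids as documented).
USERS_GROUP = "{00000000-0000-0000-0000-000000000000}"
ADMINS_GROUP = "{ffffffff-ffff-ffff-ffff-ffffffffffff}"


def group_permission(assignments, node_path):
    """Permission one group has on a navigation-tree node.

    assignments: {node_path_tuple: permission} for that group.
    Access denied is inherited by every child node; the other permissions are not,
    so only an explicit assignment on the node itself counts. A node without an
    assignment gets Full Control (assumption: the value marked as default above).
    """
    for depth in range(1, len(node_path) + 1):
        if assignments.get(node_path[:depth]) == ACCESS_DENIED:
            return ACCESS_DENIED
    return assignments.get(node_path, FULL_CONTROL)


def effective_permission(user, node_path, user_table, memberships, group_permissions):
    """Effective permission of `user` on `node_path`, or None if the user cannot log in.

    user_table: set of known users (the __user table)
    memberships: {user: set of group ids}
    group_permissions: {group id: {node_path_tuple: permission}}
    """
    # Bootstrap: no users, or no administrators, means everyone is an administrator.
    admins_exist = any(ADMINS_GROUP in memberships.get(u, ()) for u in user_table)
    if not user_table or not admins_exist:
        return FULL_CONTROL

    groups = memberships.get(user, set())
    # Membership in Asset Manager Users is required to log in, administrators included.
    if user not in user_table or USERS_GROUP not in groups:
        return None
    # Administrators get full access; no further permissions are checked.
    if ADMINS_GROUP in groups:
        return FULL_CONTROL
    # Several groups: the highest value wins, so one Access denied (256) overrides the rest.
    return max(group_permission(group_permissions.get(g, {}), node_path) for g in groups)


# Constructed sample data.
USER_TABLE = {"CORP\\alice", "CORP\\bob", "CORP\\carol", "CORP\\dave"}
MEMBERSHIPS = {
    "CORP\\alice": {USERS_GROUP},
    "CORP\\bob": {USERS_GROUP, ADMINS_GROUP},
    "CORP\\carol": {ADMINS_GROUP},              # administrator but not a user: cannot log in
    "CORP\\dave": {USERS_GROUP, "maintenance"},
}
GROUP_PERMISSIONS = {
    USERS_GROUP: {("Plants", "Plant A"): READ_ONLY},
    "maintenance": {
        ("Plants", "Plant A"): CREATE_UPDATE,
        ("Plants", "Plant B"): ACCESS_DENIED,
    },
}


def demo(user, node_path):
    return effective_permission(user, node_path, USER_TABLE, MEMBERSHIPS, GROUP_PERMISSIONS)


if __name__ == "__main__":
    for user, path in [
        ("CORP\\alice", ("Plants", "Plant A")),
        ("CORP\\alice", ("Plants", "Plant A", "Line 1")),  # Read-only is not inherited
        ("CORP\\dave", ("Plants", "Plant A")),
        ("CORP\\dave", ("Plants", "Plant B", "Line 3")),   # Access denied is inherited
        ("CORP\\bob", ("Plants", "Plant B", "Line 3")),
        ("CORP\\carol", ("Plants",)),
    ]:
        print(user, "/".join(path), "->", demo(user, path))
```

The two cases worth noting when auditing a configuration: alice is Read-only on "Plant A" but keeps the Full Control default on "Plant A/Line 1", because a restriction on a parent node is not inherited and must be assigned on every node that should be restricted; dave, by contrast, loses all visibility of "Plant B/Line 3" through a single Access denied on "Plant B" in one of his groups, regardless of what his other groups allow there.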
The following video shows how to...
- create, edit, and delete users.
- create, edit, and delete groups.
- edit group memberships.
Active Directory Integration
When using this form of integration, it is assumed that all involved components (Asset Manager Server and all Asset Manager Clients) are located within a Microsoft Windows domain with Active Directory.
In contrast to the description above, two local groups on the Asset Manager Server can also be used for user authentication. These groups are used to determine whether the requesting user belongs to the Asset Manager Users or Asset Manager Admins group. The following rules apply:
- If the user is a member of the local Asset Manager Admins group, they are an Asset Manager Administrator.
- If the user is a member of the local Asset Manager Users group, they are an Asset Manager User.
- If the user is a member of both groups, they are an Asset Manager Administrator.
- If the user is not a member of either group, access is denied.
To enable AD integration, the following section of the appsettings.json configuration file must be modified:
```json
[...]
{
  "ActiveDirectoryGroupSecurity": {
    "Enabled": true,
    "LocalAdminGroup": "Asset Manager Admins",
    "LocalUserGroup": "Asset Manager Users",
    "MaintenanceCronString": "0 0 * * *"
  }
[...]
```
- Enabled: Enables AD integration
- LocalAdminGroup: Name of the local admin group on the server
- LocalUserGroup: Name of the local user group on the server
- MaintenanceCronString: A cron string that specifies the interval at which internal Asset Manager users should be synchronized with the group memberships of the local groups. This ensures that only internal Asset Manager users who also exist in Active Directory are present. Additionally, the internal groups of Asset Manager Users and Asset Manager Admins are updated based on the group memberships.
Activating AD integration also changes the internal behavior of the Asset Manager. While internal Asset Manager users and groups can be managed within the application without integration, the integration automatically adjusts user memberships at runtime. As a result, the scope of user and group management functions changes as follows:
- Users cannot be added, edited, or deleted, as this is done automatically via the group memberships of the local groups.
- Memberships in the Asset Manager Users or Asset Manager Admins groups cannot be changed, as this is done automatically via the group memberships of the local groups.
In addition, the other internal Asset Manager groups (those other than Asset Manager Users and Asset Manager Admins) and their memberships can still be maintained within the application.
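To make the membership rules and the maintenance run concrete, here is an added example (not Asset Manager code) in Python. `classify` applies the four local-group rules to one user, and `synchronize` models what one run at the configured cron interval does to the internal user table and the two standard groups: users present in neither local group are removed, users found in the local groups are created, Asset Manager Users and Asset Manager Admins are rebuilt from the local memberships, and other internal groups keep their members except for users who were removed. The local group contents, the internal users and the "maintenance" group are constructed samples; the product's actual sync algorithm is not on the page, and pruning removed users from custom groups is an assumption.

```python
# Added example, not Asset Manager code: a model of the local-group rules and of the
# maintenance synchronization described above. All group members are constructed samples.

LOCAL_ADMIN_GROUP = "Asset Manager Admins"   # value of LocalAdminGroup in appsettings.json
LOCAL_USER_GROUP = "Asset Manager Users"     # value of LocalUserGroup in appsettings.json


def classify(user, local_groups):
    """Apply the four membership rules to one user.

    local_groups: {local group name: set of 'DOMAIN\\user' members}, i.e. what the
    server would read from its local groups (constructed here, not queried).
    """
    is_admin = user in local_groups.get(LOCAL_ADMIN_GROUP, set())
    is_user = user in local_groups.get(LOCAL_USER_GROUP, set())
    if is_admin:            # member of Admins, or of both groups
        return "administrator"
    if is_user:
        return "user"
    return "denied"         # member of neither group


def synchronize(internal_users, custom_memberships, local_groups):
    """One maintenance run: rebuild internal users and the two standard groups from the
    local groups, keeping memberships in other internal groups for users who remain.

    internal_users: set of users currently in the __user table
    custom_memberships: {internal group name: set of users} for groups other than
                        Asset Manager Users / Asset Manager Admins
    Returns a dict describing the resulting state and what changed.
    """
    admins = set(local_groups.get(LOCAL_ADMIN_GROUP, set()))
    users = set(local_groups.get(LOCAL_USER_GROUP, set()))
    allowed = admins | users                      # everyone who may log in

    added = allowed - internal_users              # created from local group membership
    removed = internal_users - allowed            # no longer in either local group

    return {
        "users": allowed,
        "added": added,
        "removed": removed,
        # Every remaining user needs Asset Manager Users to log in, administrators included.
        "asset_manager_users": allowed,
        "asset_manager_admins": admins,
        # Custom groups stay under manual control; only removed users are pruned (assumption).
        "custom_memberships": {
            name: members & allowed for name, members in custom_memberships.items()
        },
    }


# Constructed sample state.
LOCAL_GROUPS = {
    LOCAL_ADMIN_GROUP: {"CORP\\bob", "CORP\\carol"},
    LOCAL_USER_GROUP: {"CORP\\alice", "CORP\\bob"},
}
INTERNAL_USERS = {"CORP\\alice", "CORP\\dave"}          # dave is no longer in any local group
CUSTOM_MEMBERSHIPS = {"maintenance": {"CORP\\alice", "CORP\\dave"}}


def demo():
    return synchronize(INTERNAL_USERS, CUSTOM_MEMBERSHIPS, LOCAL_GROUPS)


if __name__ == "__main__":
    for user in sorted(INTERNAL_USERS | LOCAL_GROUPS[LOCAL_ADMIN_GROUP] | LOCAL_GROUPS[LOCAL_USER_GROUP]):
        print(user, "->", classify(user, LOCAL_GROUPS))
    result = demo()
    print("added:", sorted(result["added"]), "removed:", sorted(result["removed"]))
    print("admins:", sorted(result["asset_manager_admins"]))
```

The practical consequence for operations is that, with integration enabled, the local groups on the Asset Manager Server become the only place where login and administrator status are decided, and a membership change there does not take effect in the application until the next maintenance run (the default string "0 0 * * *" is once a day at midnight) or a restart, since permissions are read at startup.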