System Roles in AMI Tracks Platform help Administrators control access to data within the platform. Role enforcement takes place on all data access requests, no matter what the source of the access request is. Role enforcement includes but is not limited to:
In addition to the base system roles, additional roles can be configured to increase the granularity of control across AMI Tracks Platform Applications.
To maintain System Roles within the platform, locate the System Roles submenu under System Management.
You will be presented with a list of roles defined in your AMI Tracks Platform environment. As with most AMI Tracks Platform lists, you can create or delete records from the list page:

Once you have selected a role or clicked the "Create New" icon at the top of the role list, you will see the Record Detail for the role.

Name
The Name of the role.
Description
A brief description of what the role is used for. Providing an overview of what access the role grants is a good practice to get into.
Token Age
The maximum token age controls how frequently the access token associated with this role is refreshed.
There are several ways to grant a role to a user. They are described as follows:
Included and excluded users are granted or excluded from roles individually. Included users will always be granted the role, and excluded users will always be excluded from the role regardless of the other membership rules.
Multiple users can be added to or removed from the lists simultaneously by selecting multiple user records in the popup that is displayed when you press the "new" icon on either the Included Users or Excluded Users tables.
If you have set up a directory service integration, you can map AMI Tracks Platform roles directly based on Group membership defined in your Directory Service Provider (Microsoft Entra, for example).
There are 2 ways to include users in a role by directory group:
1. All Directory Service Groups
If a user is a member of all the directory service groups listed in any of the Role Membership records, then the user will have access to the role in AMI Tracks Platform.
2. Any Directory Service Groups
If a user is a member of any of the groups listed in the Any Directory Service Groups table, they will have access to the role in AMI Tracks Platform.
If you have set up a directory service integration, you can map AMI Tracks Platform roles directly based on Role membership defined in your Directory Service Provider (Microsoft Entra, for example).
There are 2 ways to include users in a role by directory role:
1. All Directory Service Roles
If a user is a member of all the directory service roles listed in any of the Role Membership records, then the user will have access to the role in AMI Tracks Platform.
2. Any Directory Service Roles
If a user is a member of any of the directory service roles listed in the Any Directory Service Roles table, they will have access to the role in AMI Tracks Platform.
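
The membership rules above can be modelled as a small evaluator, which is useful for checking a planned role configuration before applying it. This is an added example, not AMI Tracks Platform code: the field names and sample data are hypothetical, and it assumes that exclusion wins when a user is on both lists and that an empty "All" record matches no one, neither of which this page states.

```python
from dataclasses import dataclass, field

@dataclass
class Role:  # hypothetical model of a role's membership settings
    included_users: set = field(default_factory=set)
    excluded_users: set = field(default_factory=set)
    all_group_records: list = field(default_factory=list)  # one set per membership record
    any_groups: set = field(default_factory=set)
    all_role_records: list = field(default_factory=list)   # one set per membership record
    any_roles: set = field(default_factory=set)

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)  # directory service groups
    roles: set = field(default_factory=set)   # directory service roles

def evaluate(role, user):
    """Return (granted, reason) for one user against one role."""
    # Individual lists override every directory-based rule.
    if user.name in role.excluded_users:  # assumption: exclusion beats inclusion
        return False, "excluded user"
    if user.name in role.included_users:
        return True, "included user"
    # "All": every entry of at least ONE record must be held by the user.
    # The `rec and` guard stops an empty record from matching everybody,
    # because the empty set is a subset of every set.
    if any(rec and rec <= user.groups for rec in role.all_group_records):
        return True, "all groups in one record"
    if role.any_groups & user.groups:
        return True, "any group"
    if any(rec and rec <= user.roles for rec in role.all_role_records):
        return True, "all roles in one record"
    if role.any_roles & user.roles:
        return True, "any role"
    return False, "no membership rule matched"

# Constructed sample configuration.
VIEWER = Role(
    included_users={"alice"},
    excluded_users={"bob"},
    all_group_records=[{"Ops", "Region-East"}, {"Auditors", "Read-Only"}],
    any_groups={"Platform-Admins"},
    any_roles={"Security Reader"},
)

if __name__ == "__main__":
    for u in (User("bob", {"Platform-Admins"}), User("dave", {"Ops", "Auditors"})):
        print(u.name, evaluate(VIEWER, u))
```

Note that a user holding one group from each of two different records (dave above) is not granted the role, since the "All" rule is evaluated per record.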