*
Concepts
*
Tasks
 

Site Profiles

This topic explains how to create and select security profiles for users in multi-site environments.
Note: Before you build security profiles for a multi-site installation, you need to understand site hierarchies and how they work. For more information, see Sites and Hierarchies, and Sharing and Partitioning Data Between Sites.

Contents

When to Use Site Profiles
Home Site Profile
Top Site Profiles
Objects Always Owned by the Top Site
Objects Whose Site Ownership is Determined by Site Type
Other Site Profiles

When to Use Site Profiles

In a multi-site implementation, you will typically select both a default profile and specific profiles for the user’s home site and for any other site in the enterprise they might access.
Many of the lists and tables in APM can display objects from multiple sites. The user's site-specific security profiles will determine which objects appear in the lists. For example, security profiles that provide “read-only” or “full” access to assets on all sites will allow the user to see assets owned by all sites in any table that has the option to view assets owned by “this site and below” or “this site and above”. A profile with the setting of “none” for assets on other sites would mean that only the assets owned by the home site would appear in the list, regardless of the viewing option selected.
For example, a user selecting the asset to work on for a work order will see a list of assets, in either a list or a selector dialog. Site-based security profiles will control which assets appear in the list based on the site that owns each asset.
Users might be able to see secondary information that is owned by other sites from objects owned by a site to which they have access. For example, work orders might be created from a standard job owned by another site, and assets that have been transferred might reference work orders owned by other sites.
In the case of an asset that is transferred from one site to another, when an asset is transferred, its work order history might reference objects from all of the sites that have owned it. A user who has authority to view the asset on the site that currently owns it can also view the entire work order history list, regardless of the site that owns each work order in the list. However, the user must have at least read-only security on the site that owns the work orders in order to open them.
Note: Access to the enterprise object is not controlled by site security settings. For information on securing Enterprise, see Restricting Access to Enterprise.
Note: Security on Calculation State and other Calculation classes only works when used on general profiles. It does not work on Site profiles.

Home Site Profile

The home site profile is the security profile for the site which the user normally accesses. For example, if a user normally works at the Plant 1 site, you should set the Plant 1 site security to the user’s home site profile.

Top Site Profiles

In APM, certain objects might be owned by the top site in your site hierarchy. Some objects (such as administration value lists) are always owned by the top site. Other objects might be owned by the top site, depending on how you have set up your site types.
The security profile that a user has for the top site in their hierarchy will control their access to objects owned by that site. For example, if you have a security profile that is read-only for the top site, administration value lists will have read-only access in the user’s home site. This is probably an appropriate setting for many users.
However, some users might need the ability to edit or create new objects for some top site objects (for example the user might need to create new Work Types). If you leave these classes with read-only access in the security profile for the top site, they will be visible at the user’s home site, but the user will not be able to edit them, or to create new objects for that class. On the other hand, you might need to prevent some users from having even read-only access to some top site objects.
If you need to provide special access/restrictions on objects owned at the top site, you can create a separate profile for the Top Site in your hierarchy.
Note: You might also need to provide access to these objects in the user’s home site profile.

Objects Always Owned by the Top Site

Objects automatically owned by the top site include:
Maintenance value lists (for example, work types and maintenance groups)
Inventory value lists (for example, ABC classifications, and resource categories)
Procurement value lists (for example, extra charges and FOB points)
Accounting value lists (for example, GL accounts and labor rate types)
Financial periods
International value lists (for example, exchange rates and countries)
Site types

Objects Whose Site Ownership is Determined by Site Type

Site ownership is determined by the site type for the following objects:

Foundation Objects
Employees
Resources

Maintenance Objects
Assets
Asset activity reports
Asset transfer documents
Indicator templates
Maintenance schedules
PM routes
Projects
Standard documents
Standard tasks and jobs, and job and task templates
Work orders
Work requests

Analyses
Asset prioritization analyses
Current practice reviews
Maintenance task analyses and MTA templates
RBI analyses
RCM2 analyses and templates

Materials
Contracts
Invoices
Purchase orders
Requests for quotation
Requisitions
Resource Transactions
Supplier resources
Suppliers
Transaction entry forms
Warehouses

Asset Health
Asset health calculations
Asset health report definitions

Other Site Profiles

In a multi-site implementation, you might want to restrict a user’s access to sites other than their home site. In this case, you might create an “Other Sites” security profile with a lower access level. You can create the profiles such that an employee who logs in with these settings will only see objects (such as assets and work orders) from their home site. Objects from other sites will not be visible. Or, you can create an “Other Sites” profile that allows a user to have read-only access to objects from other sites.
As with any security profile, you can override the default access level for any class, action, attribute, relationship, or view in the system.
For example, depending on how your site types are set up some objects might only be owned at certain sites in the hierarchy (that are not the user’s home site or top site). For example, if your hierarchy has three levels, Suppliers might be owned at the second level. If you create only one Other Sites profile and turn off suppliers, the user will not be able to see any suppliers at all. If this is the case, you should create a separate profile for the sites at the 2nd level that provides appropriate security for Suppliers.