specs/models/M_USER_ROLE
User Role
A user role determines what data in the system a user has access to and what changes they are permitted to make. There are two broad categories of user roles:
- Admin roles - these users can log into the admin console and make changes according to their specific role type. The admin roles:
- Account Owner - Has full access rights to all assets and account-level settings, and manages users
- Administrator - Has full access rights to all assets
- Connector Supervisor - Can build apps, and manage all connectors and connector functions
- Station Supervisor - Can build apps, and manage all stations, machines, machine data sources, and devices
- Tulip Tables Supervisor - Can build apps and manage all Tulip Tables
- Application Engineer - Can build apps
- Viewer - Can only view assets
- Operators - these users can log in to the Tulip Player and run Tulip apps.
| Account | Apps | Tables | Stations | Display Devices | Machines | Connectors | Analyses | Completions | |||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Update Account Settings (Update Logo, etc,) | Create/Update/Delete Approval Types | Deactivate User, Update User Info | Add User | Assign Role | Edit Role | Create | Read | Update | Deactivate | Approve New Versions | Create | Read | Update | Deactivate | Create | Read | Update | Delete | Create | Read | Update | Delete | Create | Read | Update | Delete | OPC Connectors | SQL + HTTP Connectors | Create | Read | Update | Delete | Create | Read | Update | Delete | |||||||
| Create | Read | Update | Deactivate | Create | Read | Update | Deactivate | ||||||||||||||||||||||||||||||||||||
| Account Owner | X | X | X | X | X | X | X | X | X | X | x | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | ||
| Administrator | X | X | X | X | x | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | ||||||||
| Operator | X - On Player Only | X - with Sharable Link | X- on Player Only | X | X- on Player Only | ||||||||||||||||||||||||||||||||||||||
| Application Engineer | X | X | X | X | x | X - with Sharable Link | X | X | X | X | X | X | |||||||||||||||||||||||||||||||
| Station Supervisor | X | X | X | X | x | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | ||||||||||||||||
| Tulip Table Supervisor | X | X | X | X | x | X | X | X | X | X - with Sharable Link | X | X | X | X | X | X | |||||||||||||||||||||||||||
| Connector Supervisor | X | X | X | X | x | X - with Sharable Link | X | X | X | X | X | X | X | X | X | X | X | X | X | X | |||||||||||||||||||||||
| Viewer | X | X | X | X - with Sharable Link | X | X | X | X | X | X | |||||||||||||||||||||||||||||||||
| Viewer w/ Player Access | X (Tulip + Player) | X | X | X | X | X | X | X | X | X | X |
Tests
| ID | Name |
|---|---|
| QA-T17 | User Management : 09 - Login to /player using new badge ID |
| QA-T173 | SAML : 05 - Operators should not be allowed to login to Factory on SAML |
| QA-T177 | SAML : 08 - Operators whose role changes to Administrator in SAML should be promoted to Administrator in Tulip |
| QA-T178 | SAML : 07 - Administrators whose role changes to Operator in SAML should be demoted to Operator in Tulip |
| QA-T260 | User Roles : 01 - Account Owners can add other Account Owners |
| QA-T261 | User Roles : 03 - Account Owners can edit other users' profiles |
| QA-T262 | User Roles : 02 - Account Owners can create users |
| QA-T263 | User Roles : 04 - Account Owners should be able to deactivate/reactivate users |
| QA-T264 | User Roles : 05 - Administrators should not be able to manage users |
| QA-T265 | User Roles : 06 - Tulip Table Supervisors should not be able to manage connectors |
| QA-T266 | User Roles : 07 - Tulip Table Supervisors should not be able to manage the shop floor |
| QA-T267 | User Roles : 08 - Viewers should be unable to modify data in Tulip |
| QA-T308 | 09: User permissions get checked when viewing video |
| QA-T332 | LDAP Tulip Managed : 02 - Users can log in via LDAP |
| QA-T636 | Workspaces : 01 - Login with different roles |
| QA-T655 | LDAP Tulip Managed : 02 / Operators can't log into Factory via LDAP |
| QA-T708 | User Roles : 05 - Administrator role |
Requirements
| ID | Requirement |
|---|---|
| 28 | Provide a method for defining privileges to Master Data access and modification by role at element level. Eg. configuration of role or user group for a App or App component and what privileges they have such as view, comment, edit, approve, etc. |
| 34 | System date and time cannot be changed by users during normal operation and production execution. Only admin with appropriate privileges can change system date and time. |
| 47 | Manage access to system administration and maintenance functions to users with appropriate privileges |
| 810 | Provide managed authorized access to all records and electronic signatures including data, information, configurations, and data files. |
| 821 | Ability to define access security levels for records and electronic signatures. Ie. user groups and user roles and their associated priveleges to system resources and data |
| 842 | Support specific number of concurrent users as defined by customer license agreements and SLAs |