
REST Roles and Permissions

Roles and permissions provide fine-grained access control to all of the REST APIs.

Developer Permissions

In ServiceMobility releases prior to 3.12, developers accessed the REST APIs using the customerid and customercode URL parameters. These parameters provided unrestricted access to all of the APIs, essentially administrator access. A further problem was that only a single instance of these values could be created, so different areas of the organization that needed to access the APIs had to share the same credentials.

Starting with release 3.13, you can create one or more developer tokens, each with its own set of permissions. This allows fine-grained control over what each developer is allowed to do within the system. A developer token, regardless of its permissions, cannot be used to create another developer token; only administrators can create developer tokens.

Mobile Worker Permissions

Mobile workers who use the ServiceMobility mobile application exclusively only require a valid user account that is configured as a mobile worker. Mobile workers do not require any other specific permissions. The reason is that the ServiceMobility ESB acts as a security proxy for the user: it ensures that only the data assigned to that user is sent to the mobile device, and it only processes uploaded transactions for the user they are assigned to.

Therefore, when adding a mobile worker they do not require any roles to be assigned to them. 


Permissions

Each permission ID below is listed under its group, followed by what it allows and any further restriction that applies.

Accounts

account:delete
  • Allows accounts to be deleted
account:read
  • Allows account objects to be read
account:write
  • Allows account objects to be created or updated

Account Locations

accountloc:delete
  • Allows Account Location objects to be deleted
  • The list of account locations that can be deleted is further restricted to those in work centers the logged-in user is allowed to manage.
accountloc:read
  • Allows Account Location objects to be read
  • The list of account locations that can be viewed is further restricted to those in work centers the logged-in user is allowed to manage.
accountloc:write
  • Allows Account Location objects to be created or updated
  • The list of account locations that can be updated is further restricted to those in work centers the logged-in user is allowed to manage.

Alert

alert:create
  • Allows alerts to be created

Asset

asset:delete
  • Allows assets to be deleted
  • The list of assets that can be deleted is further restricted to those in work centers the logged-in user is allowed to manage.
asset:read
  • Allows assets to be read
  • The list of assets that can be viewed is further restricted to those in work centers the logged-in user is allowed to manage.
asset:write
  • Allows assets to be created or updated

Flex-Fields

flexfield:delete
  • Allows Flex-Field definitions to be deleted
flexfield:read
  • Allows Flex-Field definitions to be read
flexfield:write
  • Allows Flex-Field definitions to be created or updated

Flex-Forms

flexform:delete
  • Allows Flex-Form definitions to be deleted
flexform:read
  • Allows Flex-Form definitions to be read
flexform:write
  • Allows Flex-Form definitions to be created or updated

Gantt

gantt:read
  • Allows the Gantt chart to be read
  • The Gantt view is further restricted to the work centers the logged-in user has access to
plannermap:read
  • Allows the logged-in user to view the planner map

Reports

report:geolocation
  • Allows access to the GEO Location Report
report:timesheet
  • Allows access to the Time Sheet Report
  • The report is further restricted to the work centers the logged-in user has access to manage
report:timesheetsummary
  • Allows access to the Time Sheet Summary Report
  • The report is further restricted to the work centers the logged-in user has access to manage

System Categories

syscat:delete
  • Allows system categories and activities to be deleted
  • Some system categories have reserved codes that cannot be deleted from the system. Please refer to the system category documentation for specific details.
syscat:read
  • Allows the logged-in user to view the system category management section
  • In order for the system to run, every user has read access to all system categories. This permission only controls whether the System Category Management section in the Nexus UI is visible.
syscat:write
  • Allows system categories to be created and updated
  • Each system category can impose further rules on write access. Please refer to the system category documentation for specific details.

Timecard

timecard:approve
  • Allows the logged-in user to approve a user's timecard
  • The feature is further restricted to the work centers the logged-in user has access to manage
timecard:decline
  • Allows the logged-in user to decline a user's timecard
  • The feature is further restricted to the work centers the logged-in user has access to manage
timecard:read
  • Allows the logged-in user to view a user's timecard
timecard:reopen
  • Allows the logged-in user to re-open a user's timecard
  • The feature is further restricted to the work centers the logged-in user has access to manage

User Management

user:changepassword
  • Allows the logged-in user to change (set) a user's password
  • It is not recommended to allow another user (even an admin) to set a user's password directly. The preferred way is to use the reset password feature, which prevents the admin from ever knowing a user's password.
user:delete
  • Allows the logged-in user to delete a user from the system
user:read
  • Allows the logged-in user to view all users in the system
user:resetpassword
  • Allows the logged-in user to reset a user's password
  • When a user's password is reset, an email is sent to the user with a link instructing them to reset their password.
user:write
  • Allows the logged-in user to create and update a user object
user:assignroles
  • Allows assigning and removing security roles from users
  • This permission should only be assigned to an administrator.

Work Center Management

workcenter:read
  • Allows viewing the list of available work centers
workcenter:delete
  • Allows the logged-in user to delete a work center from the system
workcenter:assignmanager
  • Allows the logged-in user to assign other users as managers for a work center
workcenter:write
  • Allows the logged-in user to create and update work centers

Work Order Management

workorder:delete
  • Allows the logged-in user to delete a work order
  • The list of work orders that can be deleted is further restricted to those in work centers the logged-in user is allowed to manage.
workorder:read
  • Allows the logged-in user to view work orders
  • The list of work orders that can be viewed is further restricted to those in work centers the logged-in user is allowed to manage.
workorder:write
  • Allows the logged-in user to create or update a work order within the system
  • The list of work orders that can be updated is further restricted to those in work centers the logged-in user is allowed to manage.

Default Roles

ServiceMobility is installed with several default roles, each with default permissions. Except for the admin role, any of the other default roles can be modified or deleted.

Admin Role

Any user assigned to this role has unrestricted access to the system and all data. If you are currently logged in with the admin role, the system will prevent you from removing yourself from the role, so that you cannot lock yourself out of the system.

The default admin role cannot be deleted.

Manager Role

The Manager role has the following default permissions.

  • account:read,write,delete
  • accountloc:read,write,delete
  • workorder:read,write,delete
  • gantt:read
  • plannermap:read
  • report:timesheet,timesheetsummary,geolocation
  • user:read,write,delete,resetpassword,changepassword
  • workcenter:read,write,delete,assignmanager
  • flexfield:read,write,delete
  • flexform:read,write,delete
  • syscat:read,write,delete

Planner Role

The Planner role has the following default permissions.

  • account:read,write
  • accountloc:read,write
  • workorder:read,write
  • gantt:read
  • plannermap:read
  • report:timesheet,timesheetsummary,geolocation
  • user:read,write,resetpassword
  • workcenter:read
  • flexfield:read
  • flexform:read
  • syscat:read
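As an added illustration (not ServiceMobility's own code), the following expands the Manager and Planner role definitions above from the page's "group:perm1,perm2" notation and applies the two rules the page describes: a permission check against the user's roles, and the work-center restriction on the permissions the Permissions table marks as limited to work centers the user manages, plus the guard that stops an admin removing themselves from the admin role. The user dictionary shape and the function names expand, is_allowed and can_remove_role are assumptions for this example.

```python
# Added example (not ServiceMobility code); user dict shape is assumed.
def expand(spec):
    """Expand the page's 'group:perm1,perm2' lines into full permission IDs."""
    ids = set()
    for line in spec:
        group, perms = line.split(":", 1)
        ids.update(f"{group}:{p}" for p in perms.split(","))
    return ids

ROLES = {
    "admin": None,  # None: unrestricted access to the system and all data
    "manager": expand([
        "account:read,write,delete", "accountloc:read,write,delete",
        "workorder:read,write,delete", "gantt:read", "plannermap:read",
        "report:timesheet,timesheetsummary,geolocation",
        "user:read,write,delete,resetpassword,changepassword",
        "workcenter:read,write,delete,assignmanager", "flexfield:read,write,delete",
        "flexform:read,write,delete", "syscat:read,write,delete",
    ]),
    "planner": expand([
        "account:read,write", "accountloc:read,write", "workorder:read,write",
        "gantt:read", "plannermap:read", "report:timesheet,timesheetsummary,geolocation",
        "user:read,write,resetpassword", "workcenter:read", "flexfield:read",
        "flexform:read", "syscat:read",
    ]),
}

# Permissions the page marks as further restricted to managed work centers.
WORK_CENTER_SCOPED = expand([
    "accountloc:read,write,delete", "asset:read,delete",
    "workorder:read,write,delete", "timecard:approve,decline,reopen",
    "report:timesheet,timesheetsummary",
])

def is_allowed(user, permission, work_center=None):
    """Role check first, then the work-center scope for scoped permissions."""
    if "admin" in user["roles"]:
        return True
    granted = set().union(*(ROLES.get(r) or set() for r in user["roles"]))
    if permission not in granted:
        return False
    if permission in WORK_CENTER_SCOPED:
        return work_center in user["managed_work_centers"]
    return True

def can_remove_role(actor, target, role):
    """Needs user:assignroles; an admin cannot remove themselves from admin."""
    if role == "admin" and actor["id"] == target["id"]:
        return False
    return is_allowed(actor, "user:assignroles")
```

Note that a Manager holding workorder:delete is still denied for a work order in a work center they do not manage, and that user:assignroles is absent from both default roles, matching the page's advice that it belongs to administrators only.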