REST Roles and Permissions

Roles and permissions provide fine gained access to all of the REST APIs.

Developer Permissions

In ServiceMobility releases prior to 3.12, developers would access the REST APIs using the customerid and customercode URL parameters. Using these parameters would provide unrestricted access to all of the APIs - essentially administrator access. Another issue was that only a single instance of these values could be created, so if different areas of the organization needed to access the APIs they would share the same credentials.

Starting with release 3.13, you can create one or more developer tokens each with their own set of permissions. This allows fine-grained control over what each developer is allowed to do within the system. A developer token, regardless of permissions, can not be used to created another developer token, only administrators can create developer tokens.

Mobile Worker Permissions

Mobile workers who are using the ServiceMobility mobile application exclusively only require a valid user account that is configured as a mobile worker. Mobile workers do not require any other specific permissions. The reason is that the ServiceMobility ESB acts as security proxy for the user ensuring that only the data assigned to them is sent to the mobile device and the ESB will only process uploaded transactions from the user that is assigned to them.

Therefore, when adding a mobile worker they do not require any roles to be assigned to them.

Related pages:

Role REST API

On this page:

Default Roles

Permissions

Group	Permission ID	Description
Accounts	account:delete	Allows accounts to be deleted
	account:read	Allows account objects to be read
	account:write	Allows account objects to be created or updated
Account Locations	accountloc:delete	Allows account Location objects to be deleted The list of account locations that can be deleted is further restricted to those in work centers the logged in user is allowed to mange.
	accountloc:read	Allows Account Location objects to be read The list of account locations that can be viewed is further restricted to those in work centers the logged in user is allowed to manage.
	accountloc:write	Allows Account Location objects to be created or updated The list of account locations that can be updated is further restricted to those in work centers the logged in user is allowed to manage.
Alert	alert:create	Allows alerts to be created
Asset	asset:delete	Allows assets to be deleted The list of assets that can be deleted is further restricted to those in work centers the logged in user is allowed to mange.
	asset:read	Allows assets to be read The list of assets that can be viewed is further restricted to those in work centers the logged in user is allowed to manage.
	asset:write	Allows assets to be created or updated
Field-Fields	flexfield:delete	Allows Flex-Field definitions to be deleted
	flexfield:read	Allows Flex-Field definitions to be read
	flexfield:write	Allows Flex-Field definitions to be created or updated
Flex-Forms	flexform:delete	Allows Flex-Form definitions to be deleted
	flexform:read	Allows Flex-Form definitions to be read
	flexform:write	Allows Flex-Form definitions to be created or updated
Gantt	gantt:read	Allows the Gantt chart to be read The Gantt view is further restricted to the work centers the logged in user has access to
	plannermap:read	Allows the logged in user to view the planner map
Reports	report:geolocation	Allows access to the GEO Location Report
	report:timesheet	Allows access to the Time Sheet Report The report is further restricted to the work centers the logged in user has access to manage
	report:timesheetsummary	Allows access to the Time Sheet Summary Report The report is further restricted to the work centers the logged in user has access to manage
System Categories	syscat:delete	Allows system categories and activities to be deleted Some system categories have reserved codes that can not be deleted from the system. Please refer to the system category documentation for specific details.
	syscat:read	Allows the logged in user to view the system category management section In order for the system to run, every user has read access to all system categories. This permissions is simply controlling whether or not the System Category Management section in the Nexus UI is visible.
	syscat:write	Allows system categories to be created and updated Each system category can impose further rules on write access. Please refer to the system category documentation for specific details.
Timecard	timecard:approve	Allows the logged in user to approve a user's timecard The feature is further restricted to the work centers the logged in user has access to manage
	timecard:decline	Allows the logged in user to decline a user's timecard The feature is further restricted to the work centers the logged in user has access to manage
	timecard:read	Allows the logged in user to view a user's timecard
	timecard:reopen	Allows the logged in user to re-open a user's timecard The feature is further restricted to the work centers the logged in user has access to manage
User Management	user:changepassword	Allows the logged in user to change (set) a user's password It is not recommended to allow another user (even admin) to specifically set a user's password. The preferred way is to use the reset password feature. This will prevent the admin from ever knowing a user's password.
	user:delete	Allows the logged in user to delete a user from the system
	user:read	Allows the logged in user to view all user's in the system
	user:resetpassword	Allows the logged in user to reset a user's password. When a user's password is reset, and email it sent to the user with a link instructing them to reset their password.
	user:write	Allows the logged in user to create and update a user object
	user:assignroles	Allows assigning and removing security roles from users. This permission should only be assigned to an administrator.
Work Center Management	workcenter:read	Allows viewing the list of available work centers
	workcenter:delete	Allows the logged in user to delete a work center from the system
	workcenter:assignmanager	Allows the logged in user to assign other user's as manager for a work center
	workcenter:write	Allows the logged in user to create and update work centers
Work Order Management	workorder:delete	Allows the logged in user to delete a work order The list of work orders that can be deleted is further restricted to those in work centers the logged in user is allowed to manage.
	workorder:read	Allows the logged in user to view work orders The list of work orders that can be viewed is further restricted to those in work centers the logged in user is allowed to manage.
	workorder:write	Allows the logged in user to create or update a work order within the system The list of work orders that can be updated is further restricted to those in work centers the logged in user is allowed to manage.

Default Roles

ServiceMobility is installed with several default roles with default permissions. Except for the admin role and of the other default roles can me modified or deleted.

Admin Role

Any user assigned to this role will have unrestricted access to the system and all data. If you are currently logged in with admin role the system will prevent you from removing yourself from the role. This is to prevent you from possibly being locked out of the system.

The default admin role can not be deleted.

Manager Role

The Manager role has the following default permissions.

account:read,write,delete
accountloc:read,write,delete
workorder:read,write,delete
gantt:read
plannermap:read
report:timesheet,timesheetsummary,geolocation
user:read,write,delete,resetpassword,changepassword
workcenter:read,write,delete,assign managers
flexfield:read,write,delete
flexform:read,write,delete
syscat:read,write,delete

Planner Role

The Planner role has the following default permissions.

account:read,write
accountloc:read,write
workorder:read,write
gantt:read
plannermap:read
report:timesheet,timesheetsummary,geolocation
user:read,write,resetpassword
work center:read
flexfield:read
flexform:read
syscat:read