===== Access Management =====

Zebrix Control provides a flexible and structured access management system, allowing permissions to be assigned according to a user’s role and the scope in which they are allowed to operate.

Access management is based on three fundamental concepts:

  * **Users** – Individuals with an account in Zebrix Control.
  * **Roles** – A set of permissions defining the actions allowed.
  * **Groups** – The association of a role with a specific scope (location, equipment type, tags).

A user’s final access level is the combination of their role permissions and the scope defined by the group(s) they belong to.

==== Best Practices ====

  * Apply the **principle of least privilege**
  * Create roles aligned with business functions (Technician, Manager, Supervisor…)
  * Use groups to segment access by area or responsibility

==== Roles ====

Roles define **what a user can do** within the application.

Menu: **Administration > Roles**

For each module (Equipment, Alarm, Incident, Location…), you can authorize:

  * View
  * Create
  * Edit
  * Delete
  * Execute commands (for equipment)

{{ :en:config:pasted:20250204-091128.png?800 }}

A role defines the allowed actions, but not the scope where they apply.

==== Groups ====

Groups associate a role with a specific operational scope.

Menu: **Administration > Groups**

A group contains:

  * A role
  * One or more users
  * Scope restrictions

{{ :en:config:pasted:20250204-091333.png?600 }}

==== Types of Scope Limitations ====

=== Geographic Limitation ===

A group can be restricted to one or several locations.

Example: A **Proximity Île-de-France** group may only operate on equipment located in Paris.

=== Equipment Type Limitation ===

A group can be limited to specific equipment types or product ranges.

If no filter is defined, the role applies to all equipment within the selected geographic scope.

=== Tag Limitation ===

Access can also be restricted to equipment associated with specific tags. This enables fine-grained segmentation (VIP equipment, Critical systems, Specific department…).

==== User Belonging to Multiple Groups ====

A user may belong to multiple groups. In that case:

  * Permissions are cumulative
  * Scopes are combined

The user’s effective access corresponds to the union of all permissions granted by their groups.
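
The following Python sketch is an added example for access reviews, not Zebrix Control code or its API. It models the role, group and scope concepts described above and computes a user's effective access as the union of per-group grants. It assumes each group's role applies only inside that group's own scope and that an empty filter of any kind means no restriction; the class names, function names and sample data are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Equipment:
    name: str
    location: str
    kind: str
    tags: frozenset = frozenset()

@dataclass
class Group:
    name: str
    role: dict                      # module -> allowed actions
    users: set
    locations: set = field(default_factory=set)  # empty = no filter (assumption)
    kinds: set = field(default_factory=set)
    tags: set = field(default_factory=set)

    def in_scope(self, eq):
        """True when the equipment passes every filter this group defines."""
        return ((not self.locations or eq.location in self.locations)
                and (not self.kinds or eq.kind in self.kinds)
                and (not self.tags or bool(self.tags & eq.tags)))

def granting_groups(user, module, action, eq, groups):
    """Names of the groups that give `user` this action on `eq`."""
    return [g.name for g in groups
            if user in g.users and g.in_scope(eq)
            and action in g.role.get(module, set())]

def effective_access(user, module, inventory, groups):
    """Union of per-group grants: equipment name -> set of allowed actions."""
    access = {}
    for eq in inventory:
        for g in groups:
            if user in g.users and g.in_scope(eq):
                access.setdefault(eq.name, set()).update(g.role.get(module, set()))
    return access

# Constructed sample data (not taken from a real Zebrix Control tenant).
TECHNICIAN = {"Equipment": {"View", "Edit", "Execute commands"}}
VIEWER = {"Equipment": {"View"}}
GROUPS = [
    Group("Proximity Île-de-France", TECHNICIAN, {"alice"}, locations={"Paris"}),
    Group("VIP supervision", VIEWER, {"alice", "bob"},
          locations={"Paris", "Lyon"}, tags={"VIP"}),
]
INVENTORY = [
    Equipment("screen-01", "Paris", "Screen"),
    Equipment("screen-02", "Lyon", "Screen", frozenset({"VIP"})),
    Equipment("player-03", "Lyon", "Player"),
]

if __name__ == "__main__":
    for name, actions in effective_access("alice", "Equipment", INVENTORY, GROUPS).items():
        print(name, sorted(actions))
```

During a least-privilege review, ''granting_groups'' shows which membership is responsible for a sensitive action such as Execute commands on a given piece of equipment, which is the group to adjust when the grant is broader than intended.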