The number of users or seats is not limited with a ManagingEnergy subscription. The Subscription Manager within the subscribing organization can set up a new user, or change the level and extent of any user's access to the system. The user interface is security-trimmed so that each user can be set up to see only those parts of the system relevant to his/her job. Some users will only view reports and dashboards, others will enter billing data, others will use the analytical features.
ManagingEnergy provides a sophisticated way to restrict user access and functionality.
It is quite possible to share accounts among users, but there is no advantage, since there is no additional charge for more accounts. In addition, when multiple people share one user account the Change Log (audit trail) functionality is compromised. The Change Log relies on the user name to associate users with data changes.
Security Domains are areas of ManagingEnergy functionality which can be either allowed or denied to a user. Can the user access the Opportunities Tab within the Conservation & Renewal Module? Can s/he modify Roles, create a new User, delete a Facility, or reset the Baseline under Advanced Analysis? The ability to perform any of these operations depends on the user having adequate Permissions within a particular Security Domain.
The job of assigning specific Security Domain permissions to individual users would be very tedious and prone to mistakes. Roles, which are pre-defined sets of Security Domain permissions, make the job much easier.
Roles are named and defined in plain language, in a way that they are easily understood. A Utility Invoice Clerk would have the ability to view account details and to add or modify utility invoice records, but not to see equipment and opportunity details or perform any analysis. A Top Executive would be able to view dashboards and print high-level performance reports, but could be limited to not have access to meter readings, invoice details, or buildings systems. Within either of these role definitions, the underlying matrix of Security Domains and Permissions is quite elaborate. However once the Roles are properly defined and tested, any number of users can be assigned to each role without having to go through the details again.
Once the Roles are properly defined and tested, any number of Role Assignments can be made to any number of Users without having to go through the details again. In addition, a change in the Role definition will immediately change the security privileges of all users assigned the Role. Users will often be assigned more than one Role.
Roles are a useful way to reduce training and support requirements. Even if your organization does not consider the information in ManagingEnergy to be sensitive or confidential, you don't necessarily want all users to have access to all information and every feature of the system. Role-based permissions lead to security-trimming, which removes inaccessible features from the user interface and thereby simplifies the system for most users.
ManagingEnergy provides a set of Standard Roles, enough for most users. If you find you need another role for your particular situation, and are intimidated by the setup process, contact the Help Desk for assistance.
Security in Operation
Any system object is a member of a Security Domain. When a User tries to access an object within the system (Read it, Modify it, Create a new one, or Delete it), ManagingEnergy first checks to see that the User has the required Permission within the applicable Security Domain. If not, the operation is denied. If the answer is Yes, ManagingEnergy then checks whether the Permission applies for the Data Context that they are trying to access. If that check also passes, the operation is allowed to proceed.