
i4connected Knowledge Base

Understanding the hierarchical structure

Abstract

This article explains the tenant hierarchical structure used inside the i4connected portal and its levels.

This article explains a generic tenant hierarchical structure inside the i4connected portal. The i4connected hierarchy supports both a simple and a complex structure.

While the hierarchical structure may be split up into multiple product or service locations, it will most likely also have multiple organizational structures spread around its physical locations. The i4connected portal addresses this complex structure by providing the tools for defining the appropriate structure.

Due to the current security implementation, i4connected users cannot see an entire hierarchical line if they are assigned to Organizational Units or Areas that are positioned deeper in the hierarchy. By default, users can only see the hierarchical node to which they are directly assigned.

Although this is a good concept for avoiding the risk of data and sensitive information leaks, transparent handling of the hierarchical line may be required in a production company, for monitoring, for building automation, and in multi-user scenarios in general.

Therefore, the system administrator can toggle the feature.allowViewAncestors setting on or off. It is available in the Settings table of the i4connected database.


The global setting feature.allowViewAncestors

Important

To apply changes to the feature.allowViewAncestors setting, the i4connected server needs to be restarted so that the effective permissions are recalculated.

When this setting is enabled, users are allowed to see the root node(s) of an Organizational Unit or Area that is located deeper in the hierarchy. However, the visibility permission is not applied to the siblings of that entity.

Tip

For a better understanding, let's imagine a hierarchical structure built on multiple levels. A user who is directly assigned to the Root OU node will be able to view the entire structure, as visible in the schema below.


Example of a complex hierarchical structure

Another user, who is assigned to the Molding unit, will by default only be allowed to see the entity to which he/she is directly assigned, along with that entity's descendants:


Hierarchy view, with the feature.allowViewAncestors setting disabled

After enabling the feature.allowViewAncestors setting, the user will be allowed to see the Root OU node, along with the Production node, the Molding node, and its descendants, as visible in the schema below:


Hierarchy view, with the feature.allowViewAncestors setting enabled

When the feature.allowViewAncestors setting is enabled, the visibility of the root node(s) is applied in the following contexts:

  • the Sites list / Areas list / Organizational Units list;

  • the Consumption overview panel;

  • the user's Entity Tree view;

  • the Object Filter list(s), accessible in the Analysis Module panels.

Important

It is generally recommended to assign permissions for managing hierarchical entities on a hierarchical level rather than on a global level. As described in the previous articles, when a permission is enabled on a global level, the user is authorized to manage all the visible entities.

Since the feature.allowViewAncestors setting authorizes i4connected users to view entities on a higher level than the ones to which they are directly assigned, such a user will also be allowed to manage these higher entities, up to the root, if management rights are provided on a global level.
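
The rules above can be checked before the setting is switched on. The following model is an added example, not i4connected code: it computes which entities a user sees and which become newly manageable once feature.allowViewAncestors is enabled. The node names other than Root OU, Production and Molding are constructed, and the treatment of hierarchical-level rights as staying on the assigned subtree is an assumption.

```python
# Constructed sample hierarchy: child -> parent. "Root OU", "Production" and
# "Molding" come from the article; the other node names are invented.
PARENT = {
    "Root OU": None,
    "Production": "Root OU",
    "Logistics": "Root OU",        # constructed sibling of Production
    "Molding": "Production",
    "Assembly": "Production",      # constructed sibling of Molding
    "Molding Line 1": "Molding",   # constructed descendant of Molding
}

def ancestors(node):
    """Nodes on the path from `node` up to the root, excluding `node`."""
    chain = []
    while PARENT[node] is not None:
        node = PARENT[node]
        chain.append(node)
    return chain

def descendants(node):
    """All nodes below `node`."""
    found = []
    for child in [n for n, p in PARENT.items() if p == node]:
        found.append(child)
        found.extend(descendants(child))
    return found

def visible(assigned, allow_view_ancestors):
    """Assigned node and its descendants; ancestors only if the setting is on."""
    nodes = {assigned, *descendants(assigned)}
    if allow_view_ancestors:
        nodes.update(ancestors(assigned))   # siblings are never added
    return nodes

def manageable(assigned, allow_view_ancestors, manage_is_global):
    """Global management rights cover every visible entity; hierarchical
    rights are modelled here as staying on the assigned subtree (assumption)."""
    if manage_is_global:
        return visible(assigned, allow_view_ancestors)
    return {assigned, *descendants(assigned)}

def newly_manageable(assigned, manage_is_global):
    """Entities a user gains management over when the setting is switched on."""
    before = manageable(assigned, False, manage_is_global)
    after = manageable(assigned, True, manage_is_global)
    return sorted(after - before)

if __name__ == "__main__":
    for scope in (True, False):
        print("global" if scope else "hierarchical", newly_manageable("Molding", scope))
```

A non-empty result for a user with global management rights lists the ancestor entities that user would be able to manage after the setting is enabled and the server is restarted.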