About User Roles & Security Groups

A person’s usability within FlowWorks is determined by two things: 1) the Role(s) they have been assigned; and 2) the Security Group(s) to which they belong. By carefully configuring Role-types and Security Groups, the proper mix of capabilities and access can be provided to a user, permitting them to perform their assigned functions.

Important: Please read this article carefully before creating new users, to ensure security of your entire user network is well maintained!

In this topic:

Notable Definitions

The following terms are used throughout this topic. For ease of clarification, they are listed here for your reference.


An organization subscribed to FlowWorks software services.


An individual working under a client, who logs-in to FlowWorks using their own log-in credentials.


A user’s assigned function(s) and responsibilities in FlowWorks. Roles are useful for limiting or extending a user’s accessibility to any of FlowWorks' tools (such as F.A.C.E and Alarming) and administrative functions (such as creating and managing user accounts).

Security Group

A set of permissions that dictate the visibility & accessibility of Sites & Channels, and custom-made resources (including GIS layers, custom apps and custom screens).

Overall Structure / Interplay of User Roles and Security Groups

Shown below is a diagram of how User Roles and Security Groups contribute to the overall settings of an individual user.

A client of FlowWorks can have from one to many individual users. The flowchart shown above demonstrates that a single user must be assigned a Role and be part of a Security Group, although each user can be assigned more than one of each. Every Role-type dictates the tools and administrative privilege a user has access to; a Security Group determines the scope of a user’s visibility of (and accessibility to) Sites, Channels, and custom resources.

About User Roles

User roles determine the permissions that are appended to a user account. A single user can have more than one Role.

Important: A role does not ‘inherit’ the privileges of the role below it - although Group Admin is the highest role that can be assigned, privileges from the roles below it do not carry over. Hence, a user must be given the Group Admin role plus all the roles below, to have full access to FlowWorks.

As described in the table, each role comes with its own host of permissions for certain tools, features and functions. Choose all the roles that apply to a respective user in order to provide sufficient access.

Important notes about User Roles

  • A role does not inherit the characteristics of any role-types below it. For example, the attributes of the ‘User’ role do not carry over to that of ‘Group Administrator’. For a Group Administrator to be fully capable of using any of the tools in FlowWorks, he/she must also be given the additional role of User. This ‘quark’ allows greater flexibility for security and access.
  • With that said, it is also possible to create a user with a ‘Group Administrator’ role-type, who not also having the ‘User’ role-type, can only create and manage other accounts but cannot fully use the features and functions offered by FlowWorks.

To find out how to assign a Role to a new user, please see topic "Creating a New User". To learn how to modify a user's Role(s), see topic "Editing an Existing User".

Types of User Roles

The chart below describes the different types of roles that can be assigned to FlowWorks users. Remember, a user can be assigned more than one of these roles for greater accessibility to features and control.

About Security Groups

Security Groups give Group Administrator(s) the ability to maintain granular control over their network of Sites, Channels, tools and custom resources.

Referring to the image above: when a new Client is created, all of its user accounts fall into the ‘Parent’ Security Group, where universal permissions apply to all user accounts (individual user Roles still apply). By default, the parent Security Group entails the widest network of Sites, Channels and custom resources to which a User is permitted access (an Administrator can modify this). Sub-groups are extensions of Parent Groups and are used to break-up permissions of a Parent Group.

By default, each Client has a Parent Security Group and each new User is automatically placed in this group. Parent Security Groups can have numerous Sub-groups, and Sub-groups can have numerous 2nd, 3rd, 4th (etc.) sub-groups as well. No matter which Security Group a user is placed in, all user Role settings still apply.

Note: All User Role settings remain active in Security Groups.

Group Administrators can modify the settings of each Security Group and organize users into their appropriate Groups, accordingly - this is useful for sub-dividing accessibility to Sites, Channels tools and custom resources.

Important Notes about Security Groups

  • If a user is assigned to a Sub-group, the settings of that Group will take precedence over the settings of the Parent Security Group.
  • Permissions in one Group folder do not automatically propagate to other folders - permissions must be set up manually for each Group folder.
  • It is possible to build a security structure that becomes cumbersome to manage and maintain. It is recommended that the Group Administrator(s) invest some time in planning the necessity of permitting / restricting access to Sites, Channels, tools and custom apps prior to creating Security Groups and assigning users thereto.

To find out how to create a new Security Group and manage existing Security Groups, please see topics, "Managing Security Groups".

Have more questions? Submit a request


Article is closed for comments.