User Groups

User Group Management in Weissr

Weissr’s User Group Management is designed to provide flexible, role-based control over user access and permissions within the system. By organizing users into groups and assigning them specific permissions, administrators can efficiently manage who has access to key features, data, and workflows.

User groups in Weissr follow a role-based permission model, meaning most permissions are tied to user groups (roles), which can include access to specific features, modules, or areas within the platform. However, it is also possible to assign permissions directly to individual users when needed, offering a high level of customization for user access control.

There are three main types of permissions within Weissr:

• Global Permissions: Apply across the entire platform.

• Node-based Permissions: Regulate access to specific nodes within Capex Management or Capex Strategy.

• Special Permissions: Include specific approvals and other unique capabilities.

User group assignments can be managed manually within Weissr or handled automatically through integration with the organization’s Identity and Access Management (IAM) system, typically using Single Sign-On (SSO). This allows for streamlined management, ensuring that users automatically receive the correct permissions based on their role within the organization.

The following sections provide a detailed guide to working with user groups in Weissr, including how to create, edit, assign, and audit user groups and permissions, whether you're managing users internally or integrating external user groups through IAM systems.

The user groups tab within the administration.

Internal vs. External User Groups

In Weissr, user groups are categorized as either Internal or External, based on how users are assigned to them.

Internal User Groups

Internal user groups are created and managed directly within Weissr. These groups are typically used by organizations that handle user credentials internally without integrating Single Sign-On (SSO) systems, or in scenarios where Weissr manages group assignment even when users authenticate via SSO.

• Use case: Ideal for organizations that either don’t use SSO or want to control group membership directly within Weissr, regardless of their login method.

External User Groups

External user groups are mapped to groups in the organization's Identity and Access Management (IAM) system. These groups are managed by an external identity provider (e.g., Azure AD/Entra, OneLogin). Most organizations using Weissr rely on external user groups, allowing them to control user group assignments centrally through their IAM system, which governs access to Weissr.

• External Provider: Each external user group must be associated with an identity provider, specifying which provider (e.g., Azure AD) the group belongs to.

• External Mapping: Each external user group is mapped to a corresponding group in the IAM system using an external mapping name. For proper synchronization, this name must exactly match the group name in the IAM.

Key Differences

• Internal User Groups: These are managed entirely within Weissr and can only be assigned to users through Weissr's interface.

• External User Groups: Managed externally through an IAM system and assigned to users via SSO integration and group mapping.

Internal user groups don't require an External Provider or External Mapping, while External user groups must have both to function properly.

Creating and Editing a User Group

Creating a User Group

1. In the User Groups list, click on + Add User Group.

2. In the pop-up window, provide the following details:

   • Name: The name of the user group.

   • Description (optional): A brief description of the group’s purpose.

   • If the group is managed through an IAM system, the following fields are required:

     • External Provider: Select the identity provider (e.g., Azure AD).

     • External Mapping: Specify the external mapping name, which must match the group name in the IAM system.

   • Color: Choose a color to visually distinguish this user group.

Editing an Existing User Group

1. In the User Groups list, click on Action next to the user group you want to edit.

2. Select Edit to modify the group’s details.

User Group Colors and Visibility

User Group Colors

In Weissr, user group colors are typically assigned based on the type of permissions the group provides. This color-coding helps administrators quickly distinguish between groups that manage roles, node access, or approval permissions.

Examples of color assignments:

• Role-based Groups (Green): User groups that define roles, such as "Admin," "Project Manager," or "Viewer," can be assigned blue. This makes it easy to spot users who have specific roles or responsibilities within the system.

• Node Permission Groups (Blue): Groups that control access to specific nodes or areas within Weissr (e.g., regional teams or department-specific access) can be given a green color, ensuring that administrators can quickly see who has access to certain nodes or organizational units.

• Approval Permission Groups (Orange): Approval groups, which grant users authority to approve workflows or decisions, can be marked with orange. This allows admins to instantly identify which users hold key approval powers in different processes.

This strategic color-coding not only simplifies the user group list but also improves the overall visibility of user permissions across the system, making it easier to manage and audit access levels.

User Group Visibility

User group memberships for each user are visible directly in the User List, giving administrators an at-a-glance view of each user’s group memberships and their associated permissions.

How this improves management:

• When viewing the user list, you can immediately see that a user belongs to a "Role-based" group (blue), a "Node Permission" group (green), and an "Approval" group (orange). This provides a complete snapshot of their permissions without needing to navigate through detailed menus.

• This feature is particularly useful for audits and troubleshooting, as it makes potential permission conflicts or gaps easier to detect.

Checking User Group Permissions

To view the permissions assigned to a specific user group:

1. Navigate to the User Group List.

2. Find the user group you want to review.

3. Click the Action button next to the user group.

4. Select Permissions from the menu to view all global and module-specific permissions associated with the user group.

5. For Capex Management properties, click on Selection in Capex Management Properties to view and configure which user-type properties the group is linked to.

6. To check node permissions for Capex Management or Capex Strategy projects, click either CM Node Permissions or CS Node Permissions, depending on the module the user group relates to.

Viewing and Manually Assigning User Groups to Users

In Weissr, administrators can view users within both internal and external user groups. However, assigning users to groups manually can only be done for internal user groups or groups without external mapping. Here's how to do both:

From the User Groups List (Viewing Users & Assigning Groups)

1. Navigate to the User Groups List.

2. Find the user group you want to manage. You can view members for both internal and external groups, but manual user assignment is available only for internal groups (or groups without external mapping).

3. Click the Action button next to the user group and select Users to view its current members.

4. If you are working with an internal user group, you can add new users by using the Select User field and choosing users by name.

5. The assigned user will receive updated permissions the next time they log in.

From the User List (Assigning User Groups)

1. In the User List, locate the user you want to assign to an internal group.

2. Click the context menu (three dots) next to the user and select User Groups.

3. In the pop-up, you’ll see the user’s current group memberships. Use the User Group Name field to select and assign new internal groups.

4. The user will receive updated permissions the next time they log in.

Importing User Group Assignments

If you prefer to work with bulk assignments, you can import user group assignments into Weissr. Learn more about importing user group assignments here.

User Group Audit Log

The User Group Audit Log provides a detailed record of key actions related to a specific user group, allowing you to track changes, assignments, and modifications. All log entries include the date and time of the action.

How to Check the User Group Audit Log

1. Navigate to the User Groups List.

2. Locate the user group you want to audit.

3. Click the Action button next to the user group.

4. Select Audit Log from the menu to view all logged actions.

Logged Actions

• User Assignments: Logs the user who assigned the user group to another user, along with the name of the assigned user.

• User Unassignments: Logs the user who unassigned the user group from another user, including the unassigned user's name.

• Group Creation: Records the name of the user who created the user group.

• Permission Assignments: Logs who assigned permissions to the user group.

• Permission Revocations: Records who revoked permissions from the user group.

• External Mapping Changes: Tracks updates to external mapping, including the old and new mappings.

What is Not Logged

The following changes are not tracked in the audit log:

• CM and CS Node Permissions: Node-specific permission changes in Capex Management (CM) or Capex Strategy (CS).

• Selection in Capex Management Properties: Adjustments to user type properties tied to the group.

• External Provider: Changes to the external provider assigned to the user group.

• Color: Updates to the user group’s color.