Applies to version 2024.03 or higher
The security model in the IBSS platform has been enhanced to include app security rights as well as data model security rights. Roles are set up in Admin Portal > Setup > Roles & Data Security > the App Settings tab.
Note: To set up roles for your organisation or edit permissions, please contact IBSS support.
App Security vs Data Model Security
App security rights determine what a user with this role is allowed to do on the IBSS platform, whilst data model security rights determine what data the user can create, read, update, and delete in the IBSS platform.
Granting an app security right requires applying it to a building that is listed in the panel under Building permissions on the right.
Note: Admin Portal has this look starting with version 2023.01.
API Security Rights
Right |
APPLIESTO | Description |
|
|---|---|---|---|
| Visits | API.Visits.Approve |
yes | Can approve visits |
API.Visits.Deny |
yes | Can deny visits |
|
API.Visits.Cancel |
yes | Can cancel visits |
|
API.Visits.CheckIn |
yes | Can check in a visit |
|
API.Visits.CheckOut |
yes | Can check out of a visit |
|
| API.Visits.V2 | Enables access to V2 API that follows OData v4 model | ||
| API.Visits.Export | Can export visitors list | ||
| API.Visits.Import | Can import visitors list | ||
| Spaces | API.Spaces.CheckIn |
Can check into a space |
|
API.Spaces.CheckInOnBehalfOf |
Can check in on behalf of someone else |
||
API.Spaces.CheckOut |
Can check out of a space |
||
API.Spaces.Reserve |
Can reserve a space |
||
API.Spaces.Disable |
Can disable a space |
||
API.Spaces.Enable |
Can enable a space |
||
API.Spaces.ChangeTemperature |
Can control the temperature of a space |
||
API.Spaces.ChangeLighting |
Can control the lighting level of a space |
||
API.Spaces.ChangeAv |
Can control the AV of a space |
||
API.Spaces.ChangeBlinds |
Can control the blinds of a space |
||
API.Spaces.AdminBookableOnly |
Can book a space marked as AdminBookableOnly |
||
| API.Spaces.V2 | Enables access to V2 API that follows OData v4 model | ||
| Tasks | API.Tasks.Assign |
Can assign a task to a resolver |
|
API.Tasks.Reallocate |
Can re-allocate a task to another resolver |
||
API.Tasks.Cancel |
Can cancel a task |
||
API.Tasks.SetInProgress |
Can start a task |
||
API.Tasks.Unassign |
Can un-assign a task from a resolver |
||
API.Tasks.Resolve |
Can mark the task as resolved |
||
API.Tasks.ChangePriority |
Can change the priority of a task |
||
| API.Tasks.Notify | Can send out task notifications | ||
| API.Tasks.Export | Can export tasks | ||
| API.Tasks.Import | Can import tasks | ||
| V2 | yes |
✅ new in 2025.01 Enables access to V2 API that follows OData v4 model |
|
| Equipment | API.Equipment.Disable |
Can enable equipment |
|
API.Equipment.Enable |
Can disable equipment |
||
| V2 | yes |
✅ new in 2025.01 Enables access to V2 API that follows OData v4 model |
|
| Bookings | API.Bookings.BookOnBehalfOf |
no | Can book on behalf of someone else |
API.Bookings.BookLinkedSpaceWork |
Can book a linked space of class Work |
||
API.Bookings.BookLinkedSpaceSupport |
Can book a linked space of class Support |
||
API.Bookings.BookLinkedSpaceAmenity |
Can book a linked space of class Amenity |
||
API.Bookings.IgnoreTimeHorizon |
yes | Can ignore limitations of booking time horizon |
|
| API.Bookings.BookOutsideWorkingHours | [DEPRECATED, replaced by BookOutsidePolicySlots] Can book outside of working hours | ||
| API.Bookings.BookOutsidePolicySlots | yes | Can book outside the Bookable Slot that is set in booking policy | |
| API.Bookings.BookOutsideOfficeHours | yes | Can book outside of office hours | |
| API.Bookings.BookUnlimitedSpaces | yes |
Can book unlimited spaces If this permission is not granted, the role will be limited to book one space type for a certain period of time. For example:
|
|
| API.Bookings.IgnoreAllPolicyRestrictions | [DEPRECATED] Users of Roamer can ignore limitations of booking policy | ||
| API.Bookings.AssignCostCode | Can assign cost codes to bookings, this right shows the panel on the create/edit bookings page | ||
| API.Bookings.AddOnlineMeetingLink | Can add online meeting link | ||
| API.Bookings.V2 | Enables access to V2 API that follows OData v4 model | ||
| API.Bookings.Approve | Can Approve a Booking that requires approval | ||
| API.Bookings.Deny | Can Reject a Booking that requires approval | ||
| API.Bookings.BookRecurring | yes | Can create recurring bookings | |
| API.Bookings.Export | Can export bookings | ||
| API.Bookings.OverrideSetupTeardown | Can create, cancel, update Setup and Reset time slots for linked space bookings | ||
| API.Bookings.ShowPersonalInformation | Personal information will be shown irrespective of the Share Location setting | ||
| API.Bookings.BookOnBehalfAutoCheckinOption | Shows the auto check-in option checkbox in the Booking on behalf of someone else popup | ||
| API.Bookings.MoveSpace | yes |
✅ new in 2025.01 Can change location for the booking |
|
| API.Bookings.IgnoreMinMaxDuration | yes |
✅ new in 2025.01 Can ignore duration limitations set in the booking policy |
|
| ResolversCategories | API.ResolversCategories.V2 | Enables access to V2 API that follows OData v4 model | |
| IdentityProvider | API.IdentityProvider.SyncNow |
Can trigger an AAD sync |
|
| Users | API.Users.ResetPassword |
Can reset a user password |
|
API.Users.Search |
Can search for a user |
||
| API.Users.CheckPin |
Can view user PIN in Admin Portal > Manage > Users > User name > User Preferences as well in the payload.
|
||
| Files | API.Files.Read |
Can read server-side files |
|
API.Files.Create |
Can create server-side files |
||
API.Files.Update |
Can update server-side files |
||
API.Files.Delete |
Can delete server-side files |
||
API.Files.DeletePath |
Can delete a server-side file path |
||
API.Files.Download |
Can download files |
||
| Catering | API.Catering.AssignCostCode | Can assign cost code for catering | |
| API.Catering.Notify | no | Can send out catering notifications | |
| API.Catering.Approve | no | Can approve catering requests | |
| API.Catering.V2 | Enables access to Catering. Must be enabled for any of the Catering permissions to work. | ||
| API.Catering.MultipleOrders | Can create multiple catering orders | ||
| Devices | API.Devices.RestartDevice | Can restart device | |
| API.Devices.TerminateApp | Can terminate app | ||
| API.Devices.RestartApp | Can restart app | ||
| API.Devices.ClearCache | Can clear device cache | ||
| API.Devices.Navigate | Can force the app to go to a particular page | ||
| CostCodes | API.CostCodes.V2 | Enables access to V2 API that follows OData v4 model | |
| NotificationReminders | API.NotificationReminders.Enable | Enables existing notification reminder records for bookings and visits | |
| API.NotificationReminders.Disable | Disables existing notification reminder records for bookings and visits | ||
| TaskCategories | API.TaskCategories.V2 | yes | Can manage task categories |
| TaskTypes | API.TaskTypes.V2 | yes | Can manage task types per building and assign them to a task category |
| DataPoints | API.DataPoints.DataUpdate | Can view sensors' data updates | |
| TicketedEvents | Enable | yes |
✅ new in 2025.01 Can create an event |
| Disable | yes |
✅ new in 2025.01 Can disable an event |
|
| UserNotifications | V2 | yes |
✅ new in 2025.01 Enables access to V2 API that follows OData v4 model |