Using Location-Based Access Control (LBAC)
Location-based access control is an optional feature that enables you to control which records and events operators can manage.
Turning on LBAC mode enables you to create location groups. Operators can only view records and events that belong to the locations and location groups assigned to them. This allows you to separate records belonging to different branches, franchises, cities, regions or any other grouping that makes sense for your Protege X system.
For this walkthrough, we will use the example of a global company with offices in multiple cities. Each country (Australia, New Zealand, Singapore) is a location group containing one or more locations from that country. A larger location group represents the entire Asia-Pacific region.
For some other examples of how to design a system using location groups, see Designing a Protege X System.
LBAC Rules
The rules for location group visibility are based on the record hierarchy (see Protege X Record Hierarchy):
- All locations must be in a location group, even if the group only contains that one location. For example, Auckland must be programmed in the New Zealand location group even though there are no other New Zealand locations.
- Records programmed under the location or controller are only visible to operators with access to those locations.
  For example, if an operator has the Australia location group, they can see outputs from the Melbourne and Sydney locations but not from the Singapore location.
- Events come from the controller, and so are only visible to operators with access to the location that controller belongs to.
- Groups (excluding holiday groups) are only visible if the operator has access to every individual record in the group.
  For example, an area group containing areas from both Melbourne and Auckland locations will be visible to operators with the Asia-Pacific location group, but not to those with only the Australia location group.
- Other records programmed under the place (users, access levels, schedules, holiday groups, etc.) have a location group assigned to them. Operators can see any record that is associated with any of the locations they have access to.
  For example, an operator with the Asia-Pacific group will see all user records from the Asia-Pacific group and the Australia, New Zealand and Singapore groups.
In addition, the records that can be assigned to another record are filtered based on location groups. You can only assign a record if it comes from the same location group or another location group that is a subset of it.
For example, a user with the Australia location group can have access levels from Melbourne and Sydney, but not from New Zealand or Singapore. A user with the Asia-Pacific location group can be assigned access levels from Australia, New Zealand and Singapore location groups.
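The rules above can be checked against a planned design before anything is programmed. The following is an added example, not Protege X code: it models the walkthrough's location groups as sets of locations and applies the visibility and assignment rules as they are worded on this page. The function names, user names and access level names are assumptions made for illustration.

```python
# Added illustration: a set model of the LBAC rules, not Protege X code.
# Location groups from the walkthrough, each a set of locations.
GROUPS = {
    "Australia": {"Melbourne", "Sydney"},
    "New Zealand": {"Auckland"},
    "Singapore": {"Singapore"},
}
GROUPS["Asia-Pacific"] = set().union(*GROUPS.values())


def sees_location_record(operator_group, location):
    """Records and events under a location or controller need that location."""
    return location in GROUPS[operator_group]


def sees_record_group(operator_group, member_locations):
    """Groups (except holiday groups) need access to every member record."""
    return all(sees_location_record(operator_group, loc) for loc in member_locations)


def sees_place_record(operator_group, record_group):
    """Users, access levels, etc. are visible when the two groups share a location."""
    return bool(GROUPS[operator_group] & GROUPS[record_group])


def can_assign(parent_group, child_group):
    """Assignable only from the same location group or a subset of it."""
    return GROUPS[child_group] <= GROUPS[parent_group]


def audit_assignments(plan):
    """Return the (user, access_level) pairs in a plan that break the subset rule."""
    return [(user, level) for user, user_group, level, level_group in plan
            if not can_assign(user_group, level_group)]


# Constructed plan: (user, user's group, access level, access level's group).
PLAN = [
    ("alice", "Australia", "Sydney Office", "Australia"),
    ("bob", "Australia", "Auckland Office", "New Zealand"),
    ("carol", "Asia-Pacific", "Auckland Office", "New Zealand"),
    ("dave", "New Zealand", "Regional Staff", "Asia-Pacific"),
]

if __name__ == "__main__":
    print(audit_assignments(PLAN))  # pairs to fix before programming
```

Under the shared-location wording of the visibility rule, `sees_place_record("Australia", "Asia-Pacific")` is true in this model, so assigning a broad location group to a record widens who can see it.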
Enabling LBAC
To enable LBAC:
- Navigate to the places page by clicking Places in the breadcrumb bar (directly below the Protege X logo).
- Select the place you are programming.
- Click Edit.
- Enable LBAC Mode.
- Click Save.
Programming Location Groups
Before you program location groups, we recommend you carefully consider how the system should be structured (see Designing a Protege X System). Programming the location groups correctly at the beginning will prevent reprogramming at a later stage.
To create location groups:
- Navigate to Groups | Location groups.
- Add a new location group with a descriptive name (e.g. Australia).
- Under Locations, click Add to select one or more locations that will be included in this group (e.g. Melbourne and Sydney).
- Click Create.
- Create as many location groups as required. Each location can be added to multiple groups: for example, the Melbourne and Sydney locations should be included in both the Australia group and the Asia-Pacific group.
Assigning Location Groups to Operators
Location groups are assigned to operators under the role. The operator's location group has two effects:
- Determines what records the operators can view. The operator can only view records that share a location with their location group.
- Determines which other operators can view this operator record.
To assign a location group to an operator:
- Navigate to Admin | Operators.
- Add or select an operator. Enter any details required.
- Under Roles, click Add and add a role to the operator.
- By default, the operator has access to all locations. Click All Locations next to the role to select a specific location group.
- Click Create or Save.
Assigning Location Groups
The following record types must have a location group assigned:
- Users
- Access levels
- Schedules
- Input types
- Door types
- Phone numbers
- Holiday groups
- Roles
- Personal access tokens
By default, all records are set to All Locations. This means that they will be visible to all operators and have no programming restrictions. You can narrow down access by setting the Location Group when you create or edit the record.