User permission and access control

This guide explains how to manage access, permissions, and sharing in Ento. Whether you're managing your team, sharing sites with external partners, or controlling who can view and edit your data, this guide will walk you through every feature.

Table of Contents

1. Quick Start

2. Settings Overview

3. Your Access

4. Team Members

5. Shared by Us

6. Shared with Us

7. Common Scenarios

8. Frequently Asked Questions

1. Quick Start

Roles and Permission

Access Roles - There are 4 different roles, that defines what a user can do:

• Admin - Full access to all sites, including organisation, team and sharing settings

• Collaborator - Full access to all features - excluding organisation, team and sharing settings. A collaborator access can be limited to specific sites

• Commenter - Read-only access and the ability to make comments. A Commenter access can be limited to specific sites.

• Viewer - Read-only access. A Viewer access can be limited to specific sites.

Access Scope - defines which sites users can access:

• All Sites - Every site in your organization

• Sites with Tags - Only sites with specific tags (e.g., "offices")

• Specific Sites - Individual selected sites

Role Hierarchy

Roles are hierarchical - higher roles include all permissions from lower roles:

Admin

↓ includes all Collaborator permissions

Collaborator

↓ includes all Commenter permissions

Commenter

↓ includes all Viewer permissions

Viewer

2. Settings Overview

Access all features from Settings in the left navigation:

• Your Access - See all sites and organizations you have access to

• Team Members - Manage your organization's team (Admin only)

• Shared by Us - Manage access you've shared with partners outside the organisation (Admin only)

• Shared with Us - See access others have shared with your organization (Admin only)

Note: Only organization admins can access team and sharing settings.

Common Tasks

3. Your Access

Location: Settings → Your Access

View all access you've been granted across all organizations.

What You'll See

A table showing:

• Organization - Which organization the access is from

• Access Type - How you got access (Member, Shared with your user, Shared via [Org])

• Access Role - Your role (Admin, Collaborator, Commenter, Viewer)

• Accessible Sites - How many sites you can access

Understanding Access Types

Member

• You're a team member of the organization

• Access was granted by an organization admin

• Shows in "Team Members" for that organization

Shared with your user

• Direct personal access grant

• Someone shared specific sites with you directly

• You're not a team member

Shared via [Organization Name]

• Access granted to your entire organization

• Someone shared sites with your team

• Organization admin can control who gets this access via "Team Access Rules"

Actions

Accept (for pending access)

• Click to accept membership invitations or access grants

• Access becomes active after accepting

Remove

• Remove yourself from an organization

• Decline access you don't need

4. Team Members

Location: Settings → Team Members

Who can access: Organization admins only

Manage your organization's team members and control what they can access.

View Team Members

The table shows:

• Name - Team member's name

• Email - Team member's email address

• Access role - Team members access role

• Which sites -Summary of sites they can access

Status indicators:

• "(Awaiting Acceptance)" - Invitation sent but not yet accepted

• Normal display - Active team member

+ Invite

Click + Invite to add someone to your team.

Invitation Form

Name

• Full name of the person you're inviting

Email

• Email address where invitation will be sent

• Must be unique (can't invite someone already in the team)

Access Role

• Assign initial role: Admin, Collaborator, Commenter, or Viewer

Scope

Choose which sites they can access:

• All Sites

• Sites with Tags

• Specific Sites

What happens next:

1. System sends invitation email

2. Recipient clicks link in email

3. Recipient creates account (if new) or logs in

4. Recipient accepts invitation

5. You configure their access in "Member Access Rules"

Member Access Rules

Access: Adjust Member Access

Control exactly what each team member can access.

Current Access

Shows all active access grants for this member:

• Access Role - Their permission level

• Which Sites - Scope of their access

• Actions - Edit or Remove each grant

+ Add Access

Grant additional access to this member.

Access Role

• Choose: Admin, Collaborator, Commenter, or Viewer

• Higher roles include all lower role permissions

Which Sites? (not shown for Admin role)

• All sites - Access to every site in your organization

• Sites with tags - Access to sites with specific tags

• Specific sites - Access to individually selected sites

Examples:

Scenario 1: Facility Manager for Building A

• Access Role: Collaborator

• Which Sites: Sites with tags → "Building-A"

• Result: Can edit all sites tagged "Building-A"

Scenario 2: Read-only access to two specific sites

• Access Role: Viewer

• Which Sites: Specific sites → Select "Main Office" and "Warehouse 3"

• Result: Can view only those two sites

Scenario 3: Organization Admin

• Access Role: Admin

• Which Sites: Automatically set to "All sites"

• Result: Full access to everything

Best Practices

Start with minimum access

• Grant Viewer role first, increase as needed

• Easier to add access than remove it

Use tags for scalability

• Tag sites by building, region, or department

• Grant access by tag instead of individual sites

• New sites with matching tags are automatically included

Multiple grants for complex needs

• Grant Admin access to specific sites

• Grant Viewer access to all sites

• Member gets highest role for each site

5. Shared by Us

Location: Settings → Shared by Us

Who can access: Organization admins only

Manage access you've shared with external users and organizations.

What You'll See

A table showing:

• Shared With - Who has access (user email or organization name)

• Access Role - Their maximum permission level

• Which Sites - What they can access

Types of recipients:

User (email@example.com)

• Individual user access

• Shows "(Awaiting Acceptance)" if pending

Organization Name (Organization)

• Entire organization has access

• Their admin controls which team members get access

• Shows "(Awaiting Acceptance)" if pending

+ Share Access

Click + Share Access to grant access to external users or organizations.

Share Access Form

Who is it Shared With?

• User - Share with individual by email

• Organization - Share with entire organization by ID
  • Ask the organisation for their ID. The ID is the first number in the URL.

For User grants:

User Name

• Full name of the person (for new users)

User Email

• Email address

• They'll receive invitation if new user

• They'll see access in their "Your Access" page

For Organization grants:

Organization ID

• Numeric ID of the organization

• Contact the other organization for their ID

• Their admin can distribute access via "Team Access Rules"

Access Role

• Choose: Admin, Collaborator, Commenter, or Viewer

• This is the maximum role they can use

• They (or their admin) can further restrict it

Which Sites? (not shown for Admin role)

• All sites - Share all sites in your organization

• Sites with tags - Share sites with specific tags

• Specific sites - Share individual selected sites

Examples

Scenario 1: Share all buildings with consultant

• Shared With: User → consultant@example.com

• Access Role: Collaborator

• Which Sites: All sites

• Result: Consultant can work on any site

Scenario 2: Share specific building with facility manager

• Shared With: User → fm@building.com

• Access Role: Collaborator

• Which Sites: Sites with tags → "Building-5"

• Result: They have full control over Building-5 tagged sites

Scenario 3: Share portfolio with partner organization

• Shared With: Organization → ID 123

• Access Role: Viewer

• Which Sites: Sites with tags → "Region-North"

• Result: Their team can view Region-North tagged sites (their admin controls distribution)

Managing Existing Shared Access

Edit

• Change role or scope

• Cannot change recipient

• Changes take effect immediately

Remove

• Revoke access completely

• User/organization loses access immediately

• Cannot be undone (must create new grant to restore)

6. Shared with Us

Location: Settings → Shared Access → Shared with Us

Who can access: Organization admins only

See access other organizations have shared with your team.

What You'll See

A table showing:

• Shared By - Organization that shared access

• Granted Role - Maximum role available

• Which Sites - What sites are available

Status:

• "(Awaiting Acceptance)" - You haven't accepted yet

• Normal display - Active access

Accept

Click Accept on pending grants to:

1. Activate the shared access

2. Make sites available to your organization

3. Enable creation of Team Access Rules

What happens:

• System creates an organization-level team access rule

• You can now distribute access to specific team members

• Sites appear in your organization's site list

Team Access Rules

Access: Click on accepted grant → Team Access Rules

Control which team members can use the shared access and with what permissions.

Understanding Team Access Rules

When another organization shares sites with you:

• They set the maximum role (e.g., Collaborator)

• You control distribution via Team Access Rules

• You can further restrict scope and role

• You cannot elevate beyond their granted role

Example:

• Partner shares 100 sites with Collaborator role

• You create rules to:
  • Give “Alice” Admin access (limited to Collaborator by grant) to 10 sites

  • Give “Bob” Viewer access to all 100 sites

  • Give “Charlie” Collaborator access to sites tagged "Downtown"

Current Team Access Rules

Shows all rules you've created:

• Applies To - Team member or entire organization

• Access Role - Their effective role

• Which Sites - Scope of their access

• Actions - Edit or Remove

+ Add Team Access Rule

Create rules to distribute shared access.

Applies To

• All team members - Everyone in your organization gets access

• Specific member - Choose individual team member

Access Role

• Cannot exceed the granted role from "Shared By"

• Can be more restrictive (e.g., grant is Collaborator, rule gives Viewer)

Which Sites?

• All sites - All shared sites (from grant)

• Sites with tags - Only shared sites with specific tags

• Specific sites - Only specific shared sites

Examples:

Scenario 1: Grant shared access to everyone

• Shared By: Partner Org (Collaborator, All sites)

• Applies To: All team members

• Access Role: Viewer

• Which Sites: All sites

• Result: Everyone can view all shared sites

Scenario 2: Give one person Collaborator access to subset

• Shared By: Client Org (Collaborator, 50 sites)

• Applies To: Specific member → John

• Access Role: Collaborator

• Which Sites: Sites with tags → "Building-A"

• Result: John can edit sites tagged with Building-A from the shared set

Scenario 3: Restricted access for external consultant

• Shared By: Data Provider (Commenter, All sites)

• Applies To: Specific member → consultant@external.com

• Access Role: Viewer

• Which Sites: Specific sites → Select 3 sites

• Result: Consultant can view only 3 specific sites

Best Practices

Review before accepting

• Check what's being shared and the role

• Decline if you don't need the access

Start restrictive

• Create "All team members" rules with Viewer role first

• Add specific higher-access rules as needed

Use specific member rules for sensitive access

• Don't give everyone admin access

• Create targeted rules for those who need it

7. Frequently Asked Questions

General Access

Q: How do I see what I can access?

A: Go to Settings → Your Access. This shows all organizations and sites you have access to.

Q: Can I have different roles for different sites?

A: Yes! Your role is determined per-site. You might be Collaborator for some sites and Viewer for others.

Q: What happens if I have multiple access grants to the same site?

A: You get the highest role. If you're granted Viewer and Collaborator access to the same site, you have Collaborator access.

Q: Can I access sites through multiple organizations?

A: Yes. If you're a member of Org A and Org B shares sites with you, you can access both organizations' sites.

Team Management

Q: I invited someone but they haven't shown up in the team. Why?

A: They need to:

1. Click the invitation link in their email

2. Create an account (if new) or log in

3. Accept the invitation

Check if they show as "(Awaiting Acceptance)" in the team list.

Q: Can I remove someone from my team?

A: Yes. Select them in Team Members and click Remove. They lose access immediately.

Q: Can team members change their own access?

A: No. Only organization admins can manage team member access.

Sharing Access

Q: How do I find an organization's ID to share with them?

A: Ask the organization administrator. They can find it in their settings or provide it to you.

Q: Can I share with someone who doesn't have an account yet?

A: Yes. Share by email. They'll receive an invitation to create an account and access your sites.

Q: What if I share with the wrong person?

A: Click Remove on the grant in "Shared by Us" immediately. They lose access right away.

Q: Can I temporarily share access?

A: The system doesn't have automatic expiration, but you can:

1. Share access when needed

2. Manually remove it when the project ends

3. Set a calendar reminder to review and remove access

Q: When I share with an organization, who gets access?

A: Nobody automatically. The organization's admin must first accept the share.Then they can create Team Access Rules to distribute access to their team. This gives them control over which team members see your sites.

Team Access Rules

Q: Why can't I give someone Admin access when managing Team Access Rules?

A: The organization that shared with you set a maximum role (e.g., Collaborator). You cannot grant a higher role than they allowed.

Q: Can I create Team Access Rules before accepting a share?

A: No. Accept the share first, then create rules.

Q: What happens if I create an "All team members" rule and also a specific member rule?

A: The specific member gets the highest role from any applicable rule. Example:

• All team members: Viewer

• Alice (specific): Collaborator

• Result: Alice has Collaborator, everyone else has Viewer

Roles and Permissions

Q: What's the difference between Collaborator and Admin?

A: Collaborators can work with sites and data but cannot:

• Manage team members

• Share access with others

Admins can do everything.

Q: Can a Commenter create content?

A: No. Commenters can only view data and add comments. They cannot create or edit sites, meters, or other content.

Q: I'm a Viewer but need to edit something. What do I do?

A: Contact your organization administrator and request Collaborator access.

Q: Can Viewers see sensitive data?

A: Viewers can see all data within their scope. If certain data should be restricted, exclude those sites from their access scope.

Tags and Scopes

Q: What happens if I grant access by tag and then change a site's tags?

A: Access updates automatically:

• Add tag to site → User gains access

• Remove tag from site → User loses access

Q: Can I use multiple tags in one grant?

A: Yes. Select multiple tags. User gets access to sites that have ANY of the selected tags (OR logic).

Q: What's better: tag-based or site-specific access?

A:

• Tags: Better for many sites, automatically includes new sites

• Specific sites: Better for small numbers, precise control

Use tags for scalability, specific sites for precision.

Troubleshooting

Q: Someone says they can't see a site they should have access to.

A: Check:

1. Settings → Team Members → Their access rules

2. Verify the site has the expected tags (if using tag-based access)

3. Confirm the site is in the right organization

4. Check if they've accepted pending access grants

Q: I shared access but the user says they didn't receive an email.

A: They should:

1. Check spam/junk folder

2. Verify email address is correct

3. Go directly to Settings → Your Access and check for pending grants

You can also remove and re-share if needed.

Q: How do I audit who has access to my sites?

A: Go to Settings → Shared by Us to see all external access you've granted. For team members, use Settings → Team Members.

Q: Can I export a list of who has access?

A: Tables in all settings pages can typically be exported. Look for export/download options in the interface.

Q: Someone left the company. How do I remove all their access?

A:

1. If they were a team member: Settings → Team Members → Select them → Remove

2. If they had direct user grants: Settings → Shared by Us → Find their grants → Remove

3. This removes all their access immediately

Tips and Best Practices

Access Management

Use the principle of least privilege

• Start with Viewer role

• Grant higher access only when needed

• Regularly review and remove unnecessary access

Leverage tags for scalability

• Develop consistent tagging strategy

• Grant access by tags instead of individual sites

• New sites automatically inherit appropriate access

Document your access strategy

• Keep notes on why specific access was granted

• Document temporary access with end dates

• Review access quarterly

Team Organization

Regular access reviews

• Quarterly: Review all external access

• Monthly: Review team access rules

• When people leave: Remove immediately

Sharing Best Practices

Before sharing externally:

• Verify you have right to share the data

• Confirm recipient's identity

• Start with minimum necessary access

• Set expectations about access duration

When receiving shared access:

• Review what's shared before accepting

• Create restrictive team rules initially

• Expand access as needed

• Communicate with sharing organization if issues arise

Security

Protect admin access

• Limit number of admins

• Use strong authentication

• Review admin list regularly

Monitor shared access

• Track who you've shared with

• Remove access when projects end

• Don't share more than necessary

Respond to access issues quickly

• Remove access immediately if compromised

• Contact support for suspicious activity

• Update access when people change roles

8. Common Scenarios

Scenario 1: Onboarding a New Team Member

Situation: New energy manager joining your team

Steps:

1. Go to Settings → Team Members

2. Click + Invite

3. Fill in:
   • Name: "Sarah Johnson"

   • Email: "sarah@company.com"

   • Access Role: Collaborator

   • Which Sites: All Sites

4. Click Submit

5. Wait for Sarah to accept invitation

Result: Sarah can access and edit all sites

Scenario 2: Sharing Building Data with Facility Manager

Situation: Building FM needs admin access to their building only

Steps:

1. Go to Settings → Shared by Us

2. Click + Share Access

3. Fill in:
   • Shared With: User

   • User Name: "Mike Chen"

   • User Email: "mike@building-fm.com"

   • Access Role: Collaborator

   • Which Sites: Specific Sites → "Building-7"

4. Click Submit

Result: Mike gets invitation and full access to Building-7

Scenario 3: Peer Organization Data Sharing

Situation: Peer org shares their data, you want team to view it

Steps:

1. Wait for share notification (or check Settings → Shared with Us)

2. Go to Settings → Shared with Us

3. Find pending grant from peer organization

4. Click Accept

5. Click on the accepted grant

6. Go to Team Access Rules tab

7. Click + Add Team Access Rule

8. Configure:
   • Applies To: All team members

   • Access Role: Viewer

   • Which Sites: All sites

9. Click Submit

Result: Everyone on your team can view the peer organization's shared sites

Scenario 4: External Consultant Needs Temporary Access

Situation: Consultant needs to work on specific project sites for 3 months

Steps:

1. Go to Settings → Shared by Us

2. Click + Share Access

3. Fill in:
   • Shared With: User

   • Name: "Alex Rivera"

   • Email: "alex@consulting.com"

   • Access Role: Collaborator

   • Which Sites: Tags → "Consultant-Project"

4. Click Submit

Later (after project):

1. Go to Settings → Shared by Us

2. Select access grants to remove

3. Click Remove

Result: Consultant has time-limited access to specific sites

Scenario 5: Multi-Building Portfolio Manager

Situation: Manager oversees buildings in multiple regions with different access needs

Steps:

1. Go to Settings → Team Members → Click on user

2. Create multiple access grants:

Grant 1: Full access to Region 1

• Access Role: Collaborator

• Which Sites: Sites with tags → "Region-1"

Grant 2: View-only for Region 2

• Access Role: Viewer

• Which Sites: Sites with tags → "Region-2"

Grant 3: Collaborate on specific HQ building

• Access Role: Collaborator

• Which Sites: Specific sites → "Headquarters"

Result: Manager has appropriate access levels across portfolio

Scenario 6: Cascading Access Through Tags

Situation: Want to automatically grant access as buildings are added

Setup:

1. Tag your sites consistently (e.g., "Division-A", "Division-B")

2. Grant access by tags:
   • Division A Manager: Collaborator → Sites with tags → "Division-A"

   • Division B Manager: Collaborator → Sites with tags → "Division-B"

When you add new buildings:

1. Tag new building with "Division-A"

2. Division A Manager automatically gets access

3. No manual access update needed

Result: Scalable access management as portfolio grows

Getting Help

For access issues:

1. Check this guide's FAQ section

2. Verify your access in Settings → Your Access

3. Contact your organization administrator

For security concerns:

1. Remove access immediately if concerned

2. Document the issue

3. Contact Ento support