Help! Panic!! Entity permissions problem


sdg.marinusvz
2015-06-11 10:24

This post has been transcribed from an email. Some details were hidden to protect the privacy of customers and their clients.
Good Morning

I hope you are keeping well. I am currently working on the JXXXX server, and have come across a strange scenario (albeit probably created by myself)

I will start from the beginning, so you can get a full picture of what has transpired. We have started the KXXXX Project. The first 9 meters were created with the PXXXX log in, then NXXXX recommended that we create a separate Organisation for KXXXX, so I created the Organisation and role and login at that point. To get the 9 meter accounts and all the dependants on the KXXXX Organisation, I added all those entities to the role, so they would show up in the KXXXX login. Then I added another 43 meters etc. via the KXXXX Login, and everything was being displayed correctly on that login.

The PXXXX login was still displaying the 9 original meters and dependants (which I understand as they were created there); but it was also displaying all 52 meter accounts and all 52 modems (none of 43 sim cards or meters). So I removed the original 9 meter accounts and dependants, and re-added them via the KXXXX Login. Now we just had the 52 Meter accounts and Modems being displayed on PXXXX, and the KXXXX Login was correct.
Nigel said in the Role, I should try to remove all the entities listed there on the KXXXX role, which I did, and this is where my problem now starts.

With the Entities removed, I can only see the 52 Meters and Sim cards. I can only see the role from the PXXXX login, and I can only add the 52 Meter accounts and Modems to the KXXXX role from there (which if I do, then I can’t access the meters/sim cards). So I seem to have gotten myself in a bit of a permissions loop. Not wanting to recreate the 52 meter accounts and all the dependants, is there a way to get them all to be displayed only on the KXXXX login and not the PXXXX one?

The only dependent that is not only for the KXXXX login is the Tariff used by those meter accounts (currently the TXXXX one, as I am awaiting on info from the Munic)

If you could help me get the Entities to be displayed only on the KXXXX organisation? I will be in a meeting first thing this morning, but will give you a call after to chat with you about the issue.

Kind regards

WXXXX


sdg.marinusvz
2015-06-11 10:33

Permissions can get very complicated in various systems. In PNPSCADA we've tried to keep it as simple as possible. To understand it, there are a few core concepts that it is necessary to understand.
The first one is Ownership: every thing (all entities: meters, sim cards, modems, logins, roles, organizations etc) belongs to only 1 Organization.
The second one is that every Role is a role in only 1 Organization (not necessarily its owner); and there should be at least one Role called Administrator in an Organization.
The third one is that every Individual is an individual in only 1 Role (not necessarily in or belonging to its owner Organization). The Individual is your login.
Permissions are assigned per Role.
There are three domains of permissions in a Role.
The first domain is Access to Entities.
The second domain is Access to Interfaces.
The third domain is Access to Add entities of a certain type/class.
Each of the three can be either restricted or unrestricted. An Administrator role must have all three as Unrestricted.
If your Access to Entities is unrestricted, it means that you can see all entities that belong to your Role's Organization. If your Access to Entities is restricted, it means that the entities that can be seen by you are determined by the person that edits your Role: she can choose any entities visible to herself and give you access to them, regardless of what Organization they belong to.
(It follows from that, that it is possible in some circumstances for a 'restricted' role in an organization to see more entities than an 'unrestricted' role).
If another role is given permission to 'give' or 'share' access to entities to your role, they can also give the entities to your organization, or in the case where your permission is restricted on visible entities, they can 'share' access to an entity with your role, to make it visible to you, without giving up ownership.
Interface permissions determine what you can do with the entities you can see, e.g. delete permissions, or to view specific screens.
Add permissions determine what you can add and delete, e.g. Elster A1700 or Etron meters, etc.
For a client login, this is usually restricted completely.


sdg.marinusvz
2015-06-11 10:46

Normally when you add an entity, its owner is the same as the owner of your role. That is assigned by default. Also, if your role is entity-restricted, it will be added to your role permissions to be visible to your role.
If you want to make a separate organization, that 'owns' its own meters, the easiest way to do that is as follows:


  1. Add the new Organization
  2. Add a Role on that Organization called Administrator that is unrestricted
  3. Add a Login on that Role, but when doing that, click (select) the checkbox in the add dialog that says for the Login to become the Administrator of his own Organization.
What this will do, is it will give the Role and Organization to itself. The New Administrator will still belong to the original parent organization, and you can select it there and zoom in to it to see everything of the new organization.


sdg.marinusvz
2015-06-11 11:07

If you have entities belonging to one organization that you want to belong to another organization, you can 'give' it to that other organization. To be able to do that, follow the following simple procedure:


  1. Select the Role To Which you want to give the entities.
  2. Go to the Edit->SharingPermissions screen.
  3. Enter the [Role]/[Organization] text description in the text box of a Role that can see the entities now, and has admin permissions to it. And press the Add button to add the permission.
    (What I always do is go to the same screen in the other Role, and just select and copy it from the one page, and paste it into the other page). This would typically be something like for example "Administrator/Acme Printing"
  4. After that, log in on the Role that you specified in the text box in step 3.
  5. Select the entity you want to give up. Under the box under Selected Entity on your screen, there should be a link visible that says share entity.
  6. Click on share entity, and on the little popup, select 'Give it up' and the Role you want to give the entity to. Click on Share.

And that is how you give an entity from one organization to another.
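
The visibility rules from the permissions post and the 'give' procedure above, as a simplified Python model. This is an added example, not PNPSCADA code: the class, field and function names, the Parent/Child data, and the assumption that giving up an entity changes only its owner are all illustrative.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    org: str                     # a Role is a role in exactly one Organization
    restricted: bool = False     # the "Access to Entities" domain
    granted: set = field(default_factory=set)   # entities picked by whoever edits the role
    sharers: set = field(default_factory=set)   # "Role/Organization" entries on SharingPermissions

    @property
    def label(self):
        return f"{self.name}/{self.org}"

def visible(role, owners):
    """owners maps entity -> owning Organization (each entity has exactly one)."""
    if role.restricted:
        return set(role.granted)          # any organization, but only what was granted
    return {e for e, org in owners.items() if org == role.org}

def share(owners, src, dst, entity, give_up=False):
    """Steps 3-6 of the procedure; give_up=False is a plain share."""
    if src.label not in dst.sharers:
        raise PermissionError(f"{dst.label} has no sharing permission for {src.label}")
    if entity not in visible(src, owners):
        raise PermissionError(f"{src.label} cannot see {entity}")
    if give_up:
        owners[entity] = dst.org          # assumption: only the owner changes
    else:
        dst.granted.add(entity)           # only matters while dst is entity-restricted

def scenario():
    # Constructed data: two organizations, three meters.
    owners = {"m1": "Parent", "m2": "Parent", "m3": "Child"}
    p_admin = Role("Administrator", "Parent")
    c_admin = Role("Administrator", "Child")
    viewer = Role("Viewer", "Child", restricted=True, granted={"m1", "m2", "m3"})
    out = {"viewer": visible(viewer, owners), "c_admin": visible(c_admin, owners)}
    viewer.granted.clear()                # removing every entity from a restricted role
    out["viewer_cleared"] = visible(viewer, owners)
    c_admin.sharers.add(p_admin.label)    # step 3: "Administrator/Parent"
    share(owners, p_admin, c_admin, "m1", give_up=True)
    out["c_admin_after"] = visible(c_admin, owners)
    out["p_admin_after"] = visible(p_admin, owners)
    return out
```

In `scenario()` the restricted Viewer role starts out seeing more than the unrestricted Child Administrator, and sees nothing at all once its entity list is emptied.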
