No you have not missed anything.
This functionality in EMPOWER is not protected at all
In other words: ANY user of Empower can create NODES or instruments.
We do have on a regular basis issues with that as we are running a multisite environment.
So if a user in site a is buying a new instrument then he can connect it to EMPOWER without purchasing needed licenses as long as there are free licenses in the system available.
That means He can "steel" a license from somebody else.
Thank you Reinhard. Saves me some time searching. But this is something we will have to solve procedurally and make sure a review of nodes/systems is covered in the periodic reviews.
There is something more important if user see instrument or node he or she could remove it...
As a longtime Enterprise Empower 3 user. You have missed a lot of stuff. (I am not talking about Empower 3 Personal Client!).
You need to download 2 PDF's from waters 1) Empower 3 installation guide. 2) Empower 3 System Admins Guide.
You create USER's and USER Groups., The Newly created USER GROUPS have access rights, None of which should allow you to delete an UPLC, rename a UPLC or any other major changes. Then you create USERS. You add the USERS to the newly created groups. These groups should only see the projects that THERE group created and made.
So, you can have a NON-GxP group, a GxP group and a Research group....As many as you want...
When you create a user. You need to assign that person to a group. (as an FYI, you can create several access group levels next to a Group that let you promote users as they get better at Empower)
For example, you have a group called Formulations. You create a group named FGScientist. this will have the lowest access to the equipment in Formulations. Then you create a 2nd group called FGReseacher. This group has the same access as the 1st group plus a few more...freedoms.
When you create a USER. You select all of the USER groups for the new user.
Also, when you install and setup an HPLC/UPLC or a Beckman Coulter pa880+. When you create the new system in Empower. You assign that new system to a group or groups. So that only that Group can see and access it.
Yes, this can be complicated but it can be done!
No one outside your group should see your Projects and equipment. No One!
Your WATER's rep can help you setup what I am talking about.
I know that it is possible to cross user privileges within user types and access privileges with Use group, but you could test that for example for Guest use group that it is default one within the standard installation of Empower 3 FR2 SR2 this user type that has only 2 privileges selected and could remove Nodes-Laces and also Systems, probably you prefer not to have this so closed but in pharma granular made you to do things in an easy way.
So this is obviously not a complete way of avoid deletion issues. In my opinion it should be added a specific privilege for each thing one for deleting Nodes and another for systems, they are pretty important categories like projects, custom fields or user for having its own and specific separate level, and for projects, custom fields, default strings etc have delete specific privileges as you know.
I have been working with millenium, Empower 1, Empower 2 and Empower 3 from 15 years ago thanks for your help.
Privileges are included in User Types, view access it is provided by User Groups.
This is very easy to control. Change the access of Node to people who can actually modify it by assigning "Owner and group". After that user cannot see node, but can see the systems. They can also see the delete highlighted for systems but while trying to delete it shows that you do not have access.This prevents people from deleting nodes and systems
The question was: how to prevent a user to CREATE a system?
Your explanation is correct and complete BUT it is not the answer to the question.
What you are explaining is what we do here in a global EMPOWER3 system day by day. And I can promise you that we have not missed something :-)