System accounts
A system account is a special kind of account that is used by the Planon application internally to perform specific actions.
Actions in the Planon application are always performed by an account. For reasons of security and compliance, the user performing such an action needs to be known by the application.
 | System accounts: • Are not linked to an actual person • Are meant to be used for internal processes only • Must not be deleted |
The following table lists the system accounts in the Planon application:
System account | Description | Used by |
|---|---|---|
AWMDataEngineAdmin | Used to perform all the AWM processes, initialized by the AWM data engine. For example: polling the sensoring system. The AWMDATAENGINEADMIN account must be linked to specific product definitions: • AWMDataEngine • EnterpriseServiceAPI • EventConnector • JsonServices | Agile Workplace Management |
CloudAdmin | Used to configure the environment based on (cockpit) input. For example: Creating a property set in the Cloud. The CloudAdmin account must be assigned all rights and, if you use product definitions, the product definition EnterpriseServiceAPI must be linked to the CloudAdmin user group. | Environment Management gadget |
EventConnectorAdmin | Used to trigger events creating and processing outbound messages. For example: using the pull mechanism to create outbound messages. | Event Connector |
ExchangeAdmin | Used in synchronizing Exchange appointments. It is recommended that the EXCHANGEADMIN account be part of the Administrators user group and have full access to specific business objects such as Exchange mailbox, Exchange appointment, Reservation, and Reporting. | Connect for Outlook Connect for Calendars |
IOTAdmin | Used to service the IoT platform. | IoT Platform |
SchedulerEngineAdmin | Alerts Connect for Outlook | |
SysDatalake | Connect for Analytics |
User groups
Each of these special accounts is assigned to a corresponding user group, which is preconfigured in the Accelerator. These groups define the expected role, authorization, function profiles, and product definitions required for the account to operate correctly.
Account name | Expected user group* |
|---|---|
AWMDATAENGINEADMIN | AWMDataEngineAdmin |
CLOUDADMIN | CloudAdmin |
EVENTCONNECTORADMIN | EventConnectorAdmin |
EXCHANGEADMIN | ExchangeAdmin |
IOTADMIN | PlanonIoTAdmin |
SCHEDULERENGINEADMIN | Schedule |
System account protection
To ensure operational continuity and prevent misconfiguration, the platform protects these accounts from unintended changes.
| | Although SYSDATALAKE is also a system account, it requires not further protection as it does not exist in the database and is inherently protected. |
The following rules are in place for system accounts to protect the system:
• Account - user group
◦ You can link an account to a user group
◦ You cannot unlink an account from the last linked user group
◦ You cannot unlink an account from its expected (*) user group
• User group - account
◦ You can link a user group to an account
◦ You cannot unlink the last user group from the account
◦ You cannot unlink the expected user group (*) from the account
• You are not allowed to change specific fields on the account:
◦ Name
◦ Setting an end date
If an end date for these system accounts is detected during upgrade, it will be attempted to clear the value. If this attempt fails, the end date will be set to 1/1/5000.
◦ Setting a start date after the current date-time
If the start date of any of these accounts is in the future, the date will be set to 1/1/1970.
• The following actions are not allowed:
◦ Delete
◦ Anonymize