Next Plus doesn't have a single "permission" switch. Access is controlled by five independent systems that stack on top of each other. You set each one separately, and a person's real-world access is the combination of all of them. Understanding the five layers β and that they're separate β is the key to getting access right and avoiding surprises.
The five layers at a glance
Layer | The question it answers | Where you manage it |
Role | What actions can this person perform? (view, sign, build, administer) | Settings β Users β User Configuration |
Groups | Which content is this person allowed to see? | Modeling β Groups |
Stations | From which terminals on the floor may this person log in? | User profile flag + Station Management |
Certifications | What is this person qualified to sign / approve? | Settings β Users β Certifications |
Licensing | How many users of each type does the contract allow? | Licensing (seat counts, enforced automatically) |
Read it this way: Role decides what you can do. Groups decide what you see. Stations decide where you log in. Certifications decide what you can sign. Licensing decides how many seats exist. They are configured independently.
Layer 1 β Roles: what you can do
Every user has exactly one base role. The role is the biggest lever β it defines the core of what the person can do. Next Plus ships with five built-in roles, from least to most privileged:
Role | What they can do | Typical people |
Viewer | Read-only. View work instructions, reports, and BI dashboards. Cannot enter data, sign steps, or fill forms. | Managers, quality leads, auditors, C-level |
Operator | The shop-floor user. Open work orders, run sessions, sign steps, fill forms. No access to configuration or modeling screens. | Machine operators, technicians, QC personnel, subcontractors |
Editor | Owns content. Build and edit workflows, forms, work orders, fields, and tools. Can assign roles, groups, and stations to users. Uses BI tools. No system-level settings. | R&D, engineering, technical writers |
Admin | Full business administration: user management, system settings, integrations (ERP / LDAP / SAML), and all content. Everything an Editor does, plus system administration. Not infrastructure operations. | IT / IS, compliance officers |
SysAdmin | Everything an Admin can do, plus infrastructure: system backups and sync / replication. The highest level. | IT / IS teams |
A note on naming: older material sometimes calls the top tier simply "System Administrator." The current platform separates Admin (full business administration) from SysAdmin (adds infrastructure-level backup and replication). For day-to-day administration, Admin is what most customers use.
Fine-tuning a role: custom roles
When the base role is almost right but you need one exception, you add a custom role on top. A custom role does one thing: it adds (Allow) or removes (Deny) specific capabilities for that user. Two common examples:
Operator who can also create work orders β add a custom role that Allows work-order creation.
Editor who must not delete forms β add a custom role that Denies form deletion.
For admins: Custom roles are built in Settings β Users β Roles Configuration. Each rule targets a system entity (e.g. Work Orders, Forms), an access type (read / write / execute / all), an optional specific action, and Allow or Deny. Best practice is one base role per user plus a custom role only when needed. Stacking many roles is technically possible but not recommended.
Layer 2 β Groups: what you can see
Groups scope visibility, not actions. Put the Assembly team in an "Assembly" group and tag Assembly's workflows and work orders to that group, and those users see Assembly's content instead of the whole plant's.
The thing customers most often get wrong: groups only scope a specific set of things. Group filtering applies to workflows, work orders, work-order templates, configurations, the forum, and user assignment β and nothing else. Forms, parts, stock, tables, and tools are not directly hidden by groups. An Editor opening the Forms list sees every form regardless of group; a form is only "hidden" indirectly, because an operator can't reach the workflow that opens it.
The one setting that changes everything
A single system setting β "Users without group see all" (default OFF) β changes how group filtering behaves. It affects both grouped and ungrouped users, which is the part that surprises people:
Setting | A user WITH groups sees⦠| A user with NO groups sees⦠|
OFF (default) | Their own groups + shared (ungrouped) content | Only shared (ungrouped) content |
ON | Only their own groups β loses access to shared content | Everything |
The gotcha: the name suggests it only affects ungrouped users, but turning it ON also makes grouped users lose access to shared content. Decide this once at implementation. Turn it ON for strict department-by-department isolation; leave it OFF when departments share common content.
Two common models:
Group-per-department β tag all workflows and work orders to a department group and attach each user to their department. Strict separation, often paired with the setting ON.
Views instead of groups β skip groups; each team uses saved filters (Views) on the list screens to show only what's relevant. Simpler to maintain.
For admins: Groups live under Modeling β Groups, not Settings β a frequent point of confusion. Groups can also sync from a SAML / LDAP identity provider by matching an external group ID. Categories (also under Modeling) look similar but are organization only β they carry no security.
Layer 3 β Stations & licensing: where you log in, how many seats
Seat counts (licensing)
Next Plus tracks two seat pools against your contract limits, and exceeding a limit blocks the role change until a seat is freed:
Editor seats β every Editor, Admin, and SysAdmin counts against your editor limit.
User seats β every active Operator and Viewer counts against your user limit.
Station-based licensing
Some users are licensed to a station β a work position on the shop floor β rather than to themselves personally. A station is identified by the browser: it's created automatically the first time someone opens Next Plus on that browser, and stored there. No hardware lock is used, so a different browser, an incognito window, or a cleared browser all look like a new station.
There are two kinds of user:
Regular users β not affected. They log in from any device or location, as before.
Station-based users β can log in only from approved stations. They are not tied to one specific station; they move freely between any approved station. Only one station-based user can be active on a station at a time.
What happens at a new station:
The first login from a new station marks it as pending, and a request is created automatically β no manual setup.
An administrator approves or declines it. Until it's approved, station-based users can't continue from that station.
If a second station-based user logs into a terminal already in use, the first session is disconnected (one session can replace the other) β this stops a shared terminal being used by two people at once.
Every station action β requested, approved, declined, status changed β is recorded, so administrators have full visibility without extra setup.
For admins: Mark a user station-based with the "Requires Station License" flag on their profile, and approve stations in Station Management. The recent platform change is about applying these long-standing rules more strictly and consistently at login β it does not add a new license type, change pricing, limit regular users, or lock usage to specific hardware.
Layer 4 β Certifications: what you're qualified to sign
Certifications are qualifications you assign to users. Their main job is to gate signing on specific workflow steps: a step can require a certification, and only users who currently hold it can sign. They also gate work-order status transitions and form permissions.
Defining and assigning
Define a certification in Settings β Users β Certifications with a name, an optional description, and Days to Expire (0 = never expires). Then assign it to users β the expiry countdown starts from the assignment date. After expiry the user simply can no longer use the cert (its status flips to Invalid); to renew, you reassign it, which starts a fresh window.
How it's enforced at signing
Normal sign β when the operator presses Next, the system checks the logged-in operator holds every certification the step requires. Missing one blocks the sign with a clear message.
Electronic Signature β the signer authenticates in the sign dialog (username + password, or a PIN for SAML users), and their current valid certs are checked per signature slot.
Beyond signing, certifications can also be required to move a work order between statuses, and they can be mixed with roles in a form's View / Create / Close permissions. This layer matters most in regulated industries (AS9100, ISO 13485, medical, aerospace), where "only a currently-certified person may sign this inspection" is a compliance requirement.
Layer 5 β How people sign in: local vs SAML / LDAP
Local users β username + password (optionally a scanned badge or PIN).
SAML / LDAP users β identity (username, email, name) is managed by your identity provider and is read-only inside Next Plus. These users must set a PIN in their Next Plus profile, because the PIN is required for Electronic Signatures β without it they get a "you haven't set a PIN" error when trying to sign.
Roles, groups, stations, and certifications are still assigned inside Next Plus, not in the identity provider β with one optional exception: Role Mapping and Certification Mapping can auto-assign roles or certs from your IdP's attributes if you set them up.
Putting it together: one worked example
A QC inspector on a regulated assembly line shows all five layers at once:
Layer | How it's set for this person |
Role | Operator β runs sessions, signs steps, fills forms; no access to configuration. |
Custom role | (optional) Allow "create work orders" if they open their own jobs. |
Groups | "Final Assembly" β they see only that line's workflows and work orders. |
Station | Station-based β can log in only from approved QC terminals, one user per terminal. |
Certification | "Final Inspection" β only current holders can sign the inspection step. |
Sign-in | SAML via company Azure AD; a PIN is set in Next Plus for the electronic signature. |
The result: this person can do exactly the QC job, only on the right line, only from approved terminals, and can sign the inspection only while their certification is valid β all enforced automatically.
Quick reference: where to manage each layer
What | Where | Who can change it |
Users & base roles | Settings β Users β User Configuration | Editor / Admin |
Custom roles | Settings β Users β Roles Configuration | Admin |
Certifications | Settings β Users β Certifications | Admin / Editor |
Groups | Modeling β Groups | Editor |
"Users without group see all" | Settings β System Settings | Admin |
Station-based flag | User profile ("Requires Station License") | Editor / Admin |
Approving stations | Station Management | Admin |
SAML / LDAP sign-in | Settings β Integrations | Admin |
Things to know
Groups only scope six entity types β forms, parts, stock, and tables are not directly hidden by groups.
The "Users without group see all" setting changes behavior for both grouped and ungrouped users. Set it once at implementation.
Groups and Categories live under Modeling, not Settings. Categories are organization only β they carry no security.
SAML / LDAP users must set a PIN before they can electronically sign.
Stations are browser-based: incognito mode or a cleared browser looks like a new station and needs re-approval.
Expired certifications fail at sign time with no advance warning to the user β plan renewals proactively.
Licensing limits block role changes when a seat pool is full β free a seat first.
Related articles