Accruent Family
Insecure URL disabled

Into

This is about using your camera app to scan a QR code and take you in to the person (id badge), asset, part (bin barcode) etc..,

What is a QR code

You probably think you know the answer, and some do. The QR code originally was a way of holding some Japanese text for vehicle tracking, it then expanded adding features for providing a string of any random information and several other spec

When most people think of QR codes they think of the square of squares that they point their phone at and the phone takes them to a URL.

A QR code can hold up to 7089 digits or 4296 characters. When damaged, there are error correction features built in, this is why you can put a picture in the center - basically you are corrupting those bits and error correction fixes it when people read it.

URLs to MCe

This is the way Accruent and we recommend you do it.

You create a URL (discussed later), you then can use that URL in various ways including putting it into the type of QR code that 'is' a URL.

How to create a MCe URL to take you directly to an asset

Barcode Printing, what content - Sample Asset report And good news, the exact same MCe barcode will let you scan it to pick in a pick list as well as filter in a tree or list or table view. This is more than even the ill fated MC ones ever did (they were one or the other ways).

URLs to MRO

TL;DR

Do not use, use the MCe one instead. Barcode Printing, what content - Sample Asset report

Accruent used to support this feature, but when they realized all the security risks, they wisely removed it in the next upgrade. They have officially stated that they do not support, will not support it, and if it works 'today' they might on purpose or by accident block it in a future release.

But still, people continue to ask for it from time to time so... here is why you really don't want it.

Details

There is a 'hidden' feature.

It is not on by default, you have to do things to make it work.

It takes about 3 hours of professional services (consultation, design for least bad, implementation) that lets you create a URL that will take you directly to that Asset in MRO.

Known problems

Accruent explicitly does NOT support it.

They are aware of the problems and have stated, most recently in early 2026, that they will not fix any of them unless by accident, and if they break in a future release, they will do nothing to try to get them working again.

Security issues

To use it, you have to create a user and password that will be the 'login'. While the login and password are not leaked.

If anyone receives one of these links, they log in with the permissions of that user.

They can receive this link by email, by seeing it then typing it in.

Indeed, if anyone from another company knows about this point of entry, they can create a link that gives them access to your system.

For casual users, probably not a problem, but the documentation already exists in the internet, so a 'bad actor' could write a program that just keeps trying until they find an ID that let's them in.

Once in they are on a page that has just that Asset, they can now make any changes they want.

From there they can click on things like History to get into work orders. Essentially anything that is now available directly, including your drop down lists if you haven't blocked access to editing them.

From there they can get into any other assets on those work orders.

This last is not a problem if you never have more than one asset. However, we have no customers that have only one asset, so this is not really a solution of any practicality.

Anything else that you can open up now or in future releases from the Work Order is accessible, and then anything from them.

In practice, there may be limitations, but in practice - there is a lot that anyone can get into.

No SaaS provider will provide this.

There are 2 authorized Accruent MC SaaS providers, us and Accruent themselves. Neither of us will ever permit this security breach on our systems. (And there is a simple solution, as above, use MCe)

license issues:

When the get in, they consume a license.

With Conccurent MRO databases they will consume the license for the timeout you have specified.

Note: with this specific MRO feature, once you are in - logging off does not release the license.

Once you log off, the timer starts, and the license will be released when it times out.

So to use this feature effectively, the user of this feature needs to disconnect their user after they are done, which defeats the ease of use of this feature.

Denial attack

The above leads to a Denial of service type attack.

A person who is aware of this can write a trivial program that just calls that link peridically and use up all your licenses.

SSO, including MCe LoginHub

If you have a SSO tool (the LoginHub being the most expansive, doing far more than SSO) it will likely not work.

Conclusion on MRO direct login to asset

The conclusion is likely pretty obvious. If you want conceptually this type of feature, Accruent says you should use MCe, we say you should use MCe.