Permissions

Everyware Cloud employs a centralized Role-Based Access Control (RBAC) security model: each account may have multiple users, and each user may be granted a different set of permissions. Permissions can be grouped into roles, and roles can be assigned to users. When a user connects to Everyware Cloud, the user's roles and permissions determine the set of functionality available to that user.

The Everyware Cloud permissions can be described as a tuple with the following parts:

Domain: Defines the target service of the permission. The domain generally corresponds to the type of Everyware Cloud entity targeted by the permission.
Action: Defines the actions that the permission allows on the target entities. Actions include the basic operations read, write and delete, plus entity-specific operations (for example connect or execute).
Access Group: Defines the target entity instances. By default the target is every entity under the current account scope (ALL). If an access group is specified, the target is limited to the entities that belong to that access group.
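The following script is an added illustration of how the permission tuple is evaluated; it is not Everyware Cloud code. It models only what this page describes: a permission is (domain, action, access group), ALL is a wildcard for the action or for the access group, roles bundle permissions, and a user's effective permissions are the union of direct grants and role grants. Account-hierarchy scoping is not modelled. Role names, user names and access group ids are constructed for the example.

```python
"""Toy model of the Everyware Cloud permission tuple (domain, action, access group)
and of role-based grants.  Constructed example, not platform code."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

ALL = "ALL"  # wildcard action, or wildcard access group (every entity in the account scope)


@dataclass(frozen=True)
class Permission:
    domain: str            # target service / entity type, e.g. "device"
    action: str            # "read", "write", "delete", "execute", "connect" or ALL
    group: str = ALL       # access group id, or ALL for the whole account scope

    def allows(self, domain: str, action: str, entity_group: Optional[str]) -> bool:
        if self.domain != domain:
            return False
        if self.action != ALL and self.action != action:
            return False
        # A group-scoped permission only matches entities that belong to that group;
        # an entity in no group (None) is covered only by an ALL-scoped grant.
        if self.group != ALL and self.group != entity_group:
            return False
        return True


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[Permission]


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[Role]
    direct_permissions: FrozenSet[Permission] = frozenset()

    def effective_permissions(self) -> FrozenSet[Permission]:
        """Union of the permissions granted directly and through roles."""
        perms = set(self.direct_permissions)
        for role in self.roles:
            perms |= role.permissions
        return frozenset(perms)


def is_authorized(user: User, domain: str, action: str,
                  entity_group: Optional[str] = None) -> bool:
    """True if any effective permission of the user covers the requested operation."""
    return any(p.allows(domain, action, entity_group)
               for p in user.effective_permissions())


def perm(domain: str, action: str, group: str = ALL) -> Permission:
    return Permission(domain, action, group)


# Constructed roles (names and access group ids are hypothetical):
OPERATOR = Role("operator", frozenset({
    perm("device", "read"), perm("device", "write"),
    perm("device_connection", "read"),
    perm("job", "read"), perm("job", "write"),   # may define jobs, not run them
}))
SITE_A_VIEWER = Role("site-a-viewer", frozenset({
    perm("device", "read", group="site-A"),      # read-only, limited to one access group
}))
ADMIN = Role("admin", frozenset({perm("device", ALL), perm("job", ALL)}))

alice = User("alice", frozenset({OPERATOR}))
bob = User("bob", frozenset({SITE_A_VIEWER}))
carol = User("carol", frozenset({ADMIN}))


def demo() -> dict:
    """Authorization decisions for the constructed users (assumed groups site-A/site-B)."""
    return {
        "alice_writes_device": is_authorized(alice, "device", "write", "site-B"),  # True
        "alice_runs_job": is_authorized(alice, "job", "execute"),                   # False: write != execute
        "bob_reads_site_a": is_authorized(bob, "device", "read", "site-A"),         # True
        "bob_reads_site_b": is_authorized(bob, "device", "read", "site-B"),         # False: other group
        "bob_reads_ungrouped": is_authorized(bob, "device", "read", None),          # False: needs ALL scope
        "bob_writes_site_a": is_authorized(bob, "device", "write", "site-A"),       # False: action not granted
        "carol_deletes_device": is_authorized(carol, "device", "delete", None),     # True: ALL action
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point to take from the group check is that a permission scoped to an access group never reaches entities outside that group, including entities assigned to no group at all; only an ALL-scoped grant does, which is why ALL-scoped write or delete grants deserve the most scrutiny when building roles.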

The following sections describe the permissions exposed by each Everyware Cloud service.

Account Service

The Account Service manages the account entity. It controls the life-cycle of accounts and child accounts.

Domain: account
Actions: read, write, delete, ALL
Description: The actions control what operations are allowed on the account entity. The read/write/delete actions grant the CRUD operations on the entity; ALL grants every operation on it.

Authentication Services

The Authentication Services manage the user's credentials and the authentication process.

AccessTokenService

Domain: access_token
Actions: read, write, delete, ALL
Description: The actions control what operations are allowed on the access_token entity. The read/write/delete actions grant the CRUD operations on the entity; ALL grants every operation on it.

CredentialService

The CredentialService manages the credential entity.

Domain: credential
Actions: read, write, delete, ALL
Description: The actions control what operations are allowed on the credential entity. The read/write/delete actions grant the CRUD operations on the entity; ALL grants every operation on it.

Authorization Services

The Authorization Services control the operations a user is authorized to perform, and the granting and revoking of permissions and roles.

AccessInfoService

The Access Info entity captures all the permissions and roles granted to a subject. The AccessInfoService exposes operations to assign and remove roles, and to grant permissions to a user and revoke them.

Domain: access_info
Actions: read, write, delete, ALL
Description: The actions control what operations are allowed on the access_info entity. The read/write/delete actions grant the CRUD operations on the entity; ALL grants every operation on it.

DomainService

The DomainService manages the domains of the access control sub system and it maintains a directory of all registered domains.

Domain: domain
Actions: read, write, delete, ALL
Description: The actions control what operations are allowed on the domain entity. The read/write/delete actions grant the CRUD operations on the entity; ALL grants every operation on it.

GroupService

The GroupService manages the access group entities. An access group collects a set of entity instances and can be used as the target of a permission grant.

Domain: group
Actions: read, write, delete, ALL
Description: The actions control what operations are allowed on the access group entity. The read/write/delete actions grant the CRUD operations on the entity; ALL grants every operation on it.

RoleService

The RoleService manages role entities.

Domain: role
Actions: read, write, delete, ALL
Description: The actions control what operations are allowed on the role entity. The read/write/delete actions grant the CRUD operations on the entity; ALL grants every operation on it.

Device Registry Services

The Device Registry Services are a set of services managing the device entity, its profile, its connections, and its events.

DeviceRegistryService

The DeviceRegistryService manages the device entity and its profile. The device lifecycle events update the profile information of a device.

Domain: device
Actions: read, write, delete, ALL
Description: The actions control what operations are allowed on the device entity. The read/write/delete actions grant the CRUD operations on the entity; ALL grants every operation on it.

Domain: device_lifecyle
Actions: read, write, delete, ALL
Description: The actions control what operations are allowed on the device lifecycle event entity. The read/write/delete actions grant the CRUD operations on the entity; ALL grants every operation on it.

DeviceConnectionService

The DeviceConnectionService manages the connection of field devices.

Domain: broker
Actions: connect, ALL
Description: The connect action allows the granted subject to establish a connection to the message broker; ALL grants every operation on the domain.

Domain: device_connection
Actions: read, write, delete, ALL
Description: The actions control what operations are allowed on the device_connection entity. The read/write/delete actions grant the CRUD operations on the entity; ALL grants every operation on it.

DeviceEventService

The DeviceEventService logs all the events associated with a device including its connection status and its management operations.

Domain: device_event
Actions: read, write, delete, ALL
Description: The actions control what operations are allowed on the device_event entity. The read/write/delete actions grant the CRUD operations on the entity; ALL grants every operation on it.

Job Service

The JobService manages batch Jobs for device management operations.

Domain: job
Actions: read, write, delete, execute, ALL
Description: The actions control what operations are allowed on the job entity. The read/write/delete actions grant the CRUD operations on the entity; execute grants starting the job, which write alone does not; ALL grants every operation on it.

Message Store Service

The Message Store Service stores the device telemetry data in the back-end storage.

Domain: datastore
Actions: read, write, delete, ALL
Description: The actions control what operations are allowed on stored data messages. The read/write/delete actions grant retrieving, storing and deleting messages; ALL grants every operation on the data store.

Scheduler Service

The SchedulerService manages the schedules of batch jobs for device management operations.

Domain: scheduler
Actions: read, write, delete, ALL
Description: The actions control what operations are allowed on the scheduler entity (job schedules). The read/write/delete actions grant the CRUD operations on the entity; ALL grants every operation on it.

Tag Service

The TagService manages tag definitions and tag assignments to taggable entities.

Domain: tag
Actions: read, write, delete, ALL
Description: The actions control what operations are allowed on the tag entity. The read/write/delete actions grant the CRUD operations on the entity; ALL grants every operation on it.

User Service

The UserService manages user entities under an account.

Domain: user
Actions: read, write, delete, ALL
Description: The actions control what operations are allowed on the user entity. The read/write/delete actions grant the CRUD operations on the entity; ALL grants every operation on it.

Minimal permissions required for Web Console access

The table below lists, for each Web Console section, the minimal read/view permission required to open the section, and the additional read permissions required by individual tabs or filters within it. Domain names match those defined in the service sections above.

Console section: Welcome Page
Basic read/view permission: at least one read permission

Console section: Provisioning
Basic read/view permission: provisioning
Additional read permissions: endpoint_info (Provision Request Details)

Console section: Connections
Basic read/view permission: device_connection

Console section: Devices
Basic read/view permission: device
Additional read permissions:
- device_event (Events tab)
- device_management (Packages, Bundles, Configuration, Command, Assets tabs)
- device_management and vpn (Remote Access tab)
- device_management and certificate (Certificates tab)
- log (Logs tab)
- tag (Tags tab)

Console section: Device Logs
Basic read/view permission: log
Additional read permissions: device (Available Devices tab)

Console section: Remote Access
Basic read/view permission: vpn

Console section: Batch Jobs
Basic read/view permission: job
Additional read permissions: device (Targets tab)

Console section: Data
Basic read/view permission: datastore
Additional read permissions: device (By Device and By Asset filters)

Console section: Tags
Basic read/view permission: tag

Console section: Users
Basic read/view permission: user
Additional read permissions:
- credential (Credentials, Multi Factor Authentication tabs)
- role and access_info (Roles tab)
- domain and access_info (Permissions tab)

Console section: Roles
Basic read/view permission: role
Additional read permissions:
- domain (Permissions tab)
- user and access_info (Granted Users tab)

Console section: Access Groups
Basic read/view permission: group

Console section: Child Accounts
Basic read/view permission: account

Console section: Certificates
Basic read/view permission: certificate

Console section: Routing
Basic read/view permission: route

Console section: Settings
Basic read/view permission: account
Additional read permissions:
- certificate (CertificateService settings)
- deployment_registry (ClusterService settings)
- credential (CredentialService settings)
- device_connection (DeviceConnectionService settings)
- log (DeviceLogStoreService settings)
- device (DeviceRegistryService settings)
- group (GroupService settings)
- job (JobService settings)
- datastore (MessageStoreService settings)
- provision (ProvisionRequestService settings)
- role (RoleService settings)
- route (RouteService settings)
- tag (TagService settings)
- user (UserService settings)
- vpn (VpnConnectionService settings)
- endpoint_info (CORS tab)