Permissions

Everyware Cloud employs a centralized Role-Based Access Control (RBAC) security model where each account may have multiple users and each user may be granted a different set of permissions. Permissions can be grouped under a role and roles can be assigned to users. When a users connects to the Everyware Cloud, its roles and permissions will determine the set of functionality available to the user.

The Everyware Cloud permissions can be described as a tuple with the following parts:

Domain

Action

Access Group

Defines the target service of the permission. The domain generally relates to the type of the Everyware Cloud entity which is targeted by the permission.

Defines the actions that this permission allows on the target entities. Actions include basic operations like read, write, delete and other entity specific operations.

Defines the target entity instances. By default the target entities are all the entities under the current account scope (ALL). If an access group is specified, the target is limited to the entities under the specified access group.

The following sections describe the permissions exposed by each Everyware Cloud service.

Account Service

The Account Service manages the account entity. It controls the life-cycle of accounts and child accounts.

Domain

Action

Description

account

read
write
delete
ALL

The actions control what operations are allowed on the account entity. The read/write/delete actions grants the CRUD operations on the entity. The ALL action grants all the operations on the entity.

Authentication Services

The Authentication Services manage the user's credentials and the authentication process.

AccessTokenService

Domain

Action

Description

access_token

read
write
delete
ALL

The actions control what operations are allowed on the access_token entity. The read/write/delete actions grants the CRUD operations on the entity. The ALL action grants all the operations on the entity.

CredentialService

The CredentialService manages the credential entity.

Domain

Action

Description

credential

read
write
delete
ALL

The actions control what operations are allowed on the credential entity. The read/write/delete actions grants the CRUD operations on the entity. The ALL action grants all the operations on the entity.

Authorization Services

The Authentication Services control user's authorized operations, the granting and revoking of permissions and roles.

AccessInfoService

The Access Info entity captures all the permissions and roles granted to a subject. The AccessInfoService exposes operations to assign and remove roles and to grant and revoke permissions to a user.

Domain

Action

Description

access_info

read
write
delete
ALL

The actions control what operations are allowed on the access_info entity. The read/write/delete actions grants the CRUD operations on the entity. The ALL action grants all the operations on the entity.

DomainService

The DomainService manages the domains of the access control sub system and it maintains a directory of all registered domains.

Domain

Action

Description

domain

read
write
delete
ALL

The actions control what operations are allowed on the domain entity. The read/write/delete actions grants the CRUD operations on the entity. The ALL action grants all the operations on the entity.

GroupService

The Group Service manages the access group entities. Access group entities can create a set of entity instance and used is as the target for the grant operation of a permission.

Domain

Action

Description

group

read
write
delete
ALL

The actions control what operations are allowed on the access group entity. The read/write/delete actions grants the CRUD operations on the entity. The ALL action grants all the operations on the entity.

RoleService

The RoleService manages role entities.

Domain

Action

Description

role

read
write
delete
ALL

The actions control what operations are allowed on the role entity. The read/write/delete actions grants the CRUD operations on the entity. The ALL action grants all the operations on the entity.

Device Registry Services

The Device Registry Services are a set of services managing the device entity, its profile, its connections, and its events.

DeviceRegistryService

The DeviceRegistryServices manages the device entity and its profile. The device lifecycle events update the profile information of a device.

Domain

Action

Description

device

read
write
delete
ALL

The actions control what operations are allowed on the device entity. The read/write/delete actions grants the CRUD operations on the entity. The ALL action grants all the operations on the entity.

device_lifecyle

read
write
delete
ALL

The actions control what operations are allowed on the device event entity. The read/write/delete actions grants the CRUD operations on the entity. The ALL action grants all the operations on the entity.

DeviceConnectionService

The DeviceConnectionService manages the connection of field devices.

Domain

Action

Description

broker

connect
ALL

The connect action allows the granted subject to establish a connection.

device_connection

read
write
delete
ALL

The actions control what operations are allowed on the device_connection entity. The read/write/delete actions grants the CRUD operations on the entity. The ALL action grants all the operations on the entity.

DeviceEventService

The DeviceEventService logs all the events associated with a device including its connection status and its management operations.

Domain

Action

Description

device_event

read
write
delete
ALL

The actions control what operations are allowed on the device_event entity. The read/write/delete actions grants the CRUD operations on the entity. The ALL action grants all the operations on the entity.

Job Service

The JobService manages batch Jobs for device management operations.

Domain

Action

Description

job

read
write
delete
execute
ALL

The actions control what operations are allowed on the job entity. The read/write/delete actions grants the CRUD operations on the entity. The ALL action grants all the operations on the entity.

Message Store Service

The Message Store Service stores the device telemetry data in the back-end storage.

Domain

Action

Description

datastore

read
write
delete
ALL

The actions control what operations are allowed on the storing and retrieving data messages. The read/write/delete actions grants the CRUD operations on the entity. The ALL action grants all the operations on the entity.

Scheduler Service

The SchedulerService manages the schedule operations for batch Jobs in device management operations.

Domain

Action

Description

scheduler

read
write
delete
ALL

The actions control what operations are allowed on the job entity. The read/write/delete actions grants the CRUD operations on the entity. The ALL action grants all the operations on the entity.

Tag Service

The TagService manages tag definitions and tag assignments to taggable entities.

Domain

Action

Description

tag

read
write
delete
ALL

The actions control what operations are allowed on the tag entity. The read/write/delete actions grants the CRUD operations on the entity. The ALL action grants all the operations on the entity.

User Service

The UserService manages user entities under an account.

Domain

Action

Description

user

read
write
delete
ALL

The actions control what operations are allowed on the user entity. The read/write/delete actions grants the CRUD operations on the entity. The ALL action grants all the operations on the entity.

Minimal permissions required for Web Console access

In the table below, an indication of the minimal read/view permissions required in order to get read access to each Web Console section:

Console Section

Basic read/view Permission

Additional Read Permission

Welcome Page

at least one read permission

Provisioning

provisioning

endpoint_info (Provision Request Details)

Connections

device_connections

Devices

device

  • device_event (Events tab)
  • device_management (Packages, Bundles, Configuration, Command, Assets tabs)
  • device_management and vpn (Remote Access tab)
  • device_management and certificate (Certificates tab)
  • log (Logs tab)
  • tag (Tags tab)

Device Logs

log

device (for Available Devices tab)

Remote Access

vpn

Batch Jobs

job

device (for Targets tab)

Data

datastore

device (for By Device and By Asset filters)

Tags

tag

Users

user

  • credential (Credentials, Multi Factor Authentication tabs)
  • role and access_info (Roles tab)
  • domain and access_info (Permissions tab)

Roles

role

  • domain (Permissions tab)
  • user and access_info (Granted Users tab)

Access Groups

groups

Child Accounts

account

Certificates

certificate

Routing

route

Settings

account

  • certificate (CertificateService settings)
  • deployment_registry (ClusterService settings)
  • credential (CredentialService settings)
  • device_connection (DeviceConnectionService settings)
  • log (DeviceLogStoreService settings)
  • device (DeviceRegistryService settings)
  • group (GroupService settings)
  • job (JobService settings)
  • datastore (MessageStoreService settings)
  • provision (ProvisionRequestService settings)
  • role (RoleService settings)
  • route (RouteService settings)
  • tag (TagService settings)
  • user (UserService settings)
  • vpn (VpnConnectionService settings)
  • endpoint_info (tab CORS)