Permissions
Everyware Cloud employs a centralized Role-Based Access Control (RBAC) security model in which each account may have multiple users and each user may be granted a different set of permissions. Permissions can be grouped under a role, and roles can be assigned to users. When a user connects to Everyware Cloud, the user's roles and permissions determine the set of functionality available to that user.
The Everyware Cloud permissions can be described as a tuple with the following parts:
Domain | Action | Access Group |
---|---|---|
Defines the target service of the permission. The domain generally relates to the type of the Everyware Cloud entity which is targeted by the permission. | Defines the actions that this permission allows on the target entities. Actions include basic operations like read, write, delete and other entity specific operations. | Defines the target entity instances. By default the target entities are all the entities under the current account scope (ALL). If an access group is specified, the target is limited to the entities under the specified access group. |
The following sections describe the permissions exposed by each Everyware Cloud service.
Account Service
The Account Service manages the account entity. It controls the life-cycle of accounts and child accounts.
Domain | Action | Description |
---|---|---|
account | read write delete ALL | The actions control what operations are allowed on the account entity. The read/write/delete actions grant the CRUD operations on the entity. The ALL action grants all the operations on the entity. |
Authentication Services
The Authentication Services manage the user's credentials and the authentication process.
AccessTokenService
Domain | Action | Description |
---|---|---|
access_token | read write delete ALL | The actions control what operations are allowed on the access_token entity. The read/write/delete actions grant the CRUD operations on the entity. The ALL action grants all the operations on the entity. |
CredentialService
The CredentialService manages the credential entity.
Domain | Action | Description |
---|---|---|
credential | read write delete ALL | The actions control what operations are allowed on the credential entity. The read/write/delete actions grant the CRUD operations on the entity. The ALL action grants all the operations on the entity. |
Authorization Services
The Authorization Services control the operations a user is authorized to perform, and the granting and revoking of permissions and roles.
AccessInfoService
The Access Info entity captures all the permissions and roles granted to a subject. The AccessInfoService exposes operations to assign and remove roles and to grant and revoke permissions to a user.
Domain | Action | Description |
---|---|---|
access_info | read write delete ALL | The actions control what operations are allowed on the access_info entity. The read/write/delete actions grant the CRUD operations on the entity. The ALL action grants all the operations on the entity. |
DomainService
The DomainService manages the domains of the access control subsystem and maintains a directory of all registered domains.
Domain | Action | Description |
---|---|---|
domain | read write delete ALL | The actions control what operations are allowed on the domain entity. The read/write/delete actions grant the CRUD operations on the entity. The ALL action grants all the operations on the entity. |
GroupService
The Group Service manages the access group entities. An access group defines a set of entity instances and can be used as the target of a permission grant.
Domain | Action | Description |
---|---|---|
group | read write delete ALL | The actions control what operations are allowed on the access group entity. The read/write/delete actions grant the CRUD operations on the entity. The ALL action grants all the operations on the entity. |
RoleService
The RoleService manages role entities.
Domain | Action | Description |
---|---|---|
role | read write delete ALL | The actions control what operations are allowed on the role entity. The read/write/delete actions grant the CRUD operations on the entity. The ALL action grants all the operations on the entity. |
Device Registry Services
The Device Registry Services are a set of services managing the device entity, its profile, its connections, and its events.
DeviceRegistryService
The DeviceRegistryService manages the device entity and its profile. The device lifecycle events update the profile information of a device.
Domain | Action | Description |
---|---|---|
device | read write delete ALL | The actions control what operations are allowed on the device entity. The read/write/delete actions grant the CRUD operations on the entity. The ALL action grants all the operations on the entity. |
device_lifecyle | read write delete ALL | The actions control what operations are allowed on the device event entity. The read/write/delete actions grant the CRUD operations on the entity. The ALL action grants all the operations on the entity. |
DeviceConnectionService
The DeviceConnectionService manages the connection of field devices.
Domain | Action | Description |
---|---|---|
broker | connect ALL | The connect action allows the granted subject to establish a connection. |
device_connection | read write delete ALL | The actions control what operations are allowed on the device_connection entity. The read/write/delete actions grant the CRUD operations on the entity. The ALL action grants all the operations on the entity. |
DeviceEventService
The DeviceEventService logs all the events associated with a device including its connection status and its management operations.
Domain | Action | Description |
---|---|---|
device_event | read write delete ALL | The actions control what operations are allowed on the device_event entity. The read/write/delete actions grant the CRUD operations on the entity. The ALL action grants all the operations on the entity. |
Job Service
The JobService manages batch Jobs for device management operations.
Domain | Action | Description |
---|---|---|
job | read write delete execute ALL | The actions control what operations are allowed on the job entity. The read/write/delete actions grant the CRUD operations on the entity. The ALL action grants all the operations on the entity. |
Message Store Service
The Message Store Service stores the device telemetry data in the back-end storage.
Domain | Action | Description |
---|---|---|
datastore | read write delete ALL | The actions control what operations are allowed when storing and retrieving data messages. The read/write/delete actions grant the CRUD operations on the entity. The ALL action grants all the operations on the entity. |
Scheduler Service
The SchedulerService manages the schedule operations for batch Jobs in device management operations.
Domain | Action | Description |
---|---|---|
scheduler | read write delete ALL | The actions control what operations are allowed on the job entity. The read/write/delete actions grant the CRUD operations on the entity. The ALL action grants all the operations on the entity. |
Tag Service
The TagService manages tag definitions and tag assignments to taggable entities.
Domain | Action | Description |
---|---|---|
tag | read write delete ALL | The actions control what operations are allowed on the tag entity. The read/write/delete actions grant the CRUD operations on the entity. The ALL action grants all the operations on the entity. |
User Service
The UserService manages user entities under an account.
Domain | Action | Description |
---|---|---|
user | read write delete ALL | The actions control what operations are allowed on the user entity. The read/write/delete actions grant the CRUD operations on the entity. The ALL action grants all the operations on the entity. |
Minimal permissions required for Web Console access
The table below lists the minimal read/view permissions required to get read access to each Web Console section:
Console Section | Basic read/view Permission | Additional Read Permission |
---|---|---|
Welcome Page | at least one read permission | |
Provisioning | provisioning | endpoint_info (Provision Request Details) |
Connections | device_connections | |
Devices | device | device_event (Events tab); device_management (Packages, Bundles, Configuration, Command, Assets tabs); device_management and vpn (Remote Access tab); device_management and certificate (Certificates tab); log (Logs tab); tag (Tags tab) |
Device Logs | log | device (for Available Devices tab) |
Remote Access | vpn | |
Batch Jobs | job | device (for Targets tab) |
Data | datastore | device (for By Device and By Asset filters) |
Tags | tag | |
Users | user | credential (Credentials, Multi Factor Authentication tabs); role and access_info (Roles tab); domain and access_info (Permissions tab) |
Roles | role | domain (Permissions tab); user and access_info (Granted Users tab) |
Access Groups | groups | |
Child Accounts | account | |
Certificates | certificate | |
Routing | route | |
Settings | account | certificate (CertificateService settings); deployment_registry (ClusterService settings); credential (CredentialService settings); device_connection (DeviceConnectionService settings); log (DeviceLogStoreService settings); device (DeviceRegistryService settings); group (GroupService settings); job (JobService settings); datastore (MessageStoreService settings); provision (ProvisionRequestService settings); role (RoleService settings); route (RouteService settings); tag (TagService settings); user (UserService settings); vpn (VpnConnectionService settings); endpoint_info (tab CORS) |
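The following is an added example, not Everyware Cloud's own code, that models the permission tuple (domain, action, access group) and the role-to-user assignment described at the top of this page, then evaluates a few rows of the console table above against a user's effective permissions. The role names, the "plant-a" access group and the sample users are constructed for illustration.

```python
from dataclasses import dataclass, field

ALL = "ALL"  # wildcard: every action of a domain, or every entity in the account scope

@dataclass(frozen=True)
class Permission:
    """One permission tuple as described above: domain, action, access group."""
    domain: str
    action: str
    group: str = ALL  # default target: all entities under the current account

    def allows(self, domain, action, group=ALL):
        if self.domain != domain or (self.action != ALL and self.action != action):
            return False
        # ALL-scoped grants cover every group; group-scoped grants cover only that group
        return self.group == ALL or self.group == group

@dataclass
class Role:
    name: str
    permissions: frozenset

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)

    def can(self, domain, action, group=ALL):
        return any(p.allows(domain, action, group)
                   for r in self.roles for p in r.permissions)

# Minimal read permissions for a few console sections, taken from the table above.
CONSOLE_READ = {
    "Devices": [("device", "read")],
    "Devices / Events tab": [("device", "read"), ("device_event", "read")],
    "Users / Roles tab": [("user", "read"), ("role", "read"), ("access_info", "read")],
}

def console_sections(user, group=ALL):
    """Console sections the user can open for entities in the given access group."""
    return [s for s, reqs in CONSOLE_READ.items()
            if all(user.can(d, a, group) for d, a in reqs)]

# Constructed sample roles (not from the page): an operator confined to the
# "plant-a" access group, an account-wide read-only auditor, and an admin.
OPERATOR = Role("operator", frozenset({Permission("device", "read", "plant-a"),
    Permission("device", "write", "plant-a"), Permission("device_event", "read", "plant-a")}))
AUDITOR = Role("auditor", frozenset({Permission("device", "read"),
    Permission("device_event", "read"), Permission("user", "read")}))
ADMIN = Role("admin", frozenset({Permission("device", ALL), Permission("account", ALL)}))
```

Note that a grant scoped to one access group never satisfies an account-wide (ALL) request, so a group-confined operator cannot open the account-wide Devices view even though the same user can work on devices inside that group.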