Users and permissions
What user permissions are defined in IoTP?
In IoTP, Services and SubServices are defined. SubServices exist inside Services. Typically a Service represents a smart city and its SubServices represent the verticals of that smart city. For more details, read multitenancy.
Users are created inside Services. The same user name can be used across different Services to represent different Users, e.g. the user "adm1" could exist in the "smartcity" Service while "adm1" is a different user in the "smartgondor" Service.
Roles are created inside Services. By default, all Services created in IoT Platform are created with the following Roles:
- ServiceCustomer: Role for a normal user of the Service, with standard read/write permissions over all the objects in the Service, but not in SubService.
- SubServiceCustomer: Role for a normal user in a SubService, with standard read/write permissions over all the objects in the SubService, but not in Service.
- SubServiceAdmin: Role for an administrator user in a SubService, with full capabilities in SubService, but not in Service.
There is one role common to all Services:
- Admin: administrator with full capabilities in the Service, but not in SubService.
Users receive role assignments in Services (or SubServices). The permissions are determined by the Role a user has in a Service (or SubService). Depending on the IoTP component, a user's permissions decide whether the user is allowed to perform a given action or not.
In more detail, each Role in a Service is defined by a Policy for each IoTP component:
- IoTP Policies
- Orion component actions
- Perseo component actions
- Keypass component actions
- REST API based components (STH, IOTA) actions
Can I modify permissions for a given user?
The common way to modify permissions for a given user is to assign or unassign Roles. A user can be assigned the Admin, ServiceCustomer, SubServiceAdmin and SubServiceCustomer roles in a given Service or SubService. This can be done using IoT Portal and IoT Orchestrator.
How can I create a user with special permissions?
To create a new user with special permissions, follow these steps:
- Create a new user. Orchestrator how to create a new user
- Create a new Role. Orchestrator how to create a new role
- Define a new custom XACML Policy, like one of these
- Assign a XACML policy to that Role for each IoTP component that you need. Set a XACML policy to a Role
- Assign the Role to the User. Orchestrator assign a Role to a User
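As an added example (not taken from the IoTP documentation), this is what such a custom XACML 3.0 policy could look like for a Role that is only allowed to read Orion entities. It assumes the PEP in front of Orion presents the HTTP method as the standard XACML action-id attribute and the request path as resource-id; the exact attributes the IoTP components send to Keypass are not given on this page.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: read-only policy for a custom Role on the Orion component.
     Assumptions (not given on this page): the PEP sends the HTTP method as the
     standard XACML action-id and the request path as resource-id. -->
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="orion-readonly-customer"
        Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit">

  <Description>Allow only read operations on Orion entities; every other request is denied.</Description>

  <!-- Empty Target: the policy applies to every request routed to it. -->
  <Target/>

  <Rule RuleId="permit-get-on-entities" Effect="Permit">
    <Target>
      <AnyOf>
        <AllOf>
          <!-- The action must be an HTTP GET -->
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="true"/>
          </Match>
          <!-- The resource must be under the NGSI v2 entities path -->
          <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-starts-with">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/v2/entities</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"
                                 MustBePresent="true"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>

  <!-- No explicit Deny rule is needed: deny-unless-permit turns every request
       that does not match the Permit rule (POST, PUT, DELETE, other paths) into Deny. -->
</Policy>
```

Because the combining algorithm is deny-unless-permit, a missing or unexpected attribute also results in Deny rather than NotApplicable, so the Role fails closed when the PEP sends something the policy did not anticipate.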