Users and permissions

What user permissions are defined in IoTP?

In IoTP, Services and SubServices are defined. SubServices exist inside Services. Typically a Service represents a smart city and each SubService represents one of the verticals of that smart city. For more details, read multitenancy.

Users are created inside Services. The same user name can be used across different Services to represent different Users, e.g. user "adm1" could exist in the "smartcity" Service, and "adm1" could be a different user in the "smartgondor" Service.

Roles are created inside Services. By default, every Service created in IoT Platform has the following Roles:

  • ServiceCustomer: Role for a normal user of the Service, with standard read/write permissions over all the objects in the Service, but not in any SubService.
  • SubServiceCustomer: Role for a normal user in a SubService, with standard read/write permissions over all the objects in the SubService, but not in Service.
  • SubServiceAdmin: Role for an administrator user in a SubService, with full capabilities in SubService, but not in Service.

There is one single role that is common to all Services:

  • Admin: administrator with full capabilities of the Service, but not in SubService.

Users receive role assignments in Services (or SubServices). A user's permissions are determined by the Role the user has in a Service (or SubService). Depending on the IoTP component, a given user permission does or does not grant the ability to perform certain actions.

User    Role                Service\SubService
adm1    admin               smartcity
adm1    SubServiceAdmin     smartcity\*
Alice   SubServiceAdmin     smartgondor\palaces
bob     SubServiceCustomer  smartcity\electricity
bob     SubServiceAdmin     smartcity\gardens

In more detail, each Role in a Service is defined by a Policy for each IoTP component:

Since the Identity Management of IoT Platform is based on OpenStack Keystone, the following table shows how the concepts involved map onto each other:

IoT Platform   Keystone
Service        Domain
SubService     Project
User           User
Role           Role
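The following is an added example, not IoTP or Keystone code. It models the role scoping rules stated above (Service roles never reach into SubServices, SubService roles never reach up to the Service, and a "smartcity\*" assignment covers every SubService) over the role-assignment table shown earlier, and it maps each assignment onto the Keystone v3 scope from the table just above (Service to domain, SubService to project). The Keystone ids and the way the "*" wildcard is stored are assumptions, labelled as such in the code; the page does not say how IoTP represents them.

```python
# Added example (not IoTP or Keystone code): a small model of the Service /
# SubService role scopes described on this page, plus the mapping of each
# assignment onto its OpenStack Keystone v3 scope. Identifiers are constructed.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Capabilities each Role grants inside its own scope, as the page describes them.
ROLE_CAPS = {
    "Admin": {"read", "write", "admin"},            # Service scope only
    "ServiceCustomer": {"read", "write"},           # Service scope only
    "SubServiceAdmin": {"read", "write", "admin"},  # SubService scope only
    "SubServiceCustomer": {"read", "write"},        # SubService scope only
}
SERVICE_ROLES = {"Admin", "ServiceCustomer"}
SUBSERVICE_ROLES = {"SubServiceAdmin", "SubServiceCustomer"}
_CANONICAL_ROLE = {name.lower(): name for name in ROLE_CAPS}  # "admin" -> "Admin"


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    service: str
    subservice: Optional[str] = None  # None: Service scope; "*": every SubService

    def __post_init__(self) -> None:
        # Reject assignments that put a role outside the scope it is defined for.
        if self.role not in ROLE_CAPS:
            raise ValueError(f"unknown role {self.role!r}")
        if self.role in SERVICE_ROLES and self.subservice is not None:
            raise ValueError(f"{self.role} is a Service role, not a SubService role")
        if self.role in SUBSERVICE_ROLES and self.subservice is None:
            raise ValueError(f"{self.role} must be assigned in a SubService")


def parse_assignment(line: str) -> Assignment:
    """Parse one row of the 'User Role Service\\SubService' table from the page."""
    user, role, scope = line.split()
    service, _, subservice = scope.partition("\\")
    role = _CANONICAL_ROLE.get(role.lower(), role)  # accept "admin" as well as "Admin"
    return Assignment(user, role, service, subservice or None)


def capabilities(assignments: List[Assignment], user: str, service: str,
                 subservice: Optional[str] = None) -> Set[str]:
    """Capabilities `user` has in `service` (subservice=None) or in one SubService.

    Service roles never descend into SubServices and SubService roles never
    climb up to the Service, which is the 'but not in ...' wording of the
    role descriptions. A "*" assignment matches every SubService.
    """
    caps: Set[str] = set()
    for a in assignments:
        if a.user != user or a.service != service:
            continue
        if subservice is None and a.subservice is None:
            caps |= ROLE_CAPS[a.role]
        elif subservice is not None and a.subservice in ("*", subservice):
            caps |= ROLE_CAPS[a.role]
    return caps


def keystone_scope(a: Assignment) -> Tuple[str, str]:
    """Keystone v3 scope of an assignment: Service -> domain, SubService -> project."""
    if a.subservice is None:
        return ("domain", a.service)
    return ("project", a.subservice)  # "*" stands for every project in the domain


def keystone_grant_path(a: Assignment, user_id: str, role_id: str,
                        domain_id: str, project_id: Optional[str] = None) -> str:
    """Keystone v3 URL that a PUT would use to grant this assignment.

    The ids are Keystone UUIDs supplied by the caller (placeholders in the demo).
    Assumption: a "smartcity\\*" wildcard is stored as a domain role inherited
    to all projects of the domain (Keystone OS-INHERIT); the page does not say
    how IoTP represents it.
    """
    if a.subservice is None:
        return f"/v3/domains/{domain_id}/users/{user_id}/roles/{role_id}"
    if a.subservice == "*":
        return (f"/v3/OS-INHERIT/domains/{domain_id}/users/{user_id}"
                f"/roles/{role_id}/inherited_to_projects")
    return f"/v3/projects/{project_id}/users/{user_id}/roles/{role_id}"


# The role-assignment table from this page, as text rows.
TABLE = [
    r"adm1 admin smartcity",
    r"adm1 SubServiceAdmin smartcity\*",
    r"Alice SubServiceAdmin smartgondor\palaces",
    r"bob SubServiceCustomer smartcity\electricity",
    r"bob SubServiceAdmin smartcity\gardens",
]
ASSIGNMENTS = [parse_assignment(row) for row in TABLE]

if __name__ == "__main__":
    for who, svc, sub in [("adm1", "smartcity", None), ("adm1", "smartcity", "water"),
                          ("bob", "smartcity", None), ("bob", "smartcity", "gardens"),
                          ("Alice", "smartcity", "palaces")]:
        print(who, svc, sub, sorted(capabilities(ASSIGNMENTS, who, svc, sub)))
    print(keystone_grant_path(ASSIGNMENTS[1], "USER-ID", "ROLE-ID", "DOMAIN-ID"))
```

Running the module shows that bob has nothing at the "smartcity" Service level despite two SubService roles, that adm1's "smartcity\*" assignment covers a SubService that does not appear in the table, and that Alice's SubServiceAdmin role in "smartgondor" gives her nothing in "smartcity". The `Assignment` validation also refuses a Service role such as Admin inside a SubService, which is the invariant an administrator tool would want to enforce before talking to Keystone.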

Can I modify permissions for a given user?

The usual way to modify the permissions of a given user is to assign or unassign Roles. A user can be assigned the Admin, ServiceCustomer, SubServiceAdmin or SubServiceCustomer role in a given Service or SubService. This can be done using IoT Portal and IoT Orchestrator.

How can I create a user with special permissions?

To create a new user with special permissions, follow these steps: