Exoprise CloudReady® Help

Access Control in an Organization Account

Article ID: 102
Last updated: 26 Feb, 2016

A user of CloudReady deals with three main resource types:

  1. Sites: can be created, configured, deleted
  2. Sensors: can be deployed to sites, reconfigured, deleted
  3. Alarms: can be attached to sensors, reconfigured, deleted

Organization accounts can have multiple users, so an access control mechanism is needed to authorize users’ interactions with these resources. CloudReady supports role- and team-based access control via Org Roles, Teams and Team Roles.

Roles

A role determines the level of access a user has to a set of resources. It can allow different levels for different resource types, for example only allowing view rights to sensors but create and delete for alarms.

The set of resources that the role applies to is either everything in the organization (for an Org Role) or a configurable subset of resources which make up a Team (for a Team Role). You can think of an Organization as a predefined Team that includes all resources and all users.

Org Roles

Currently CloudReady has a predefined fixed set of Org Roles:

  1. Member: Does not grant access to anything, but members can subsequently be given permissions to specific resources via teams.
  2. Viewer: Can only view sensors and alarms but can’t make adjustments
  3. Operator: Viewer rights + ability to create and edit alarms
  4. Deployer: Operator rights + ability to create and edit sites and sensors
  5. Admin: Can do anything, including adding additional users and teams, except billing and payments
  6. Owner: Can do anything, including adjusting the billing and payment records

In this article, the generic term “admin” refers to a user with the Admin or Owner Org Role (Org Admin, Org Owner). The person who creates the account becomes an Org Owner. They can add users to the organization, giving each an Org Role. Org Admins can also add users but cannot make them Org Owners.

An Org Role applies to all resources in the org, which enables coarse-grained role-based access control (for example, allow editing all sensors or none). For more fine-grained control, Teams can grant groups of users a certain level of access (specified by their Team Role) to subsets of resources.

Team Roles

Team Roles are a subset of Org Roles that make sense for a team context:

  1. Viewer: Can only view sensors and alarms but can’t make adjustments
  2. Operator: Viewer rights + ability to create and edit alarms
  3. Deployer: Operator rights + ability to create and edit sites and sensors

Teams

A Team is a grouping of users and resources. Each member (user) has a Team Role, which determines the level of access they have to the resources in the Team. Teams are administered by admins, who can:

  1. create, rename and delete teams
  2. add users with a Team Role, change the Team Role of members, remove members
  3. add/remove resources

Sites added to a team automatically include all their present and future sensors, and sensors automatically include all their present and future alarms.

A typical use-case would be:

  • You want to give a couple of users view and alarm access to a particular sensor (or several) and nothing else
  • You add them to the org with Member role, which gives them access to nothing
  • You create a team and add these users with Operator role
  • You add one (or more) sensors to the team
  • Once the team exists you can add users to the org and a team in one step.
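
The access rules described in this article, as an added Python sketch (not Exoprise code) that evaluates the typical use-case above. It assumes a user's effective role on a resource is the higher of their Org Role and any Team Role covering that resource, which the article implies but does not state; all class, function and resource names are hypothetical.

```python
from dataclasses import dataclass
# Roles from least to most privileged, in the order the article lists them.
RANK = {r: i for i, r in enumerate(
    ["Member", "Viewer", "Operator", "Deployer", "Admin", "Owner"])}
TEAM_ROLES = {"Viewer", "Operator", "Deployer"}
# Minimum role per (action, resource type); "edit" stands for create/edit.
REQUIRED = {("view", "sensor"): "Viewer", ("view", "alarm"): "Viewer",
            ("edit", "alarm"): "Operator", ("edit", "sensor"): "Deployer",
            ("edit", "site"): "Deployer"}

@dataclass
class Team:
    members: dict    # user -> Team Role
    resources: set   # ids of sites, sensors or alarms added to the team

@dataclass
class Org:
    org_roles: dict  # user -> Org Role
    parent: dict     # alarm id -> sensor id, sensor id -> site id
    kind: dict       # resource id -> "site" | "sensor" | "alarm"
    teams: list

    def covered(self, team, res):
        # A site brings its sensors, a sensor brings its alarms: walk upward.
        while res is not None and res not in team.resources:
            res = self.parent.get(res)
        return res is not None

    def effective_role(self, user, res):
        best = self.org_roles.get(user)  # None: not a user of this org
        for team in self.teams:
            role = team.members.get(user)
            if best and role in TEAM_ROLES and self.covered(team, res):
                best = max(best, role, key=RANK.get)  # assumption: highest wins
        return best

    def allowed(self, user, action, res):
        role = self.effective_role(user, res)
        need = REQUIRED.get((action, self.kind.get(res)))
        # Unknown user, resource or action: deny. Only view/edit are modelled.
        return bool(role and need) and RANK[role] >= RANK[need]

def sample_org():
    # Constructed data: bob is an org Member and an Operator in one team.
    parent = {"alarm-a": "sensor-a", "sensor-a": "site-1", "sensor-b": "site-1"}
    kind = {"site-1": "site", "sensor-a": "sensor", "sensor-b": "sensor",
            "alarm-a": "alarm"}
    return Org({"alice": "Owner", "bob": "Member"}, parent, kind,
               [Team({"bob": "Operator"}, {"sensor-a"})])
```

Running `sample_org().allowed("bob", "edit", "alarm-a")` shows the alarm being reached through its parent sensor, while the same user is denied on `sensor-b`, which sits in the same site but outside the team.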
