Access Management

Owned by Thorsten Boedeker
Last updated: Sept 21, 2023

Access management for platform data is a critical function for any company that is using the platform. Due to the multi tenancy approach and the fact that the access to machine data is mission critical, the platform needs a flexibel solution that fits every company. Therefore we’re offering a role-based access control (RBAC) that helps you to manage who has access to machines & customer data, what they can do with those data, and what areas they have access to.

How it works

The way you control access to data using RBAC is to assign roles. This is a key concept to understand – it's how permissions are enforced. A role assignment consists of three elements: user or groups, role definition, and scope.

Role setting

The role setting is a collection of permissions that enables the user to execute the following functions. It's typically just called a role. The role setting lists the operations that can be performed within a specific feature. The permissions are defined by the feature. Let's take Customer Management and his permissions as an example.

  • Show customer

  • Create customer

  • Edit customer

  • Invite customer

  • Revoke invite of customer

The platform has a set of built-in roles as starting point.

Scope

Scope is the structure of your company within the platform. You can assign several entities to a scope so that the responsibility can be defined. Currently, the platform offers two types of scope. Tenant (Company account) and Facilities/Service Organisations. We have already concepts to extend this scope with dynamic facilities (like Site, Building, Production area).

The scope is defined by the following levels:

  • Service organization / Facility
  • Company
  • Machine / Asset

Examples

Assign scope to operator roles:



Role assignments

A role assignment is the process of attaching a role definition to a user or group at a particular scope for the purpose of granting access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment.
A user role is selected first and afterwards the scope where this role assignment is valid.

Example

A producing company called FEMO has 3 production sites (Hawthorne, US; Berlin, DE and Billund, DK).
Every production site has multiple assets.
There is a new Machine Operators that should only get access to the Assets on the location they are working on but not on the others.

The admin user

  • creates a new user account and the user gets invited via email.

  • assigns the Machine Operator role to this user.

  • assigns the Facility in Hawthorne, US as scope to this role assignment.

Result

The new user can only access the assets for the facility in Hawthorne, US.

Multiple role assignments

It is possible to assign multiple roles to one user as long as these roles are part of the same tenant role.

Example

A small operating company is only having a handful of employees and one employees should both work as a Workshop manager to manage his assets and check the KPIs and also as a Machine Operator in the daily business.
-> It is possible for one user to have both roles "Workshop Manager" and "Machine Operator". These roles can also have a different scope.