The Role Management module defines the role-based access control concepts of WolkAbout IoT Platform, such as permissions and their relations to roles and users/user groups.
For all Assets (Devices, Device Types, Device Groups, Semantic templates, Data Semantics), access control lists do not exist on the Platform.
Instead, Global/Asset Roles must be assigned to User Groups in order for them to have access to these Assets. The only exception is the Owner Role, which is automatically assigned to a user (when the user creates an asset or has been assigned as the Owner).
There are two types of roles:
- Global Roles - These roles contain permissions defined on a global level (for example - view ALL devices). They are always assigned to User Groups
- Asset Roles - These roles define access permissions on a set of assets within a tenant (e.g. view devices in a device group TestDevices) for a specific User Group. They are always assigned to User Groups and Assets (or different groups of assets, like Device Group)
A User Group can have many Global Roles. All users in a User Group get all Global Roles (permissions) assigned to that User Group.
Global Roles define access to ALL assets/objects in WolkAbout IoT Platform modules. Additionally, only Global Roles have permissions for administrative tasks (such as User Management).
Asset Roles define access to specific assets within a WolkAbout IoT Platform (i.e. within a Tenant). Asset Role permissions are a strict subset of Global Role permissions, meaning that for Asset Role permissions to be applicable, it must be known to which User Group and Assets (e.g. Device groups, Semantic groups…) the Asset Role is granted.
Permissions can have scope on Global and Asset level, where Global permissions give access rights to all assets of certain type, while Asset-level permissions give access rights to a specific set of assets to a specific user group.
For example, by selecting permissions related to the Device Management and/or Data Management modules, access is granted to all of the corresponding assets. If you want to limit access to specific assets, you can do it by creating an Asset Role and linking the role to the appropriate assets and user groups.
From Role Management, you can create, edit, and delete both Global and Asset Roles.
Create Global Role
There are four predefined (system) Global Roles on the Platform:
- Platform Owner - Manages platform-wide settings and tenants
- Tenant Owner - A special Admin within a tenant. A user assigned to a Tenant by a Platform Owner has a role of Tenant Owner (and there can be only one Tenant Owner within a Tenant).
- Admin - A role that gives all global permissions within a tenant. A user with an admin role within a tenant has permission to do everything.
- Power User - A role that gives full access to all assets without administrative rights
- Standard User - A role that gives View access permission to all modules.
You can also create custom Global Roles on the Platform.
To create a custom Global role:
- Go to Global Roles tab
- Click on
- This will open the Create Global Role screen
- Enter Global Role name
- Enter Global Role description (optional)
- Check the checkboxes next to permissions you want to grant. In this case, we have selected to grant Access permissions over Data Visualisation, Device Management, Administration, Rule Engine, and Data Management.
- Click on Create Role
You can also search permissions by name:
With the Access Only Global Role we have created, a user is able to:
- Open Administration Module - User can access the following tabs: Users Management, User Groups Management, Roles Management, Reading Types Management, Audit Tracing, and Tenant Configuration, with the content in overview tables.
- Open Device Management Module - User can access the following tabs: Device Management, Device Type, Device Groups, and Device Imports, but is unable to see the content in overview tables.
- Open Data Management Module - User can access the following tabs: Data Management, Semantic Templates, Data Export Channels, Data Export Jobs, and Data Imports, but is unable to see the content in overview tables.
- Open Rule Engine Module - User can access Rule Management, with the content in overview table.
- Open Visualization and Monitoring Module - User can access the following tabs: Dashboards, Charts, Messages, and Message Subscriptions, but is unable to see the content in overview tables or boards.
Create Asset Role
There is only one predefined (system) Asset Role on the Platform:
- Asset owner (or simply Owner) - A User with role Owner for a specific Asset has permission to do all operations on an asset (view, edit, delete…) except to perform administrative tasks (for example to share an asset with a User Group and assign Asset Role to that User Group).
For example, a User who has the Owner role on a device TestDevice can perform all operations on the device (view, edit, delete…), but the Owner role does not grant permission to add the device to a Device Group (and then share it with a User Group and assign an Asset Role to that User Group).
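The access rules described so far (Global Roles through User Groups, Asset Roles scoped to linked assets, and the automatic Owner role without administrative rights) can be modelled to review who reaches an asset and through which grant. This is an added example, not WolkAbout code; the permission names, users, groups and the `Model` class are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical permission names; the platform's real identifiers are not on this page.
ADMIN_PERMS = {"asset.share"}  # administrative tasks: only Global Roles can grant these

@dataclass
class Model:
    user_groups: dict = field(default_factory=dict)   # user -> set of User Groups
    global_roles: dict = field(default_factory=dict)  # group -> {role name: permissions}
    asset_roles: list = field(default_factory=list)   # (group, role name, permissions, assets)
    owners: dict = field(default_factory=dict)        # asset -> owning user

    def grants(self, user, perm, asset):
        """Return every grant that gives `user` permission `perm` on `asset`."""
        found = []
        # Owner: every operation on the asset except administrative tasks.
        if self.owners.get(asset) == user and perm not in ADMIN_PERMS:
            found.append("owner")
        for group in self.user_groups.get(user, ()):
            # Global Roles cover ALL assets and may include administrative tasks.
            for role, perms in self.global_roles.get(group, {}).items():
                if perm in perms:
                    found.append(f"global:{role}")
            # Asset Roles cover only the assets linked to this User Group.
            for g, role, perms, assets in self.asset_roles:
                if g == group and asset in assets and perm in perms - ADMIN_PERMS:
                    found.append(f"asset:{role}")
        return sorted(found)

    def allowed(self, user, perm, asset):
        return bool(self.grants(user, perm, asset))

def sample():
    """Constructed tenant: users, groups and role contents are invented for illustration."""
    return Model(
        user_groups={"alice": {"Operators"}, "bob": {"Auditors"}, "carol": {"Admins"}},
        global_roles={
            "Auditors": {"Standard User": {"device.view"}},
            "Admins": {"Admin": {"device.view", "device.edit", "asset.share"}},
        },
        # Asset Role linked to group Operators and the members of Device Group TestDevices.
        asset_roles=[("Operators", "Editor", {"device.view", "device.edit"}, {"TestDevice"})],
        owners={"TestDevice": "alice", "OtherDevice": "dave"},
    )

if __name__ == "__main__":
    m = sample()
    for user, perm, asset in [("alice", "device.edit", "TestDevice"),
                              ("alice", "asset.share", "TestDevice"),
                              ("bob", "device.view", "OtherDevice")]:
        print(user, perm, asset, m.grants(user, perm, asset) or "DENIED")
```

Listing the grants rather than returning a bare yes/no shows when access comes from a Global Role where a narrower Asset Role would have been enough.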
You can also create custom Asset Roles on the Platform.
To create a custom Asset Role:
- Go to Asset Roles tab
- Click on
- This will open the Create Asset Role screen
- Enter Asset Role name
- Enter Asset Role description (optional)
- Check the checkboxes next to permissions you want to grant. In this case, we have selected to grant all permissions over Data Management and Access control over everything Data Management-related
- Click on Create Role
After you have created a new Asset Role, you need to link it to the appropriate user groups and assets from the User Group Management screen.
Edit Global/Asset Role
To edit a custom Global/Asset Role:
- Click on next to Global/Asset Role you want to edit
- Select Edit from the menu
- This will open the Edit global/asset role screen
- Proceed to make edits to name, description, and/or permissions
- Click on Update Role
Note: You cannot edit a predefined (system) Global/Asset Role.
Delete Global/Asset Role
To delete a custom Global/Asset Role:
- Click on next to Global/Asset Role you want to delete
- Select Delete from the menu
- Confirm Delete
Note: You cannot delete a predefined (system) Global/Asset Role.