Role-based Access
Roles define the permissions a user or service account has within an account.
Roles are applied to a collection of resources. These can be the Account itself, its Location Groups, or its Locations.
How roles are applied is dependent on your use case, including the roles and responsibilities of your employees. For example, you could assign the role of IoT Manager to a device installer. With this role, the installer could be assigned access to either a Location Group and all Locations within it, or to a small subset of individual Locations. You could also assign the role of IoT Member to an installer if you wanted to limit access of that particular installer to only specific locations.
Several pre-defined Roles are available to assign to both Users and Service Accounts. Roles allow varying levels of permission (what they can do on the platform), and what scope of resources they apply to.
Available Roles
Account Admin (ACCOUNT_ADMIN
)
Manages all aspects of the Enterprise Account and all resources underneath it.
- The user who creates the Enterprise Account receives this role automatically. This user manages the Enterprise Account.
- Provide this role to Service Accounts to allow your services to manage all aspects of the Account through APIs.
IoT Manager (IOT_MANAGER
)
A power user with the ability to manage both Location Groups and Locations.
- Provide this role to trusted staff (building management, maintenance, or installers) to manage entire Location Groups or individual Locations for either long-term or temporary scenarios.
Restricted variation (
IOT_RESTRICTED_MANAGER
): A read-only version of the IoT Manager role.
- Provide to staff with lower privileges that may be read-only.
IoT Member (IOT_MEMBER
)
Access to a Location with the ability to also fully manage devices.
- Provide to end users (tenants) that might require a limited view of a Location.
- User access expiry can be defined in each invitation.
Restricted variation (
IOT_RESTRICTED_MEMBER
): Access to a Location with full ability to use a Location, but limited ability to modify/edit/delete devices in the Location.
- Provide to end users (guests, employees) that might require a limited view of a Location. User access expiry can be defined in each invitation
Role Capabilities
The table below outlines permissions for each role name.
C: Create | R: Read | U: Update | D: Delete
Role Name | Account | Location Group | Location | Devices | Routines |
---|---|---|---|---|---|
Account Admin | |||||
IoT Manager | |||||
IoT Restricted Manager | |||||
IoT Member | |||||
IoT Restricted Member |
How roles can be applied to different resources
Role Name | Account | Location Group | Location |
---|---|---|---|
Account Admin | |||
IoT Manager | |||
IoT Restricted Manager | |||
IoT Member | |||
IoT Restricted Member |